Fortinet FortiAuthenticator Reviews

We primarily use Fortinet FortiAuthenticator to centralize the management of user identity information in Security Architectures, enforce Role-Based authentication, and allow Two Factor authentication with Softclient support.

This is a must-have technology in Fortinet implementations with several gateways and distributed environments.

It is easy to set up and will reduce Network administrators' efforts to integrate diverse identification methods. Must evaluate Single Sing On Mobility Agents to full integration of users position on the network and complete the solution.

Using this product strengthens enterprise security. It offers role-based security policies and User Identity Management with different methods.

This product provides automatization. There is a self-service user portal for registry and support for domain and non-domain guest users, with diverse channels vía hardware tokens, software tokens, e-mail, and SMS.

This solution brings user satisfaction. It reduces the need for network administrator intervention by allowing the user to perform their own registration and resolve their own password problems and issues.

Key Features and Benefits

1. Two-factor/OTP Authentication with FortiToken: Enforce user-based policies. Fortitoken is available in soft and hard versions for flexible usage.  Most Valuable in Mobile Phones App for OTP.
2. Integration with LDAP and AD: This solution integrates with existing enterprise systems and technologies from diverse vendors of user information management systems.
3. LPAD/AD/RADIUS/SYSLOG/KERBEROS/REST API/FSSO and Web Portals: There is flexible integration with these services.
   
4. It is usable in network WAN, wireless, and VPN Scenarios.
5. The domain and guest-users support are good.

I would like to see integration and customization capabilities with the end-user portal to solve authentication issues with diverse implementation scenarios. Specifically, with web applications, enterprise networks, and VPN.

We have been using Fortinet FortiAuthenticator for three years.

This is a stable, set-and-forget product. Logical operations run in the Gateways.

FAC 200E/400E will support environments for hundreds of users, based on Physical Appliances. If future needs are in the scope then I suggest implementing virtual deployments.

Technical support is not needed in any sense. We have three years running without hardware appliance incidents or major issues.

This is the first authentication platform that I have worked with.

The initial setup process will vary from simple to complex and depends on your existing User Identity Systems, integrations, and scale of the network

In-house engineers, properly trained, are responsible for deployment and maintenance.

Our ROI was reached in less than a year. This solution is good in terms of financial returns.

FAC is an affordable solution for Middle Range (200E/400E) and also needs a package of mobility agents (2,000) perpetual.

There is nothing to buy in the gateways (FG) and it is fully integrated.

As a Fortinet customer, the logical evaluation was FAC from the same vendor.

This is a must-have technology in Fortinet deployments with distributed environments.

Fortinet FortiAuthenticator is being used in our clients' companies. These companies are medium to enterprise level.

The feature that I have found most valuable is the fact that you can utilize your tokens across the whole Fortinet fabric once you have the FortiAuthenticator. You can use FortiAuthenticator to provide two-factor authentication among all your network devices as long as they support the RADIUS protocol. Even for servers, especially Windows OS-based servers.

If you have any products that support RADIUS, you will be able to use the two-factor authentication. You can integrate them with the FortiAuthenticator and you can make use of the 2FA token among all our network devices, not just the Fortinet ones.

So far there hasn't been any major feature that we wished for and didn't find, but I would say in regards to bugs, sometimes we face unexpected issues that delay the implementation a little. However, I believe Fortinet will sort this out soon. Hopefully the solution will be more stable overall.

In terms of what additional features we would like to see in the next release, we would to see support for more of the common operating systems. They already support Windows OS, with the use of an agent installed on the windows machine.

However, we would like to see support for Linux-based operating systems for example. This is a shortcoming that I have faced a few times already.
Also a nice addition would be agents for End-user Machines especially Windows OS & MAC OS. 

We've done quite few deployments of Fortinet FortiAuthenticator over the last one and a half years.

Some bugs that we find we can work around, but usually we open the ticket with Fortinet anyway. This is because sometimes we suspect that we do not have the proper understanding or maybe there is something that we need to get an insight on from the technical support because they have their big databases and can provide us with additional valuable information about our cases. Sometimes we may find a workaround, but if we don't know what happened and why, we open a case anyway to get the full details.

Fortinet support is quite good. Their engineers are experienced and well-trained. Generally speaking, we feel that the technical support is capable and know what they're doing. You don't feel that you're speaking to someone who doesn't understand what the product is, which we face sometimes with other vendors. I would say, generally speaking, we are happy with it.

The initial setup is a valuable point on Fortinet products. Most of the time, putting the theory into practice on the devices is quite friendly and straightforward. As long as you can read through the menus, you can find your way around the solution and make it work. A 10 minute surf through the tabs will give you an idea of what you can do and how to do it. Documentations and guides are also available when needed.

This is a high value point on Fortinet - the way everything is laid out in the web UI is user-friendly and quite straightforward. 

Generally speaking, Fortinet prices are competitive enough. It depends on the markets, but in our market, the price sensitiveness is high, especially now with the current economic situation after the COVID-19. This became something to take into consideration even more. Price is always important, but after such a situation, it's even more so. Customers became even more sensitive to the prices. So, price is another value point for Fortinet.

If two-factor authentication is needed also for the end-devices, for example a endpoints or servers, I think FortiAuthenticator is not yet the most mature solution. However, if it is great for network devices, then this product is competitive enough price-wise and easy to use. It just works.

On a scale from 1 to 10, I would say Fortinet FortiAuthenticator is an 8.

We use this solution for two-factor authentication of most of our services. It includes VPN but also many other services that we have on our internet servers. We use the on-premise version because we also want it integrated into our in-house applications. We are customers of Fortinet and I'm a systems administrator. 

Security is such a big issue these days, a password alone is no longer enough for securing identity. In that sense, providing a second layer of authentication for users gives the company some level of comfort. 

I think the ease of deployment is a valuable feature. I like that the interface is intuitive and that natively and easily, it integrates with radios, ILDAP, fan mail, and with any applications supporting those protocols

I'd say that the integration with some other enterprise applications could be improved. For instance, ADFS. FortiAuthenticator does not work natively with ADFS and the company is not looking in that direction. It's one of our in-house applications and it was a challenge integrating with FortiAuthenticator. We had to write a separate, customized adapter for ADFS before we could make it work. We tried to get Fortinet to work on it but I don't think their development team is interested. It's not in their plan. The other challenge was when I integrated with I think VMware - there was an issue between the radio adapter and FortiAuthenticator. Both parties were not ready to work together and the implementation was buggy. 

I believe this solution can be adapted to so many things, depending on the technical side and the implementation engineers. I'd like to see some additional use cases that can be infused into the solution, such as ADFS.

I've been using this solution for two years. 

I haven't had any issues with stability. 

It's a very scalable solution. They now have the option of deployment as a VM, and then they have the hardware. I believe we use the 1000D for the hardware - it's able to support up to 10,000 users. You license the appliance based on the number of users and if you need to add more, you buy additional licenses. Almost everybody in the company uses it and I'd say we've had a total of around 4,000 users.

The technical support is mid-range It's not your wow kind of support but they do have levels of support. The support is in connectivity with their clients and it has to be renewed every year. You might do better if you go through their partners or something similar. They're not really there when it comes to support.

We used RSA SecurID before Fortinet. We switched because of the high costs associated with RSA. I believe that with RSA you need to pay a token license every three years but with Fortinet, once you buy it, you own it. Even if a token is lost, you can always reposition the token and that will not come at any extra cost. It's cost-effective for us. We also have several channels we can use for authentication with FortiAuthenticator. With RSA, users are stuck with either carrying the dongle, the hardware token, or maybe having the mobile application token on their phone. With Fortinet you can decide whether to use a hardware token, soft token, email token, push notification, or SMS. It gives us flexibility and comfort.

Initial setup was pretty straightforward. We were up and running within three days. I carried out the deployment. 

The license is a one-off payment. 

Every environment is obviously different so each user needs to know what they are looking for, and make a decision based on that. This is a cost effective and flexible solution. If a company is looking to use it on their server, it's important to look at the integration channels and your environment, the support. It's important to know that the channels are supported. 

I would rate this solution a seven out of 10. 

Our primary use case is two-factor authentication, and we use it for a handful of our clients.

FortiAuthenticator is really good software that integrates very well with Fortinet products.

The licensing structure is cost-effective for us compared to some of the other solutions that have recurring monthly costs. We like that it has more one-time costs than the monthly recurring cost per user.

Although two-factor authentication has come a long way, there are a lot of companies that are going further. The reason for this is because people are finding ways to compromise traditional, web-based solutions. I would like to see more ways to authenticate, such as adding facial recognition to the two-factor, where you log into your phone or another device. That would be great.

I have had stability issues with FortiAuthenticator.

As long as you purchase the right amount of licensing, it's scalable.

Generally, the technical support is very good. I know some people that work for Fortinet and we haven't had any issues with getting to the right resources when needed.

We have always used Fortinet products.

The initial setup is fairly simple because there's product training available for all of the tools from Fortinet. Our team is fully versed in those products, so it wasn't very difficult.

The licensing fee is less in the long term because it's not a recurring cost.

My advice is that for any solution you want to deploy, you have to ensure that your team is trained so that you can support it. Before FortiAuthenticator goes into play, make sure that your team is trained.

Overall, we are pretty satisfied with FortiAuthenticator.

I would rate this solution a nine out of ten.

The most valuable aspect of the solution is the security. It's great. 

The ease of use is really nice. Using Authenticator, I've been able to actually work better on my authentication due to the fact that I have a single fabric to authenticate control from my firewall and on my access points. Authentication takes place from this area. 

It's easy to use for us due to the fact that, for each and every user, even a Mac user, we're able to easily retrieve them and add them. The authenticator syncs to my system and brings all the users to me under my firewall. 

For us, the solution works quite well. I can't think of an area where improvements are needed. I haven't worked with it too extensively yet, so it's hard to gauge what's lacking.

The solution could be more automated. It should be able to let me automate a lot of things so that what normally is done as a matter of manual processes can be handled quicker. Slow integrations can be taken up/out if there was more automation.

I've only worked with the solution for five or six months at this point. I haven't worked with it extensively, although I do have an understanding of how it works and what to do, as well as how to configure it.

It's a stable product that integrates well with other products (such as FortiNAC). It's reliable. It doesn't give us any problems. We don't have to worry about bugs or glitches of the system crashing.

The solution is scalable. While we have plans to grow it out and integrate it a bit more with other solutions, we're not at that stage yet.

We are a company of about 200 people. The whole organization uses it at this point. All authentication happens through FortiAuthenticator.

I'm really happy with the technical support. They are responsive and knowledgable.

Before using FortiAuthenticator we were not using anything else. We just were controlling everything from our Fortinet firewall. That was the only equipment which we had at that point in time. Now, we have got FortiAuthenticator.

Going forward we might go for FortiNAC. That might be in the cards for us. However, we're not immediately going to make the switch as it offers access control.

The initial setup wasn't a problem at all. It was handled by certified Fortinet engineers. For that reason, it wasn't complex or difficult.

We had certified Fortinet engineers assist us with the initial implementation. They handled the setup and configurations as well.

We're just end users. We don't have a special relationship with the company.

We're using the latest version of the solution. It might be something around version six.

I would recommend FortiAuthenticator to other organizations.

It is really a good product. Somebody looking for a good security product should go with FortiGate products. New users should explore all the features and see how they can maximize usage.

Overall, I'd rate the solution eight out of ten.

Our primary use case for Fortinet FortiAuthenticator is, first of all, as a two-factor VPN for enhanced access security. We use this product to provide secure access for all of our employees. 

Our other use cases have to do with using FortiAuthenticator for other security projects which includes things like access to some important web applications. 

One of the things I find most valuable in FortiAuthenticator is the detail in the logs. The log features are very good and the detail makes it easier to control what happens in the environment. 

Another valuable feature is that it is an on-premise solution. Because of some regulations, we can not use this particular type of product for security on cloud. We chose FortiAuthenticator because it is an on-premise solution. 

There is nothing that really stands out as something that needs desperately to be added or improved. We are using Fortinet all the time, we know their GUIs, so we can manage well with FortiAuthenticator also. 

The main problem now is not exactly with the product itself. We are using FortiAnalyzers. But when we use that product with FortiAuthenicators, we can not use SQL language to access data from the FortiAnalyzers database. When we use it with FortiGate, we can query the FortiAnalyzers database, but it is not possible to do it directly with the FortiAuthenicators. This integration should be better. 

We have not really faced any problems with stability up until this point. The product has not given us any reason to question the stability. 

We have not needed to use the Fortinet technical support up until now. I do not know about it firsthand. The product is very easy-to-use and someone can easily manage working with it, so we do not need any support. We do have the support contract, but we have not used it at all. 

The initial setup was not complex at all. It is actually very easy. 

I think FortiAuthenticator is more expensive than other products like Cisco Duo. It could be more competitively priced. 

We want to use high-availability in our products, so we need to get a higher grade and more expensive license for that purpose. 

On a scale from one to ten where one is the worst and ten is the best, I would rate Authenticator as about a seven-point-five. If it has to be seven or eight, I would choose eight. 

I have not used many products in that category with our site, but we can do what we want and need to do with that product. 

We use this product for SSL two-factor authentication and FortiToken management.

It does the job I paid for, but the graphical interface could be improved. If we take FortiGate or Fortinet, the graphical user interface is better designed. I think they can work on this.

It would be good to remove the FortiAuthenticator or to combine FortiAuthenticator and Fortinet. That would provide a single platform that can manage network access and user management. It doesn't make sense for me to sell FortiAuthenticator to a customer and then sell them Fortinet as well. I think they should just combine them into one solution.

The solution is stable. I installed it two years ago, but we rarely check the internet for changes. It's really stable. We don't have problems.

I think it's scalable. There are two kinds of appliances: virtual and physical. If you do a good sizing, the physical one can remain with the customer for a long time. The virtual one can be increased as you need. You can pay as you go with them. You purchase a base license and add to it as needed.

I have done an installation at an operator with over 200 users. That is the biggest one I've done.

I don't usually have problems with this solution so I rarely test the support features. I cannot evaluate the support team.

It was straightforward to implement and took one day to deploy.

I would rate this solution as seven out of ten. I know there are other solutions that have a more modern graphical interface and provide better user management functionality. We need to tell the customer to get two solutions instead of doing the job with just one. I think I could give eight or nine to another solution, but FortiAuthenticator should be a seven.

I am a solution architect and my company works purely for Fortinet, implementing all versions on a daily basis, so we're not end-users. The company is an exclusive distributor implementing the product.

The primary use case of the product is usually for multifactor authentication using two-factor authentication with tokens. Sometimes people require two factors with a token. Sometimes they need the latest POC. I do a proof of concept for windows login. They need the agent who authenticates with SMS, token or email.

Usually, I do an integration with the firewall. I would prefer to do it with FortiGate, but sometimes I need to integrate as a radius client and it depends on which firewall. I prefer FortiGate. Sometimes they'll need to add an SMS as the second factor of the two-factor authentication. But usually, we do it as an unarmed radius FortiGate, or firewall would be for a radius client and radius server. Sometimes clients will ask whether we have integration with a social portal like Facebook, but we don't. 

There aren't any major features that I think should be improved. I like this product. As a multifactor authentication, we have the SAML function. If you compare it with RSA or Gemalto, it does a good job. I'm able to perform multifactor authentication in different ways via emails, SMS, it's a great product. For someone concerned with multifactor authentication, I'm satisfied with the product.

There aren't any major additional features they could include in the next release but the one thing they used to include was the SMS gateway from the ISP. Fortinet used to sell that but they don't anymore and I think it would be helpful for end-users if they brought it back. I would recommend that. People are asking for it because they don't like having to rent it from their mobile provider. 

The product is very stable. I love it. 

I think it's a scalable product. I haven't compared it to the competitors but it's scalable. 

Part of the reason it's such a good product is that I don't recall ever needing to call for technical support. 

Initial setup and configuration are very straightforward. From a technical perspective, you need to know where to do the PDS but if you have a technical background it should be very straightforward. I just bring the VM or the trial license and I start to do the POC, usually with the VM.

Initial setup and deployment sometimes need integration with FortiGate, and sometimes via the captive portal. It takes a maximum of an hour, but it also depends on the end-user and what they need to be integrated into the system, like features such as SMS gateway parameters. 

I think the setup cost is reasonable, and we don't need to renew the license. Sometimes there are extra costs for the VM. Our main competitors are RSA and Gemalto, and the Fortinet prices are very competitive relative to their prices. 

As a distributor of Fortinet, I would suggest people give this product a little bit of focus. I mean we can do well on this product if we concentrate on it. People don't know about the two-factor authentication and that it's easy and straightforward. We also include some features for free but I suggest that people using Fortinet just focus on this product. FortiAuthenticator has created a straightforward easy-to-use product.  

I would rate it a nine out of ten. Not a ten because nothing is perfect. 

We primarily use the solution for FortiToken multi-factor authentication and as a VPN for login devices, among other cases.

The solution is easy to learn and makes it easy for our users to add FortiToken. It's very easy to integrate if you have other Fortinet devices. 

We have issues with HA (high availability). These should be addressed in future releases.

The solution is very stable. I'd say it's about 97% stable. We haven't experienced any crashes or anything of that nature.

We haven't really tested scalability that much. We have about 200 users and we don't plan to increase usage any time soon.

Technical support used to be much better. Fortinet seems to be downgrading, so everything takes longer to get a response in comparison to the past. When you make a ticket it may take as much as three days before it gets assigned.

The initial setup was very easy.

We handled the implementation ourselves.

The cost is okay. It's moderate to inexpensive.

We use the on-premises deployment model. We're both customers and partners with Fortinet.

I'd rate the solution eight out of ten.

We primarily use the solution to get users.

The solution's most valuable aspect is that it easy to install. The user experience is very good.

I've only been using the solution for one month, so I haven't come across any glaring issues so far.

The hardware aspect of the solution could be improved. We are not really able to understand the hardware capabilities of the device.

The solution is quite stable. They also send out upgrades quite often.

Technical support is okay. There are some people that are quite experienced while others are less so. However, they always give me an answer. If you don't have local support at the regional level you may have to rely on Google a bit. In my experience, however, it's been fine. They are very quick.

I've previously used WatchGuard. Fortinet is better for what is there, even though their prices are quite similar.

The pricing is okay. It could always be less expensive, however.

We use the on-premises deployment model.

I'd rate the solution eight out of ten. We have to compromise between price and functionality. If we had the money, we'd probably go with Palo Alto. However, it's much more expensive. 

The solution is really important to ensure double authentication for the user. For example, if you have an internal messenger and you want to ensure the access externally for users, you can implement the two-factor authentication. Also, for the VPN, you can implement two-factor authentication to avoid any kind of hacks.

If you want some other FortiAuthenticator from one site to another site, you should have requirements, but really if you have authentication and directory or another solution, you should change the password of the authenticator between the solution and the directory and other things. So the transfer of data and other information should be simpler.

In the future, I think h02.exe is very important to authenticate users internally. To economically move the person from vnom to vnom. Also, the ESO to ensure the authentication of users should be a bit more automated.

In my opinion and my experience, I didn't have any problem with the solution, just the requirements for other solutions that we should integrate with it. I think the solution is easily implemented, and, in my opinion, there is no problem with this solution. Just a bit of correction is needed, and that's it.

My impression is that the solution is good and I like it and I would work with it for another project and increase my skill on the solution.

I have worked with them, so I like the technical support of Fortinet. I would give them a good mark.

The initial setup is so easy and there is no problem in the implementation. We can implement it easily in a different kind of infrastructure.

I started working on FortiAuthenticator from last year. I have had a chance to deploy many, many projects on FortiAuthenticator. I deploy 10 next-gen projects on FortiAuthenticator. I deploy many defensive scenarios. Also, I have good experience with large products.

You should make sure to implement the requirements via experts like me, so you can implement the product carefully. In that way, you can use it clearly in a simplified manner.

For FortiAuthentication, it's a good price in comparison to any other competitor. Other products are so expensive, and the features are the same. There might be a bit of difference between the two products, but if you want just double authentication and some other features, I think I recommend the FortiAuthenticator, and it is low cost and has other defenses.

In my opinion, I recommend the solution. You can also use it for other things like h02.exe for authentication of users. Also for ESO. There are five things you can use it for, so I recommend the product. The low cost is very important for any customer.

I would rate this solution eight out of 10.

The feature I value the most is the one-time passwords because it helps to authenticate users so you know the timing of their usage.

I don't have any issues with this solution, but it may need a better, more user-friendly interface or better design of the platform.

I have found that the solution is very stable. I am officially conducting at FortiGate and I found that it was so easy to conduct my environment and control my environment with this solution. 

We have seven users licensed on this solution. With FortiAuthenticator it is so easy to manage our users and it is scalable to all the users at our university or in our environment.  

I am really impressed by the technical support because they were very helpful. Once we logged our complaint, we received an answer from them in no time, and they quickly fixed our issue. 

The initial setup is very easy.

I will recommend this solution to others who are considering to use it. I give it a ten out of ten rating.

The basic use we have for FortiAuthenticator is multi-pack authentication.

FortiAuthenticator has helped a lot of our customers in the way that they do the business when they onboard their clients to the data center. It has drastically changed what they used to do earlier after the installation.

It is cost-effective. The users can be securely managed by adopting it.

They need to have some kind of write-up and solution document that people can access very easily. All of the Cisco documentation is available on their website and in other places. They should make it available to the public. 

The more people know about this product, the better. That will make it easier for them to position FortiAuthenticator to their customers or use the product in production.

Other features that would improve the product are a single sign-on where people can use their Gmail ID to log-in, etc. This feature we wanted and now they are rethinking it. At this stage, I can't give any other suggestions for improvement other than this.

A single sign-on is used to create a user ID and password for the user to get onto the network. You can ask them to use their LinkedIn credentials or maybe Gmail, some of the social networking credentials to gain access.  

This is useful when you are onboarding any guest users for internet access. This is something that is a very good feature which they could have integrated already.

It's very stable when compared to other products.

For scalability, you need to size FortiAuthenticator properly. You should plan it initially, then make the implementation. 

It's is not 100%, maybe 80% on the scalable side. There are some places where we use it for 800 to 1000 users. With the proper deployment, we can support close to 2000 users.

You need certified people to understand this product like dedicated engineers. You need a person that knows the product and how it works. 

Otherwise, if any new person comes to FortiAuthenticator, it will be very difficult for them to understand. Over time, you'll be able to get to know the layout and how the product works.

Technical support is quite good, There is something called the 8x5 and 24x7 technical support for the solutions. If you have 24x7, they will respond immediately. 

If you have 8x5, and they will respond next business day depending on how soon the TAC engineer picks your request for your deployment or ongoing support issues.

We used a different method as a solution, primarily SafeNet, but there are others. It all depends on a customer-to-customer and case-to-case basis. It depends on the budget and what the customer asks for in the contract. 

At the end of the day, it all revolves around the money, i.e. how many dollars you pay for the solution.

The initial setup is straightforward. It's not that complex. If you know about the product, you will be able to do the setup. 

It takes generally, one to two weeks for the full-fledged deployment. We have a demo unit. We just used that for showcasing the capability of the device to all of our customers. 

Once they start using it, they would advise on the deployment.

There is an economic investment on this product that compares to other products from Cisco. There is a ROI on this product.

You buy the pack for 100 to 200 users. Once it goes over, you have to renew it on a yearly basis. It may be on a term where you license for one business. Officially, the authentication license has a third-party involved. Then you need to take your action. 

I don't see any additional license costs from FortiAuthenticator, but for the add-on features like MS Gateway, etc., you need to buy them.

FortiAuthenticator is a very good solution. It is all jury-based. FortiAuthenticator is very easy for anyone to understand how it works and be able to take action.

I would rate FortiAuthenticator with an eight to nine.

We implement FortiAuthenticator in situations where there are multiple Active Directory domains. Other use cases include:

• When we need to use FortiClient to keep track of users as they move around different locations where normal FSSO would have issues
• When we need to use one FortiToken for multiple Fortigates
• When we want to use it as a domain controller.

The FortiAuthenticator can do many things.

It keeps track of users and their IPs no matter where they are in the network. When users roam, we don't have to worry about not mapping them to an IP.

Valuable features include the robust SSO features, when you have more complicated authentication within an organization. We can mix AD, Radius, Portal, SSO Portals (Google, etc.), and build our own environment. It is very flexible.

The GUI is on the older side but I'm sure that it will be upgraded soon. It works, but it looks a little dated.

This solution is used for 2FA for Desktop and VPN access. Each computer, server and VPN access has to have a 2FA and the solution allowed us to accomplish this with a fob or phone app. We use the fob as phones are not owned by the company.

This was a regulation we needed to fill and it worked at a good price. It provided a solution that allowed us to fulfill the requirement.

• Easy integration with FortiGate to allow for 2FA with our VPN.
  
• Addition and removal of access as needed for the VPN.

For my use of this solution, not much needs to change. I do not mind the way it works currently. However, I would recommend a more fluid integration with FortiGate.

Standards-based secure authentication

FortiAuthenticator centralizes the management and storage of user identity information, thereby increasing the efficiency of administration and increasing the control over who accesses the network.

• Two-factor authentication using tokens

1- OATH-compatible time-based tokens (Hardware tokens FortiToken200/FortiToken220)
2- USB certificate-based tokens FortiToken-300)
3- FortiToken Mobile for Android, iOS, and Windows Mobile
4- SMS and email tokens

• Wired/Wireless authentication using the 802. 1X standard
• Certificate management
• Captive portal guest management
• Fortinet Single Sign-On

Central management of user Identities and access

FortiAuthenticator extends two-factor authentication to multiple FortiGate appliances and to third-party solutions that support RADIUS or LDAP authentication

FortiAuthenticator can create, sign, and revoke X.509 certificates.

FortiAuthenticator can sign user certificate signing requests (CSRs) and distribute certificate revocation lists (CRLs) and CA certificates.

FortiAuthenticator verifies the identity of the external LDAP server by using a trusted CA certificate

FortiAuthenticator has expanded the capabilities of captive portal from credential authentication to include social WiFi authentication and MAC address authentication.

Social WiFi authentication allows FortiAuthenticator to utilize third-party user identity methods to authenticate users into a wireless guest network. Supported authentication methods include:Google+, Facebook, LinkedIn, Twitter which include SMS- and email-based authentication

Fortinet Single Sign-on (FSSO) enables FortiAuthenticator to leverage the existing network authentication systems for firewall authentication. (Windows Active Directory (AD) or Novell eDirectory)

1- Integration with different vendor firewalls (I tested only with Cisco using Cisco ASDM 6.3 (5) but i am not sure if it works with other vendor solutions)

2- A lot of configurations are available only from CLI

3- Documentation/videos for different implementation scenarios

1 year

It is very stable.

VM platfroms are scalable based on the business needs.

10/10

9/10

We used FortiGate to manage tokens and user identities but FortiAuthenticater includes more features.

All Fortinet solutions are easy to implement.

Integrated RADIUS server with 802.1x functionality and access control. Single Sign On and AD integration. It integrates very tightly with the rest of the Fortinet ecosystem.

It integrated with the existing Cisco wireless infrastructure to solidify the way people authenticate onto the network. It permitted having a centralized area to authenticate all users and enabled SSOimplementation.

A better integration with other vendors. The device is rich in features but there are a lot of functionalities I have still not experienced with.

Two and a half years.

Overall not really, a few hiccups with the syncing with AD but nothing major.

Not in my experience. The device can scale on a VM with an additional license. And there are boxes that can support thousands of users (which I have still not met).

Very good. In our area we get support both in French and English and the response times are usually pretty decent.

We are a Fortinet reseller and integrator so there were no "switches" per say.

The setup process can be tedious.

I would start off with a VM including the base license and scale according to the number of users you need to authenticate.

ClearPass by Aruba and ISE by Cisco are the two main competitors in this space. To me ClearPass seams to be the most feature-rich solution for the price and vendor neutral as is FortiAuthenticator.

I strongly recommend someone accompany you in the initial deployment of the product to view all the functionalities that the platform is capable of doing.

• User management with many credential sources: LDAPs, RADIUS, Social login, SAML, tokens, and local
• Captive portal server: Used to configure several portals for each service
• User friendly GUI with many features
• Very powerful

We are now enjoying social login in public Wi-Fi environments with very easy deployment and a maximum level of security.

I would like to see support for more credential authentication protocols.

I have used the product for six months.

I did not encounter any stability issues.

I did not encounter any scalability issues.

I would give technical support a rating of 10/10.

We used FreeRADIUS. It had limited authentication protocols (only RADIUS), no GUI, and very complicated management.

We enjoyed an easy deployment. There are many documents with guides and best practices.

This solution comes with a low price for the features, power, and ease of licensing.

We looked at FreeRADIUS and Ciso ISE.

This is a perfect solution for authentication services.

The valuable features are the granularity of the security settings and the relative ease of adding users. It also makes it really nice and easy to remove access from users that have left us or who are doing things they shouldn’t be doing.

It made things much easier for dealing with users BYOD for our secured wireless networks. We also use this in conjunction with an MDM solution. It makes a nice package that is easy for our end-users and is very secure.

The interface is a bit misleading in areas. Finding some settings can be a bit confusing and difficult. I would also like to see a few more real world examples given in the setup section.

We have used this solution for one and a half years.

We did not have any stability issues. This runs on our VMware environment and we have never had an issue with stability.

As this is a virtual device, we had no scalability issues. If we need more users, we just add more licenses. This makes it nice as there is no physical appliance to outgrow.

Configuration of the virtual device was very straightforward.

The configuration of the settings in the authenticator was a bit more confusing. We did have to contact support a few times to work through some configuration issues. They also helped us set up some configurations for the active directory and our local certificate servers.

The price was very reasonable given what it can do.  Licensing was also very reasonable.

Just make sure you do an accurate count of what you will need for licenses. If you run out of licenses, no additional users will be able to authenticate through this device.

Planning is the key to a successful implementation. Know what you want to accomplish out of the gate before you get started. Make sure you test before rolling out to end users. Due to really tight timelines, we missed a couple of key settings and configurations.

One of the most valuable features is the simple FSSO (Fortinet Single Sign-On) configuration that helps to manage user-based security rules.

It is a cool security product. It's easy to use, implement and maintain, but there is room for improvement.

When we came across access management, we required several technical features to help manage user access to critical systems and remote access. That’s why we always go for a SSO two-factor authentication server. FortiAuthenticator is a bundle of these features. It has its own hardware and software token for two-factor authentication. It supports single sign-on and seamless integration with user-based web filtering, without any prior authentication. It can act as a Radius server to support other systems for Radius authentication. One of the common practices is using FortiAuthenticator with Dot1.X network access control.

The GUI is not fancy enough and some of the settings are difficult to access.

Part of the configuration has to be done by CLI, which is not friendly for security administrators.

Integration with other firewalls may not be as good as expected.

I have used it for two years, mostly implementation for clients.

No stability issues so far, as long as the number of users is not too large.

No issues for scalability: It is easy to add new resources as we deploy virtual machines.

FortiCare can provide prompt replies. They have basic knowledge on every single product in the Fortinet family. They have a standard protocol to response to support cases which is great. They are willing to accept RMA for technical difficulties that cannot be solved in a short period of time.

I have tried Cisco ISE as a NAC solution. Cisco ISE is the "Terminator" of NAC solutions, which has numerous features to prevent unauthorized access. However, its integration with FortiGate firewall is not great. When I use the SSLVPN service from FortiGate, it fails to authenticate with two-factor authentication. For this, using FortiAnthenticator would be a good choice for its genuine integration.

It is quite straightforward to set up the FortiAuthenticator. We mainly deploy as a virtual machine. An OVF file is provided by Fortinet and you just simply compile the file in the VMware environment. Upon simple configuration, such as IP address and default gateway, you can access the web GUI and do any configuration, as you like.

Licensing is straightforward, as Fortinet provides stackable licenses for FortiAuthenicator. Count the number of users and select sufficient licenses. Pricing is acceptable; much cheaper than Cisco ISE.

I have tried Cisco ISE. For state-of-the-art features, I would recommend Cisco ISE because of its brilliant features. But I would recommend FortiAuthenticator, if you are currently using FortiGate firewall and you seek a well-suited, complimentary NAC solution.

The need for a NAC solution depends on your infrastructure. If you are a Fortinet user, FortiAuthenticator would be a nice choice to enhance security on VPN and web access. However, there are many other choices, such as ForeScout, which is vendor-neutral, to support different systems from different vendors.

The valuable features are:

• Two-factor authentication
• User ID with our LDAP service
• Integration with our other FortiGates

By using one of our units as a load-balancing slave, we were able to roll out location-based VPNs that created quicker connections to local servers for our end users. Furthermore, incorporating a LBS unit has provided preventative measures and ensured that our remote users can still connect if a failure occurs on our master authentication unit.

It was initially difficult to sync our high availability, load-balancing slave (LBS) to our master unit. There were some initial issues connecting it and syncing with our master FortiAuthenticator unit. After reaching out to Fortinet support, it turned out that the unit needed a software update.

I would like to see the following:

• Creating an easier implementation of software patches.
• Designing the admin profiles to sync across, instead of having to recreate them. (I see how this could be problematic with security measures.)

We've been using our master unit for about a year and our LBS for about six months.

We had some stability issues. Our first LBS unit wouldn't work properly the first time and that wasted a lot of time. Eventually, it died and we had to RMA the unit.

We didn't have any issues with scalability.

The technical support we received from Fortinet was responsive. When we experienced problems, they were able to fix our issues.

Before implementing our FortiAuthenticators, we used our main FortiGate as a way to push out two-factor codes to our users. After a while, this option was not working. As we continued to grow, we needed something more substantial and manageable.

The initial setup was somewhat difficult in syncing our LDAP service to our main FortiGate.

Before using the FortiAuthenticator, we pushed out tokens via our main FortiGate.

If you want a more efficient way to manage two-factor authentication for your users, or implement the unit as a cluster member role, the FortiAuthenticator can be incorporated very well into your environment.