Fortinet Community

As a best practice, it is advised to enable only the services used.

Here are the services possible to enable when FortiAuthenticator is configured to act as a server:

• Self-service Portal (/login):
  It allows a self-service portal to be shown on this interface.

• Guest Portals (/guests):
  It allows guest portals to be shown on this interface.

• SAML IdP (/saml-idp):
  Enable when FortiAuthenticator is configured as an Identity Provider for SAML authentication (SAML IdP).

• SAML SP SSO (/saml-sp, /login/saml-auth):
  Enable when FortiAuthenticator acts as a Service Provider (SP) to request user identity information from a third-party Identity Provider (IDP).

• Kerberos SSO (/login/kerb-auth):
  Enable when the Kerberos user portal is configured for login.
  Kerberos authentication allows the FortiAuthenticator to identify connecting users through a Kerberos exchange after a redirect from a FortiGate device.

• SCEP (/cert/scep):
  It is used when expecting certificate enrollment requests on this interface from SCEP clients.
  FortiAuthenticator contains a Simple Certificate Enrollment Protocol (SCEP) server that can sign user CSRs and distribute CRLs and CA certificates.

• CRL Downloads (/cert/crl):
  Allows the download of Certificate Revocation Lists.

• FortiToken Mobile API (/api/v1/pushauthresp, /api/v1/transfertoken):
  This API 'pushauthresp' is for use by FTM2 to send back the OTP for login verification.
  This API 'transfertoken' is for use when migrating tokens.

• OAuth Service (/api/v1/oauth, /api/v1/pushpoll, /guests, /portal):
  Enable OAuth service access. FortiAuthenticator can act as an authorization server to issue and manage OAuth access tokens via a set of REST API endpoints.

Used when Fortinet Single Sign-On (FSSO):

• SAML IdP SSO (TCP/8143).
• FortiGate FSSO (TCP/8000).          
• FortiClient FSSO (TCP/8001).          
• Hierarchical FSSO (TCP/8003).     
• DC/TS Agent FSSO (TCP/8002).   

Known protocols and their ports:

• RADIUS Accounting Monitor (UDP/1646): used for earlier Radius accounting deployments, on new deployments is port 1813.
• RADIUS Auth (UDP/1812): Enable if RADIUS authentication is offering services.RADIUS encrypts only the users' password as it travels from the RADIUS client to the RADIUS server.
• RADIUS Accounting SSO (UDP/1813): FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server or network device, such as a wireless controller, collects additional group information, and then inserts it into FSSO to be used by multiple FortiGate or FortiCache for identity-based policies.
• RADSEC (TCP/2083): Radius Secure is a protocol for transporting RADIUS datagrams over TCP and TLS. Enable if to configure secure communication of RADIUS packets over TLS. 
• TACACS+ Auth (TCP/49): Used when a TACACS+ authentication is configured.TACACS+ encrypts all the information and therefore does not have the vulnerabilities present in the RADIUS protocol. 
• LDAP (TCP/389): When a remote LDAP server for authentication has been configured.
• LDAPS (TCP/636): Secure LDAP configured
• OCSP (TCP/2560): Online Certificate Status Protocol (OCSP), it is configured to check the certificate status.
• Syslog (UDP/514)  
• Syslog over TLS (TCP/6514)   

Note that Syslog and Syslog over TLS options are only available if Syslog SSO has been enabled.

The FortiAuthenticator can parse username and IP address information from a syslog feed from a third-party device and inject this information into FSSO so it can be used in FortiGate identity-based policies.

Keep in mind:

• A disabled service will not answer queries as it is not active.
• Enabling the service but leaving it unconfigured will make the service respond to queries, even with incorrect responses.
• This will use resources and may cause a potential attack.