FortiAuthenticator provides access management and single sign on.
Article Id 267850
Description This article describes all the services that are possible to enable on the FortiAuthenticator interface and why they are configured.
Scope FortiAuthenticator.

As a best practice, it is advised to enable only the services used.

Here are the services possible to enable when FortiAuthenticator is configured to act as a server:




  • Self-service Portal (/login):
    It allows a self-service portal to be shown on this interface.


  • Guest Portals (/guests):
    It allows guest portals to be shown on this interface.


  • SAML IdP (/saml-idp):
    Enable when FortiAuthenticator is configured as an Identity Provider for SAML authentication (SAML IdP).


  • SAML SP SSO (/saml-sp, /login/saml-auth):
    Enable when FortiAuthenticator acts as a Service Provider (SP) to request user identity information from a third-party Identity Provider (IDP).


  • Kerberos SSO (/login/kerb-auth):
    Enable when the Kerberos user portal is configured for login.
    Kerberos authentication allows the FortiAuthenticator to identify connecting users through a Kerberos exchange after a redirect from a FortiGate device.


  • SCEP (/cert/scep):
    It is used when expecting certificate enrollment requests on this interface from SCEP clients.

    FortiAuthenticator contains a Simple Certificate Enrollment Protocol (SCEP) server that can sign user CSRs and distribute CRLs and CA certificates.


  • CRL Downloads (/cert/crl):
    Allows the download of Certificate Revocation Lists.


  • FortiToken Mobile API (/api/v1/pushauthresp, /api/v1/transfertoken):
    This API 'pushauthresp' is for use by FTM2 to send back the OTP for login verification.
    This API 'transfertoken' is for use when migrating tokens.


  • OAuth Service (/api/v1/oauth, /api/v1/pushpoll, /guests, /portal):
    Enable OAuth service access. FortiAuthenticator can act as an authorization server to issue and manage OAuth access tokens via a set of REST API endpoints.


Used when Fortinet Single Sign-On (FSSO):

  • SAML IdP SSO (TCP/8143).
  • FortiGate FSSO (TCP/8000).          
  • FortiClient FSSO (TCP/8001).          
  • Hierarchical FSSO (TCP/8003).     
  • DC/TS Agent FSSO (TCP/8002).   


Known protocols and their ports:

  • RADIUS Accounting Monitor (UDP/1646): used for earlier Radius accounting deployments, on new deployments is port 1813.
  • RADIUS Auth (UDP/1812): Enable if RADIUS authentication is offering services.RADIUS encrypts only the users' password as it travels from the RADIUS client to the RADIUS server.
  • RADIUS Accounting SSO (UDP/1813): FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server or network device, such as a wireless controller, collects additional group information, and then inserts it into FSSO to be used by multiple FortiGate or FortiCache for identity-based policies.
  • RADSEC (TCP/2083): Radius Secure is a protocol for transporting RADIUS datagrams over TCP and TLS. Enable if to configure secure communication of RADIUS packets over TLS. 
  • TACACS+ Auth (TCP/49): Used when a TACACS+ authentication is configured.TACACS+ encrypts all the information and therefore does not have the vulnerabilities present in the RADIUS protocol. 
  • LDAP (TCP/389): When a remote LDAP server for authentication has been configured.
  • LDAPS (TCP/636): Secure LDAP configured
  • OCSP (TCP/2560): Online Certificate Status Protocol (OCSP), it is configured to check the certificate status.
  • Syslog (UDP/514)  
  • Syslog over TLS (TCP/6514)   

Note that Syslog and Syslog over TLS options are only available if Syslog SSO has been enabled.

The FortiAuthenticator can parse username and IP address information from a syslog feed from a third-party device and inject this information into FSSO so it can be used in FortiGate identity-based policies.


Keep in mind:

  • A disabled service will not answer queries as it is not active.
  • Enabling the service but leaving it unconfigured will make the service respond to queries, even with incorrect responses.
  • This will use resources and may cause a potential attack.