
Administration Guide

User management

The FortiAuthenticator user database can associate extensive information with each user, as you would expect of a RADIUS or LDAP server. This includes whether the user is an administrator, is allowed to authenticate over RADIUS, or uses two-factor authentication, as well as personal information such as full name, address, password recovery options, and the groups the user belongs to.

The RADIUS server on FortiAuthenticator is configured using default settings. For a user to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected for that user’s entry, and the FortiGate unit must be added to the authentication client list. See RADIUS service.

Administrators

Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators. Both local users and remote LDAP users can be administrators.

Once flagged as an administrator, a user account’s administrator privileges can be set to either full access or customized to select their administrator rights for different parts of FortiAuthenticator.

The subnets from which administrators are able to log in can be restricted by entering the IP addresses and netmasks of trusted management subnets.

There are log events for administrator configuration activities. Administrators can also be configured to authenticate to the local system using two-factor authentication.

An account marked as an administrator can be used for RADIUS authentication if Allow RADIUS Authentication is selected. See RADIUS service. These administrator accounts only support Password Authentication Protocol (PAP). With PAP the password is protected on the wire only by the RFC 2865 shared-secret obfuscation, so use a long, random RADIUS shared secret and keep the path between the RADIUS client and FortiAuthenticator on a trusted network.

See Configuring a user as an administrator for more information.
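What "PAP only" means on the wire is easiest to see by building the packet. The following is an added example, not FortiAuthenticator or FortiGate code: it serializes a RADIUS Access-Request with a PAP-encoded User-Password exactly as RFC 2865 section 5.2 specifies, and shows that anyone holding the shared secret recovers the password in full. The shared secret, NAS address and credentials are constructed for illustration.

```python
"""RADIUS Access-Request carrying a PAP-encoded User-Password (RFC 2865, section 5.2).

Added example, not FortiAuthenticator or FortiGate code. The shared secret,
NAS address and credentials are constructed for illustration.
"""
import hashlib
import secrets
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a PAP password as RFC 2865 describes: pad to a multiple of 16,
    then XOR each 16-byte chunk with MD5(secret + previous chunk), seeding the
    first chunk with the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return bytes(out)


def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_encode. Anyone holding the shared secret and the packet can
    do this, which is why PAP is only as private as the secret and the network
    path between RADIUS client and server."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")   # strip the RFC padding


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         nas_ip: str, identifier: int = 0,
                         authenticator: bytes = b"") -> bytes:
    """Serialize a minimal Access-Request: 20-byte header followed by
    User-Name, User-Password and NAS-IP-Address attributes."""
    authenticator = authenticator or secrets.token_bytes(16)  # fresh random per request
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the header; returns {type: value}."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # stands in for the RADIUS client's shared secret
    pkt = build_access_request("rgreen", "S3cret-passw0rd", secret, "192.0.2.10", identifier=7)
    attrs = parse_attributes(pkt)
    # Server-side view: with the secret and the Request Authenticator, the password is recovered.
    print(pap_decode(attrs[ATTR_USER_PASSWORD], secret, pkt[4:20]))
```

The decode step is the point: the MD5/XOR construction is reversible by design, so the confidentiality of an administrator's RADIUS password rests entirely on the shared secret and on the network between the FortiGate and FortiAuthenticator.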

Groups for administrators

Local and remote user accounts with administrator or sponsor roles can be added to groups. This provides the following benefits:

  • Group filtering of administrators.
  • A single account for individuals needing both administrator and user roles.
  • Inclusion of RADIUS attributes from groups in RADIUS Access-Accept responses.

Local users

Local user accounts can be created, imported, exported, edited, and deleted as needed. Expired local user accounts can be purged manually or automatically (see General).

To manage local user accounts, go to Authentication > User Management > Local Users.

The local user account list shows the following information:

Create New Select to create a new user.
Import

Select to import local user accounts from a CSV file or FortiGate configuration file.

If using a CSV file, it must have one record per line, with the following format: user name (30 characters max), first name (30 characters max), last name (30 characters max), email address (75 characters max), mobile number (25 characters max), password (optional, 128 characters max).

If the optional password is left out of the import file, the user is emailed temporary login credentials and requested to configure a new password.

Note that every field must be present in each record: if an optional field is empty, its comma separator must still be included so that the remaining columns stay aligned.

Export Users Select to export the user account list to a CSV file.
Edit Select to edit the selected user account.
Delete Select to delete the selected user account or accounts.
Disabled Users Purge Disabled: This offers the option to choose which type of disabled users to purge. All users matching the type(s) selection are deleted.

Re-enable: This allows the administrator to re-enable disabled accounts. Expired users accounts can only be re-enabled individually.
Search Enter a search term in the search field, then select Search to search the user account list.
User The user accounts’ usernames.
First name The user accounts’ first names, if included.
Last name The user accounts’ last names, if included.
Email address The user accounts’ email addresses, if included.
Admin If the user account is set as an administrator, a green circle with a check mark is shown.
Status If the user account is enabled, a green circle with a check mark is shown.
Token The token that is assigned to that user account. Select the token name to edit the FortiToken, see FortiToken device maintenance.
Token requested The status of the user's token request.
Groups The group or groups to which the user account belongs.
Authentication Methods The authentication method used for the user account.
Expiration The date and time that the user account expires, if an expiration date and time have been set for the account.
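A CSV import file that silently drops a comma shifts every later column into the wrong attribute, so it is worth checking the file before uploading it. The following is an added example, not Fortinet code: it validates or builds rows for the local user import format described above (column order, length limits, the optional password, and the rule that empty optional fields keep their comma), and for the guest user CSV format given later under Guest users. The sample rows are constructed.

```python
"""Validate or build CSV rows for the FortiAuthenticator user import formats.

Added example, not Fortinet code. The column order and length limits for local
users come from this page; the guest format (first name, last name, email,
mobile, group) is the one given under Guest users and states no limits.
The sample rows are constructed.
"""
import csv
import io

# (column name, max length or None, required, must be unique across the file)
LOCAL_USER_FIELDS = (
    ("username", 30, True, True),
    ("first_name", 30, False, False),
    ("last_name", 30, False, False),
    ("email", 75, False, False),
    ("mobile", 25, False, False),
    ("password", 128, False, False),   # optional: omit to have credentials emailed
)
GUEST_USER_FIELDS = (
    ("first_name", None, False, False),
    ("last_name", None, False, False),
    ("email", None, False, False),
    ("mobile", None, False, False),
    ("group", None, False, False),
)


def validate_rows(csv_text: str, fields=LOCAL_USER_FIELDS) -> list:
    """Return [(line_number, problem), ...]; an empty list means the file is clean.
    Every row must carry every column: an empty optional field still needs its
    comma, otherwise the columns after it shift into the wrong attribute."""
    problems, seen = [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row:
            continue                      # blank line
        if len(row) != len(fields):
            problems.append((lineno, f"expected {len(fields)} columns, found {len(row)}"))
            continue
        for (name, limit, required, unique), value in zip(fields, row):
            if required and not value.strip():
                problems.append((lineno, f"{name} is required"))
            if limit is not None and len(value) > limit:
                problems.append((lineno, f"{name} exceeds {limit} characters"))
            if unique and value:
                if value in seen.setdefault(name, set()):
                    problems.append((lineno, f"duplicate {name} {value!r}"))
                seen[name].add(value)
    return problems


def build_row(values: dict, fields=LOCAL_USER_FIELDS) -> str:
    """Emit one CSV line with every column present, in order, and any value
    containing a comma or quote properly quoted."""
    unknown = set(values) - {name for name, *_ in fields}
    if unknown:
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([values.get(name, "") for name, *_ in fields])
    return buf.getvalue()
```

If the file carries the optional password column it is a credential store in its own right: generate it on the host that performs the upload and delete it once the import completes.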

Adding a user

When creating a user account, there are three ways to handle the password:

  1. The administrator assigns a password immediately and communicates it to the user.
  2. FortiAuthenticator creates a random password and automatically emails it to the new user.
  3. No password is assigned because only token-based authentication will be used.
To add a new user:
  1. In the local users list, select Create New. The Create New Local User window opens.
  2. Enter the following information:
    Username Enter a username for the user.
    Password creation

    Select one of the options from the dropdown menu:

    • Specify a password: Manually enter a password in the Password field, then reenter the password in the Password confirmation field.
    • Set and email a random password: Enter an email address to which to send the password in the Email address field, then reenter the email address in the Confirm email address field.
    • No password, FortiToken authentication only: After you select OK, you will need to associate a FortiToken device with this user. See FortiAuthenticator and FortiTokens.
    Allow RADIUS authentication For a user to authenticate using RADIUS, this must be enabled.
    Force password change on next logon Enable or disable forcing the user to change their local password on FortiAuthenticator at first logon. This spares administrators from having to call or email the user to deliver credentials, which is not a secure delivery method and adds time to onboarding.
    Role Select whether the new account is for an Administrator, Sponsor, or regular User. Administrators can either have full permissions or have specific administrator profiles applied. Regular users can have their account expiration settings configured.
    Enable account expiration Select to enable user account expiration, either after a specific amount of time has elapsed, or on a specific date.
    Expire after

    Select when the account will expire:

    • Set length of time: Enter the number of hours, days, months, or years until the account expires.
    • Set an expire date: Enter the date on which the account will expire, either by manually typing it in, or by selecting the calendar icon and selecting a date.
  3. Select OK to create the new user. You are redirected to the Change local user window to continue the user configuration in greater detail.
  4. If the password creation method was set to No password, FortiToken authentication only, you are required to associate a FortiToken with the user before the user can be enabled.

Editing a user

User accounts can be edited at any time. To edit a user, go to the user account list, select a user, and select Edit from the toolbar. Alternatively, select the username in the user list.

The following information can be viewed or configured:

Username The username cannot be changed.
Disabled Select to disable the user account.
Password-based authentication

Select to enable password-based authentication.

The user's password can be changed by selecting Change Password.

Token-based authentication Select to enable FortiToken-based authentication. See Configuring token-based authentication.
Allow RADIUS authentication Select to allow RADIUS authentication. This applies only to regular users.
Enable account expiration Select to enable account expiration and specify the account's expiration. See Enable account expiration.
User Role Configure the user’s role.
Role

Select Administrator, Sponsor, or User.

If setting a user as an administrator, see Configuring a user as an administrator.

Allow LDAP browsing Select to allow LDAP browsing. This applies only to regular users.
Full permission Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.
Web service access Enable to allow this administrator to access the web services either through a REST API or using a client application. This applies only to administrators.
Restrict admin login from trusted management subnets only Enable and enter trusted IP addresses and netmasks for restricted administrator login access. This applies only to administrators.
User Information Enter user information, such as their address and phone number. See Adding user information.
Alternative email addresses Add alternate email addresses for the user.
Password Recovery Options Configure password recovery options for the user. See Configuring password recovery options
Groups Assign the user to one or more groups. See User groups.
Usage Information View the user's usage information, including bytes in/out, time used, and the option to reset the usage statistics.
Email Routing Enter a mail host and routing address into their respective fields to configure email routing for the user.
RADIUS Attributes Add RADIUS attributes. See RADIUS attributes.
Certificate Bindings Add, edit, or remove certificate bindings for the user account. See Configuring certificate bindings.
Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.
Devices Add devices, based on MAC address, for the user account.

Select OK when you have finished editing the user’s information and settings.

Configuring token-based authentication

Token-based authentication requires either a FortiToken device or a mobile device with the FortiToken Mobile app installed, or a device with either email or SMS capability.

FortiToken and FortiToken Mobile tokens must first be registered under Authentication > User Management > FortiTokens. For more information, see FortiTokens.

To configure an account for token-based authentication:
  1. To view the token-based authentication options, edit a user and select Token-based authentication.
  2. Select one of the following token delivery methods:
    • FortiToken, then select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus, as appropriate. The device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

      Optionally, select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    • Email, then enter the user’s email address in the User Information section.
    • SMS, then enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS), then enter the user's email address and mobile number in the User Information section.
  3. Select Test Token to validate the token passcode. The Test Email Token or Test SMS Token window opens (depending on your selection).
    • For email and SMS tokens, confirm that the contact information is correct, select Next, then enter the token code received via email or SMS.
    • Select Back to return to edit the contact information, select Verify to verify the token passcode, or select Resend Code if a new code is required.
    • For FortiToken, enter the token code in the Token code field, then select Verify to verify the token passcode.
  4. Select OK.
    By default, token code verification must be completed within 60 seconds after the token code is sent by email or SMS. To change this timeout, go to Authentication > User Account Policies > Tokens and modify the Email/SMS Token timeout field. For more information, see Lockouts.
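The temporary email/SMS token described above is a short code that is only valid for a limited window, is consumed on first successful use, and is replaced when a new one is sent. The following is an added example, not FortiAuthenticator code: it models that behaviour with an injectable clock so the 60-second timeout and the resend path can be exercised offline. The 6-digit code length, the attempt limit and the hashing of the stored code are assumptions of this example, not settings documented on this page.

```python
"""Temporary email/SMS token codes with a verification window.

Added example, not FortiAuthenticator code. It models the behaviour this page
describes (code sent out-of-band, must be verified within the Email/SMS Token
timeout, Resend Code replaces the outstanding code) with an injected clock so
the timeout edge case can be tested. Code length, attempt limit and the
hashing of stored codes are assumptions.
"""
import hashlib
import hmac
import secrets
import time

DEFAULT_TIMEOUT = 60   # seconds; the page's default Email/SMS Token timeout
MAX_ATTEMPTS = 3       # assumption: burn the code after a few wrong guesses


class TempTokenStore:
    def __init__(self, timeout: int = DEFAULT_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock
        self._pending = {}   # username -> (code_hash, issued_at, failed_attempts)

    def issue(self, username: str) -> str:
        """Generate a 6-digit code with a CSPRNG, store only its hash, and return
        the code for delivery. Reissuing (Resend Code) replaces any outstanding
        code for the user, so the old one stops working immediately."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = (self._hash(username, code), self.clock(), 0)
        return code

    def verify(self, username: str, code: str) -> bool:
        """Accept the code only once, only before the timeout, and only within
        the attempt budget. All three failure modes discard the pending code."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, issued_at, attempts = entry
        if self.clock() - issued_at > self.timeout:
            del self._pending[username]     # expired: the user must request a resend
            return False
        if hmac.compare_digest(code_hash, self._hash(username, code)):
            del self._pending[username]     # single use
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[username]     # a 6-digit code cannot survive unlimited guessing
        else:
            self._pending[username] = (code_hash, issued_at, attempts)
        return False

    @staticmethod
    def _hash(username: str, code: str) -> bytes:
        # Hashing keeps the code out of casual memory or log dumps; it does not
        # resist offline guessing of a 6-digit space. The attempt limit does that.
        return hashlib.sha256(f"{username}:{code}".encode()).digest()
```

The design point the page's timeout hints at: a short out-of-band code is only safe because three limits combine (time window, single use, bounded attempts). Remove any one of them and the code becomes guessable.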

Configuring a user as an administrator

For more information, see Administrators.

To set a user as an administrator:
  1. Edit a user and set Role to Administrator under the User Role section.
  2. Enable Full permission to give the administrator full administrative privileges, or enter Admin profiles to customize the administrator’s permissions.
  3. Optionally, enable Web service access to allow the administrator to access the web services via a REST API or FortiAuthenticator Agent for Microsoft Windows.
  4. Select Restrict admin login from trusted management subnets only, then enter the IP addresses and netmasks of trusted management subnets in the table, to restrict the subnets from which an administrator can log in.
  5. Select OK to apply the changes to the administrator account.

Adding user information

Some user information can be required depending on how the user is configured. For example, if the user is using token-based authentication by SMS, a mobile number and SMS gateway must be configured before the user can be enabled.

The following user information can be entered:

  • First name
  • Last name
  • Email address
  • Phone number
  • Mobile number
  • SMS gateway: select from the dropdown menu. Select Test SMS to send a test message.
  • Street address
  • City
  • State/Province
  • Country: select from the dropdown menu.
  • Language: select a specific language from the dropdown menu, or use the default language.
  • Organization: select an organization from the dropdown menu. See Organizations.

Configuring password recovery options

To replace a lost or forgotten password, FortiAuthenticator can verify the user either by a password recovery link sent by email or by a pre-arranged security question answered in the browser, after which the user must set a new password. Treat the security question as the weaker of the two: answers are often guessable or discoverable, so it should not be the only recovery path for sensitive accounts.

To configure password recovery by email:
  1. Edit a user and ensure that the user has an email address entered. See Adding user information.
  2. Under Password Recovery Options section, enable Email recovery.
    In the event that additional email addresses have been configured under Alternative Email Addresses, an email is sent to all configured email addresses.
  3. Select OK to apply the changes.
To configure password recovery by security question:
  1. Edit a user and, under Password Recovery Options, enable Security question, and select Edit.
  2. Choose one of the questions from the dropdown menu, or select Write my own question and enter a question in the Custom question field.
  3. Enter the answer for the question in the Answer field.
  4. Select OK to create the security question.
  5. Select OK again to apply the changes to the user account.
How the user can configure password recovery by security question:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Security Question, and select Edit.
  4. Choose one of the questions in the list, or select Write my own question and enter a question in the Custom question field.
  5. Enter the answer for your question.
  6. Select OK.
How the user can configure password recovery by email:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Email recovery.
  4. Optionally, select Alternative email addresses and enter additional email addresses for this user.
  5. Select OK.
How the user recovers from a lost password:
  1. Browse to the IP address of the FortiAuthenticator. Security policies must be in place on the FortiGate unit to allow these sessions.
  2. At the login screen, select Forgot my password.
  3. Select to recover your password either by Username or Email.
  4. Enter either your username or email address, as selected in the previous step, and select Next. This information is used to select the user account; if it does not match a user account, password recovery cannot be completed.
  5. Do one of the following:
    • If an email address was entered, check your email, open the email and select the password recovery link.
    • If a username was entered, answer the security question and select Next.
  6. On the Reset Password page, enter and confirm a new password and select Next.
  The user can now authenticate using the new password.

Active Directory users password reset

To allow Active Directory (AD) users to reset their password from the main login page, follow the same workflow for resetting a local user's password described above.

The Password Recovery Options setting is included in the remote LDAP users configuration page.

This feature is available for both self-service and guest portals.

Configuring certificate bindings

To use a local certificate as part of authenticating a user, you need to:

  • Create a user certificate for the user (see To create a new certificate for more information).
  • Create a binding to that certificate in the user’s account.
To create a binding to a certificate in a user’s account:
  1. Edit a user and expand the Certificate Bindings section.
  2. Select Add Binding.
  3. Select either Local CA or Trusted CA from the CA certificate dropdown menu, and select the applicable CA certificate.
  4. Enter the Common Name on the certificate. For example, if the certificate says CN=rgreen then enter rgreen.
  5. Select OK to add the new binding.
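A binding is a (CA certificate, Common Name) pair, and the lookup has to pin both: a certificate with the right CN issued by a different CA must not match, and a CN that merely contains an escaped comma must not be read as the wrong value. The following is an added example, not FortiAuthenticator code, showing that lookup in stdlib Python. The DN strings and the binding table are constructed; the "Local CA" and "Trusted CA" labels follow the dropdown on this page. It assumes the caller has already validated the certificate chain and passes the name of the CA that actually signed the certificate, and it compares CNs exactly and case-sensitively, which is an assumption of this example.

```python
"""Map a presented client certificate to a user via certificate bindings.

Added example, not FortiAuthenticator code. A binding here is a (CA certificate,
Common Name) pair, so the lookup pins both: the right CN from the wrong CA must
not match. DN strings and the binding table are constructed; exact, case-
sensitive CN comparison is an assumption. The caller is expected to have
validated the chain and to pass the name of the CA that really signed the cert.
"""

SPECIALS = '\\,+="<>;# '   # characters RFC 4514 allows to be backslash-escaped


def parse_dn(dn: str) -> list:
    """Parse an RFC 4514 string ('CN=Green\\, Rita,OU=Staff,O=Example') into
    [(attribute, value), ...]. Backslash escapes are honoured so an escaped
    comma inside a value is not mistaken for an RDN separator. Multi-valued
    RDNs ('+') and hex escapes are left as literal text."""
    pairs, key, buf, in_key, i = [], "", [], True, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn) and dn[i + 1] in SPECIALS:
            buf.append(dn[i + 1])
            i += 2
            continue
        if in_key and ch == "=":
            key, buf, in_key = "".join(buf).strip().upper(), [], False
        elif not in_key and ch == ",":
            pairs.append((key, "".join(buf)))
            buf, in_key = [], True
        else:
            buf.append(ch)
        i += 1
    if not in_key:
        pairs.append((key, "".join(buf)))
    return pairs


def common_name(subject_dn: str):
    """First CN value in the subject, or None if the certificate has none."""
    for attr, value in parse_dn(subject_dn):
        if attr == "CN":
            return value
    return None


# username -> [(CA certificate name, bound Common Name), ...]; constructed sample data
BINDINGS = {
    "rgreen": [("Local CA", "rgreen")],
    "jdoe": [("Trusted CA", "jdoe")],
}


def match_binding(username: str, issuer_ca: str, subject_dn: str, bindings=BINDINGS) -> bool:
    """True only if the user has a binding for exactly this CA and this CN."""
    cn = common_name(subject_dn)
    if cn is None:
        return False
    return any(ca == issuer_ca and bound == cn for ca, bound in bindings.get(username, []))


def find_user_by_certificate(issuer_ca: str, subject_dn: str, bindings=BINDINGS):
    """Resolve a certificate to the single account bound to it. Ambiguity
    (two accounts bound to the same CA/CN) is refused rather than guessed."""
    matches = [u for u in bindings if match_binding(u, issuer_ca, subject_dn, bindings)]
    return matches[0] if len(matches) == 1 else None
```

The issuer name must come from chain validation, never from the certificate's own Issuer field: any CA can mint a certificate claiming whatever issuer and CN it likes, and only the signature check ties the CN to the CA you trust.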

Remote users

Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers. For more information, see LDAP.

Note that you will only be able to import a maximum of five remote users if you have an unlicensed version of FortiAuthenticator-VM.

A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.

Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.

LDAP users

To import remote LDAP users:

  1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and select Import.
  2. Select a server from the Remote LDAP server dropdown menu, then select Import users or Import users by group membership, and select Go.
    An LDAP server must already be configured to select it in the dropdown menu. For information on adding a remote LDAP server, see Remote authentication servers.
  3. The Import Remote LDAP Users or Import Remote LDAP Users by Group Memberships window opens in a new browser window. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
    Note that the Member attribute field is only available if you selected Import users by group membership. It names the group attribute that lists members; with the default attribute (member), only users that appear in a group's member attribute are shown.
  4. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes. Selecting a field such as FirstName presents a list of detected attributes that can be selected. This list is not exhaustive, as additional attributes that are not displayed may be available for import; consult your LDAP administrator for a full list.
  5. Select the entries you want to import.
  6. Optionally, select an organization from the Organization dropdown menu to associate the imported users with a specific organization. See Organizations for more information.
  7. Select OK. The time required to import the remote users varies with the number of users.

To add two-factor authentication to a remote LDAP user:
  1. Edit the remote user, select Token-based authentication, and follow the same steps as when editing a local user (Editing a user).
  2. Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
  3. Select OK to apply the changes.

RADIUS users

To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS for more information about remote RADIUS servers.

The following options are available (when remote RADIUS users are available to edit):

Create New Select to create a new remote RADIUS user.
Delete Select to delete the selected user or users.
Edit Select to edit the selected user.
Re-enable Select to re-enable the status of a user that has been disabled.
Migrate Select to migrate the selected user or users. See To migrate RADIUS users to LDAP users:.
Token Select to either Enforce or Bypass token-based authentication for the selected user(s).
Search Search the remote RADIUS user list.
Username The remote user’s name.
Remote RADIUS server The remote RADIUS server on which the user resides.
Admin Displays whether or not the user is configured as an administrator.
Status Displays whether or not the user is enabled or disabled.
Token The FortiToken used by the user, if applicable.
Token Requested Displays whether or not a FortiToken has been requested for the user.
Enforce token-based authentication Displays whether or not token-based authentication is enforced.
To create a new remote RADIUS user:
  1. From the remote user list, select RADIUS users and select Create New.
  2. Enter the following information:
    Remote RADIUS Select the remote RADIUS server that the user belongs to. For more information on remote RADIUS servers, see RADIUS.
    Username Enter a username.
    Enforce token-based authentication if configured below Select to enforce token-based authentication, if you are configuring token-based authentication.
    Token-based authentication Select to configure token-based authentication.
    Deliver token code by

    Select the method by which token codes are delivered:

    • FortiToken: Select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus.
    • Email: Enter the user’s email address in the User Information section.
    • SMS: Enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user’s email address and mobile number in the User Information section.

    For FortiToken, the device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    In addition, you can optionally select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    Allow RADIUS authentication Enable or disable RADIUS authentication.
    User Role Select whether the remote user is either an Administrator (along with related permissions) or a regular User.
    User Information

    Enter user information as needed. The following options are available:

    • Email address
    • Mobile number and SMS gateway
    • Language
    • Organization - see Organizations.
  3. Select OK to create the new remote RADIUS user.
To migrate RADIUS users to LDAP users:
  1. From the remote RADIUS users list (see Learned RADIUS users), select the user or users you need to migrate, then select Migrate from the toolbar.
  2. Select an LDAP server from the dropdown menu and select Next.
  3. Enter the distinguished names for the users to migrate, or browse the LDAP tree (see Directory tree overview) to find the users.
  4. Select Migrate to migrate the user or users.

SAML users

To view remote SAML users, go to Authentication > User Management > Remote Users and select SAML users.

To create a new remote SAML user:
  1. From the remote user list, select SAML users and select Create New.
  2. The Create New Remote SAML User window appears.

  3. Enter the following information:
    Remote SAML Select the remote SAML server that the user belongs to. For more information on remote SAML servers, see SAML.
    Username Enter a username.
    Disabled Enable or disable the user account.
    Token-based authentication Select to configure token-based authentication.
    Deliver token code by

    Select the method by which token codes are delivered:

    • FortiToken: Select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus.
    • Email: Enter the user’s email address in the User Information section.
    • SMS: Enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user’s email address and mobile number in the User Information section.

    For FortiToken, the device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    In addition, you can optionally select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    User Information

    Enter user information as needed. The following options are available:

    • First name
    • Last name
    • Email address
    • Mobile number and SMS gateway
    • Language
    • Organization - see Organizations.
  4. Select OK to create the new remote SAML user.
To import remote SAML users:
  1. From the remote user list, select SAML users, and select Import.
  2. The Import remote SAML Users window opens.

  3. Select the following:
    Remote SAML server Select the remote SAML server from which the users will be imported. For more information on remote SAML servers, see SAML.
    Group Select the SAML server group to import users from.
  4. Select OK to import the remote SAML users.

Remote user sync rules

Synchronization rules can be created to control how and when remote LDAP and SAML users are synchronized. To view a list of the remote user synchronization rules, go to Authentication > User Management > Remote User Sync Rules.

To create a new remote LDAP user synchronization rule:
  1. From the Remote User Sync Rules page, select LDAP users, and select Create New.
  2. Configure the following settings:
    Name Enter a name for the synchronization rule.
    Remote LDAP Select a remote LDAP server from the dropdown menu. To configure a remote LDAP server, see LDAP.
    Base distinguished name Base DN of the remote LDAP server that automatically populates when a remote LDAP server is selected above.
    LDAP filter Optionally, enter an LDAP filter. Select Test Filter to test that the filter functions as expected.
    Token-based authentication sync priorities Select the required authentication synchronization priorities. Drag the priorities up and down in the list to change the priority order.

    Sync every

    Select the amount of time between synchronizations.

    Sync as Select to synchronize as a remote user or as a local user. Selecting either option opens a dialog box displaying the user fields that are synchronized for that selection.

    User Role

    Select the user role to assign to remote users. Users assigned the role of Administrator are granted full permissions, so every account the rule's filter matches becomes a full administrator; scope the filter or group narrowly if you choose this role.

    Group to associate users with Optionally, select a group from the dropdown menu to associate the users with, or select Create New to create a new user group. See User groups.
    Organization Optionally, select an organization from the dropdown menu to associate the users with, or select Create New to create a new organization. See Organizations.
    Certificate binding CA

    Certificate binding CA for users who use remote user sync rules.

    When the Certificate binding common name field is populated (under LDAP User Mapping Attributes) this field must also be specified.

    Do not delete synced users when they are no longer found on the remote server

    Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    Proceed with rule even when response empty

    Select to enforce the synchronization rule even when the LDAP response is empty. Use this option to delete all users from a FortiAuthenticator group when the synchronization rule returns an empty response. This option is only available when Do not delete synced users when they are no longer found on the remote server is disabled.

    Warning: This option should be used with caution. An error from the administrator (e.g. a typo when changing the LDAP query) could cause the deletion of all existing synchronized users, requiring the administrator to reprovision any assigned FortiTokens.

    LDAP User Mapping Attributes Optionally, edit the remote LDAP user mapping attributes.

    Debugging Settings

    Optionally, log synchronization details, including LDAP query results. These log files can be downloaded under Debug Report > LDAP Sync. In addition, select whether to delete synchronized users when they are no longer found on the remote server.

    Preview Mapping Select to preview the LDAP user sync mappings in a new window.
    Show Sync Fields Select to view the user fields that will be synchronized.
  3. Select OK to create the new LDAP synchronization rule.
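The warning above describes a real failure mode: a sync rule reconciles the local copy against whatever the directory returns, so an empty response caused by a typo, an outage or expired bind credentials looks identical to "every user left". The following is an added example, not FortiAuthenticator code, that models how the two mutually exclusive options (Do not delete synced users when they are no longer found on the remote server, and Proceed with rule even when response empty) change the reconciliation outcome on constructed data, plus a blast-radius check that is this example's own addition rather than a documented setting.

```python
"""Reconcile synced users against a remote directory response.

Added example, not FortiAuthenticator code. It models the interaction of the
two sync-rule options on this page so the failure mode the warning describes
can be seen on data rather than in production. The blast-radius guard is an
extra safety belt of this example, not a documented option. Names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    create: set = field(default_factory=set)
    keep: set = field(default_factory=set)
    delete: set = field(default_factory=set)
    skipped: bool = False   # rule did not run because the response was empty


def plan_sync(local_synced: set, remote: set, *, keep_missing: bool = False,
              proceed_when_empty: bool = False) -> SyncPlan:
    """Decide which synced accounts to create, keep and delete.

    keep_missing        = "Do not delete synced users when they are no longer found"
    proceed_when_empty  = "Proceed with rule even when response empty"
    The two are mutually exclusive, as in the UI."""
    if keep_missing and proceed_when_empty:
        raise ValueError("options are mutually exclusive")
    if not remote and not proceed_when_empty:
        # Safe default: an empty response (typo in the filter, outage, expired bind
        # credentials) is treated as "unknown", not as "everyone left".
        return SyncPlan(keep=set(local_synced), skipped=True)
    plan = SyncPlan(create=remote - local_synced, keep=remote & local_synced)
    missing = local_synced - remote
    if keep_missing:
        plan.keep |= missing
    else:
        plan.delete = missing   # with proceed_when_empty this can be every synced user
    return plan


def within_blast_radius(plan: SyncPlan, local_synced: set, max_fraction: float = 0.2) -> bool:
    """Refuse plans that would delete more than max_fraction of the synced
    population in one run. Deleting a synced user also unassigns their
    FortiToken, so a bad run is expensive to undo; a human should confirm it."""
    return len(plan.delete) <= max_fraction * len(local_synced)
```

Read the warning with this in mind: Proceed with rule even when response empty is the one setting that turns a transient directory problem into a mass deletion, and the page's own advice to use it with caution is well founded.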
To create a new remote SAML user synchronization rule:
  1. From the Remote User Sync Rules page, select SAML users, select Create New.
  2. Configure the following settings:
    Name Enter a name for the synchronization rule.
    Remote SAML server Select a remote SAML server from the dropdown menu. To configure a remote SAML server, see SAML.
    SAML group Select a group from the SAML server. SAML groups are retrieved dynamically from the server.
    Token-based authentication sync priorities Select the required authentication synchronization priorities. Drag the priorities up and down in the list to change the priority order.

    Sync every

    Select the amount of time between synchronizations.

    Group to associate users with Optionally, select a group from the dropdown menu to associate the users with. See User groups.
    Organization Optionally, select an organization from the dropdown menu to associate the users with, or select Create New to create a new organization. See Organizations.

    Do not delete synced users when they are no longer found on the remote server

    Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    SAML User Mapping Attributes Optionally, edit the remote SAML user mapping attributes.
  3. Select OK to create the new SAML synchronization rule.

Guest users

Guest user accounts can be created as needed. Guest users are similar to local users, only they are created with a restricted set of attributes.

To manage guest user accounts, go to Authentication > User Management > Guest Users.

Users can be authenticated against local or remote user databases with single sign-on using client certificates or SSO (Kerberos/SAML).

Common use cases might include:

  • Hotel receptionists creating room accounts
  • Office staff creating visitor accounts

Newly created account information can be sent to users via email, SMS, or printed out individually.

To create a new guest user/multiple guest users:
  1. Go to Authentication > User Management > Guest Users and select Create New.
  2. Enter the following information:
    Note: The "Sponsor" role for local and remote users is equivalent to an administrator with Read-Write permissions to the Guest Users sub-menu only.
    General
    Creation Mode

    There are three guest user creation methods:

    • Express: Quickly create guest user accounts without the need to enter any user information.
      Guest accounts generated this way have only four attributes: Sponsor, Username (eight random lowercase letters, unique among all existing user accounts), Password, and Expiry.
    • From CSV file: Create guest user accounts using information from a CSV file in the following format: <first name>, <last name>, <email>, <mobile>, <group>.
    • Manual Input: Create guest user accounts by manually entering the user attributes for each guest user.
    Expiry date Set the date that the guest user account(s) will expire.
    Expiry time Set the time that the guest user account(s) will expire. The time can either be manually entered, or defined from four options: Now, Midnight, 6 a.m., or Noon.
    Express The following is only available when Creation Mode is set to Express.
    Number of new guest users Number of new guest users to add, up to a maximum of 1000.
    Groups Choose user groups from the list available to assign the new guest users.
    CSV Import The following is only available when Creation Mode is set to From CSV file.
    CSV file Choose a CSV file to import the user attributes.
    Guest Basic Information The following is only available when Creation Mode is set to Manual Input.
    Add Guest User Manually enter guest user information, including their First name, Last name, Email address, Mobile number, Groups, and Actions. Choose user groups from the list available to assign the new guest users.

User groups

Users can be assigned to groups during user account configuration (see Editing a user), or by editing the groups to add users to it.

To view the user groups list, go to Authentication > User Management > User Groups.


Note that user groups can be created for MAC devices. However, MAC devices will only be available to add in a MAC user group after devices have been created or imported. See MAC devices for more information.

To create a new user group:
  1. Go to Authentication > User Management > User Groups and select Create New.
  2. Enter the following information:
    Name Enter a name for the group.
    Type Select the type of group: Local, Remote LDAP, Remote RADIUS, or MAC.
    Users

    Select from available users and move them to the Selected users box to add them to the group.

    This option is only available if Type is Local.

    User retrieval

    Determine group membership by selecting either Specify an LDAP filter or Set a list of imported remote LDAP users.

    This option is only available if Type is Remote LDAP.

    Remote LDAP

    Select a remote LDAP server from the dropdown menu. At least one remote LDAP server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote LDAP.

    Remote RADIUS

    Select a remote RADIUS server from the dropdown menu. At least one remote RADIUS server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote RADIUS.

    LDAP filter

    Enter an LDAP filter. Optionally, select Test filter to ensure that the filter works as expected.

    This option is only available if Type is Remote LDAP and User retrieval is set to Specify an LDAP filter.

    LDAP users

    Select remote LDAP users from the Available LDAP users box and move them to the Selected LDAP users box to add them to the remote group.

    This option is only available if Type is Remote LDAP and User retrieval is set to Set a list of imported remote users.

    RADIUS users

    Select remote RADIUS users from the Available RADIUS users box and move them to the Selected RADIUS users box to add them to the remote group.

    This option is only available if Type is Remote RADIUS.

    MAC devices

    Select from available MAC devices and move them to the Selected MAC devices box to add them to the group.

    This option is only available if Type is MAC.

  3. Select OK to create the new group.
To edit a user group:
  1. In the user group list, select the group that you need to edit.
  2. Edit the settings as required. The settings are the same as when creating a new group.
  3. Select OK to apply your changes.

User groups for MAC-based RADIUS authentication

Once created, MAC user groups can then be used under the MAC-based authentication section of RADIUS clients, under Authentication > RADIUS Service > Clients. See Clients for more information.

Usage profile

Usage profiles can be created to determine user time and data usage on a granular level.

To view the usage profile list, go to Authentication > User Management > Usage Profile.

To create a new usage profile:
  1. Go to Authentication > User Management > Usage Profile and select Create New.
  2. Enter the following information:
    Name Enter a name for the profile.
    Description Optionally, enter information about the usage profile.
    Time Usage Select how time usage is determined.
    Time limit

    For this profile, the user's time limit will be either unlimited or measured from the moment their account was created, from when they first logged on, or how much time they have used.

    When the method has been chosen, enter the time period, in either minutes, hours, days, weeks, or months. The default is set to seven days.

    Data Usage

    Select how data usage is determined.

    Data limit

    For this profile, the user's data limit will either be unlimited or restricted to the amount of data they have used.

    If you want to limit data usage, enter the data amount in either KB, MB, GB, or TB. The default is set to 1 GB.

    Time Schedule
    Timezone Select the timezone the usage profile should follow. The default is set to (GMT) UTC - No Daylight Savings.
  3. Select OK to add the new usage profile.

Organizations

Organizations include a name and logo. An organization can be associated with local and remote users.

When a user provisions FortiToken Mobile on their device, the organization name and logo are automatically pushed to the device, rebranding the user interface of the FortiToken Mobile application.

Organizations can be created, edited, and deleted as needed. Organizations are applied to users from the various user management pages. See Local users, Remote users, and Remote user sync rules for more information.

To manage organizations, go to Authentication > User Management > Organizations.

To create a new organization:
  1. From the organization list, select Create New.
  2. Enter a Name for the organization.
  3. Optionally, upload a logo file for the organization on your computer. The image can be a maximum of 320x320 pixels, and must be 24-bit PNG file.
  4. Select OK to create the new organization.

Realms

Realms allow multiple domains to authenticate to a single FortiAuthenticator unit. LDAP, RADIUS, and SAML remote servers are supported. Each RADIUS realm is associated with a name, such as a domain or company name, that is used during the login process to indicate the remote (or local) authentication server on which the user resides.

For example, the username of the user PJFry, belonging to the company P_Express, would become any of the following, depending on the selected format:

  • PJFry@P_Express
  • P_Express\PJFry
  • P_Express/PJFry

The FortiAuthenticator uses the specified realm to identify the back-end RADIUS, LDAP, or SAML authentication server(s) used to authenticate the user.

Acceptable realms can be configured on a per RADIUS server client basis. See User management.

To manage realms, go to Authentication > User Management > Realms. The following options are available:

Create New Select to create a new realm.
Delete Select to delete the selected realm or realms.
Edit Select to edit the selected realm.
Name The names of the realms.
User Source The source of the users in the realms.
Chained token authentication with remote RADIUS server

Available when User source is set to an LDAP server. Enable from the dropdown menu to chain token authentication with a RADIUS server.

To create a new realm:
  1. From the realms list, select Create New.
  2. Enter a Name for the realm.
    The realm name may only contain letters, numbers, periods, hyphens, and underscores. It cannot start or end with a special character.
  3. Select the User source for the realm from the dropdown menu. The options include Local users, or from specific RADIUS or LDAP servers.
  4. Enable Chained token authentication with remote RADIUS server. Note that this option is only available when selecting a remote LDAP server as the User source. Chained authentication provides the ability to chain two different authentication methods together so that, for example, a two-factor authentication RSA solution can validate passcodes via RADIUS.
  5. Select OK to create the new realm.
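The login formats listed above and the realm-name rule in step 2, as an added example (not Fortinet's code): it splits a login into its realm and username for all three formats and checks the realm name against the documented character rules. Which back-end server a realm maps to is FortiAuthenticator configuration and is not modelled here.

```python
import re
from typing import Optional, Tuple

# Realm names may contain only letters, numbers, periods, hyphens and underscores,
# and may not start or end with one of those special characters (rule from the page).
_REALM_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")


def is_valid_realm_name(name: str) -> bool:
    """True when the realm name satisfies the documented character rules."""
    return bool(_REALM_NAME_RE.match(name))


def split_realm(login: str) -> Tuple[Optional[str], str]:
    """Split a login into (realm, username).

    Handles the three formats the page lists: user@realm, realm\\user and
    realm/user. When no realm separator is present, or the realm part does
    not pass is_valid_realm_name, the whole string is returned as the
    username with realm None (treat as the local/default source).
    """
    if "@" in login:
        # Split on the last '@' so an email-style username keeps its local part intact.
        user, _, realm = login.rpartition("@")
    elif "\\" in login:
        realm, _, user = login.partition("\\")
    elif "/" in login:
        realm, _, user = login.partition("/")
    else:
        return None, login
    if not user or not is_valid_realm_name(realm):
        return None, login
    return realm, user


if __name__ == "__main__":
    # Constructed sample logins using the page's own example user and company.
    for sample in ("PJFry@P_Express", "P_Express\\PJFry", "P_Express/PJFry", "PJFry", "_bad\\PJFry"):
        print(f"{sample!r:22} -> {split_realm(sample)}")
```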

FortiTokens

Go to Authentication > User Management > FortiTokens to view a list of configured FortiTokens. From here, FortiTokens can be added, imported, exported, edited, deleted, and activated.

See FortiToken physical device and FortiToken Mobile for more detailed information.

The following information is shown:

Create New Create a new FortiToken.
Import Import a list of FortiTokens from a serial number CSV file, a seed CSV file, or from a FortiGate configuration.
Export FTK Hardware Export the FortiToken list.
Refresh FTM Refresh the Status of a FortiToken Mobile token.
Delete Delete the selected FortiToken(s).
Edit Edit the selected FortiToken.
Activate Activate the selected FortiToken(s).
Search Search the FortiToken list.
Serial number The FortiToken’s serial number.
Token type The FortiToken type, either FortiToken Hardware or FortiToken Mobile.
Status Whether or not the FortiToken is activated.
Comment Comments about the token.
User The user to whom the FortiToken applies.
Algorithm The FortiToken's encryption.
Size The size of the token.
Drift/Counter The time difference between the FortiAuthenticator and the FortiToken.
Timestep The FortiToken timestep.
FTM license The FortiToken Mobile license applied to the FortiToken.
Platform The FortiToken's platform.

MAC devices

Non-802.1X compliant devices can be identified and accepted onto the network using MAC address authentication. See Non-compliant devices for more information.

Go to Authentication > User Management > MAC Devices to view a list of configured MAC devices. From here, MAC devices can be created, imported, edited, and deleted.

The following information is shown:

Create New Create a new MAC-based authentication device.
Import Import a list of MAC devices from a CSV file.

Once created/imported, MAC devices can be added to MAC user groups. See User groups for more information.

Device tracking

When enabled, this feature allows end users to self-register their devices, and to have those devices tracked, based on the device MAC address.

An unregistered device is granted restricted network access, and is redirected to the FortiAuthenticator guest portal. The user enters valid credentials, then the FortiAuthenticator detects the unregistered device and offers the user an option to register it. If the user registers the device, it becomes part of their authorized device group and the user is granted network access on that device (if the user does not register the device, they are redirected to the guest portal login page).

To link a device to a user configuration, create a new MAC-based authentication device entry under Authentication > User Management > MAC Devices, and enable This device belongs to a user. Similarly, it is possible to link a device from a user configuration. In either case, names and MAC addresses must be unique.

To fully benefit from this feature, you must use a FortiAuthenticator in conjunction with a FortiGate running FortiOS 6.0+.

RADIUS attributes

Some services can receive information about an authenticated user through RADIUS vendor-specific attributes. FortiAuthenticator user groups and user accounts can include RADIUS attributes for Fortinet and other vendors.

Attributes in user accounts can specify user-related information. For example, the Default attribute Framed-IP-Address specifies the VPN tunnel IP address sent to the user by the Fortinet SSL VPN.

Attributes in user groups can specify more general information, applicable to the whole group. For example, specifying third-party vendor attributes to a switch could enable administrative level login to all members of the Network_Admins group, or authorize the user to the correct privilege level on the system.

To add RADIUS attributes to a user or group:
  1. Go to Authentication > User Management > Local Users and select a user account to edit, or go to Authentication > User Management > User Groups and select a group to edit.
  2. In the RADIUS Attributes section, select Add Attribute. The Create New User Group RADIUS Attribute or Create New User RADIUS Attribute window opens.
  3. Select the appropriate Vendor and Attribute ID, then enter the attribute’s value in the Value field.
  4. Select OK to add the new attribute to the user or group.
  5. Repeat the above steps to add additional attributes as needed.

Groups for administrators

Local and remote user accounts with administrator or sponsor roles can be entered into groups. This provides the following benefits:

  • Group filtering of administrators.
  • A single account for individuals needing both administrator and user roles.
  • Inclusion of RADIUS attributes from groups in RADIUS Access-Accept responses.

Local users

Local user accounts can be created, imported, exported, edited, and deleted as needed. Expired local user accounts can be purged manually or automatically (see General).

To manage local user accounts, go to Authentication > User Management > Local Users.

The local user account list shows the following information:

Create New Select to create a new user.
Import

Select to import local user accounts from a CSV file or FortiGate configuration file.

If using a CSV file, it must have one record per line, with the following format: user name (30 characters max), first name (30 characters max), last name (30 characters max), email address (75 characters max), mobile number (25 characters max), password (optional, 128 characters max).

If the optional password is left out of the import file, the user is emailed temporary login credentials and requested to configure a new password.

Note that, even if an optional field is empty, it still must be defined with a comma.

Export Users Select to export the user account list to a CSV file.
Edit Select to edit the selected user account.
Delete Select to delete the selected user account or accounts.
Disabled Users

Purge Disabled: This offers the option to choose which type of disabled users to purge. All users matching the type(s) selection are deleted.

Re-enable: This allows the administrator to re-enable disabled accounts. Expired user accounts can only be re-enabled individually.

Search Enter a search term in the search field, then select Search to search the user account list.
User The user accounts’ usernames.
First name The user accounts’ first names, if included.
Last name The user accounts’ last names, if included.
Email address The user accounts’ email addresses, if included.
Admin If the user account is set as an administrator, a green circle with a check mark is shown.
Status If the user account is enabled, a green circle with a check mark is shown.
Token The token that is assigned to that user account. Select the token name to edit the FortiToken, see FortiToken device maintenance.
Token requested The status of the user's token request.
Groups The group or groups to which the user account belongs.
Authentication Methods The authentication method used for the user account.
Expiration The date and time that the user account expires, if an expiration date and time have been set for the account.
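The CSV import format described under Import above, as an added example (not Fortinet's code): it checks a local-user import file against the documented field order and length limits, and flags records that would not import cleanly. The duplicate-username and "no password and no email" checks are my own assumptions about sensible pre-import hygiene, not rules stated on the page.

```python
import csv
import io
from typing import Dict, List, Tuple

# Field order and maximum lengths taken from the page's description of the import file.
# The password is optional; when it is blank, FortiAuthenticator emails temporary credentials.
FIELDS = [
    ("username", 30, True),
    ("first_name", 30, False),
    ("last_name", 30, False),
    ("email", 75, False),
    ("mobile", 25, False),
    ("password", 128, False),
]

# Constructed sample file: record 1 omits the password (temporary credentials by email),
# record 2 supplies one, record 3 drops the trailing fields instead of leaving them empty,
# record 4 has neither a password nor an email address to deliver temporary credentials to.
SAMPLE_CSV = """jdoe,Jane,Doe,jdoe@example.com,+15550100,
asmith,,Smith,asmith@example.com,,Str0ng-Passw0rd!
bjones,Bob,Jones,bjones@example.com
cdavis,Carol,Davis,,,
"""


def validate_local_user_csv(text: str) -> Dict[str, list]:
    """Parse an import file and return {"ok": [records], "errors": [(record_no, message)]}."""
    ok: List[Dict[str, object]] = []
    errors: List[Tuple[int, str]] = []
    seen_usernames = set()

    for record_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # ignore blank lines
        # Every field must be delimited even when empty, so the column count is fixed.
        if len(row) != len(FIELDS):
            errors.append((record_no, f"expected {len(FIELDS)} comma-separated fields, got {len(row)}"))
            continue

        record: Dict[str, object] = {}
        bad = False
        for (name, max_len, required), value in zip(FIELDS, row):
            value = value.strip()
            if required and not value:
                errors.append((record_no, f"{name} is required"))
                bad = True
            if len(value) > max_len:
                errors.append((record_no, f"{name} exceeds {max_len} characters"))
                bad = True
            record[name] = value

        # Assumption: usernames must be unique within the file (case-insensitive).
        key = str(record["username"]).lower()
        if key in seen_usernames:
            errors.append((record_no, f"duplicate username {record['username']}"))
            bad = True
        seen_usernames.add(key)

        # Assumption: a blank password only works if there is an address to email credentials to.
        emailed = record["password"] == ""
        if emailed and record["email"] == "":
            errors.append((record_no, "no password and no email address for temporary credentials"))
            bad = True

        if not bad:
            record["temporary_credentials_emailed"] = emailed
            ok.append(record)

    return {"ok": ok, "errors": errors}


if __name__ == "__main__":
    result = validate_local_user_csv(SAMPLE_CSV)
    for rec in result["ok"]:
        print("OK   ", rec["username"], "(emailed)" if rec["temporary_credentials_emailed"] else "")
    for record_no, msg in result["errors"]:
        print(f"ERROR record {record_no}: {msg}")
```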

Adding a user

When creating a user account, there are three ways to handle the password:

  1. The administrator assigns a password immediately and communicates it to the user.
  2. FortiAuthenticator creates a random password and automatically emails it to the new user.
  3. No password is assigned because only token-based authentication will be used.
To add a new user:
  1. In the local users list, select Create New. The Create New Local User window opens.
  2. Enter the following information:
    Username Enter a username for the user.
    Password creation

    Select one of the options from the dropdown menu:

    • Specify a password: Manually enter a password in the Password field, then reenter the password in the Password confirmation field.
    • Set and email a random password: Enter an email address to which to send the password in the Email address field, then reenter the email address in the Confirm email address field.
    • No password, FortiToken authentication only: After you select OK, you will need to associate a FortiToken device with this user. See FortiAuthenticator and FortiTokens.
    Allow RADIUS authentication For a user to authenticate using RADIUS, this must be enabled.
    Force password change on next logon Enable or disable the option for users to change their local password on FortiAuthenticator at first logon. This feature prevents administrators from having to call or email the franchisee to deliver user credentials, which is not a secure method of delivery and adds additional time to the onboarding process.
    Role Select whether the new account is for an Administrator, Sponsor, or regular User. Administrators can either have full permissions or have specific administrator profiles applied. Regular users can have their account expiration settings configured.
    Enable account expiration Select to enable user account expiration, either after a specific amount of time has elapsed, or on a specific date.
    Expire after

    Select when the account will expire:

    • Set length of time: Enter the number of hours, days, months, or years until the account expires.
    • Set an expire date: Enter the date on which the account will expire, either by manually typing it in, or by selecting the calendar icon and selecting a date.
  3. Select OK to create the new user. You are redirected to the Change local user window to continue the user configuration in greater detail.
  4. If the password creation method was set to No password, FortiToken authentication only, you are required to associate a FortiToken with the user before the user can be enabled.

Editing a user

User accounts can be edited at any time. To edit a user, go to the user account list, select a user to edit, and select Edit from the toolbar. Alternatively, select the username in the user list.

The following information can be viewed or configured:

Username The username cannot be changed.
Disabled Select to disable the user account.
Password-based authentication

Select to enable password-based authentication.

The user's password can be changed by selecting Change Password.

Token-based authentication Select to enable FortiToken-based authentication. See Configuring token-based authentication.
Allow RADIUS authentication Select to allow RADIUS authentication. This applies only to regular users.
Enable account expiration Select to enable account expiration and specify the account's expiration. See Enable account expiration.
User Role Configure the user’s role.
Role

Select Administrator, Sponsor, or User.

If setting a user as an administrator, see Configuring a user as an administrator.

Allow LDAP browsing Select to allow LDAP browsing. This applies only to regular users.
Full permission Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.
Web service access Enable to allow this administrator to access the web services either through a REST API or using a client application. This applies only to administrators.
Restrict admin login from trusted management subnets only Enable and enter trusted IP addresses and netmasks for restricted administrator login access. This applies only to administrators.
User Information Enter user information, such as their address and phone number. See Adding user information.
Alternative email addresses Add alternate email addresses for the user.
Password Recovery Options Configure password recovery options for the user. See Configuring password recovery options
Groups Assign the user to one or more groups. See User groups.
Usage Information View the user's usage information, including bytes in/out, time used, and the option to reset the usage statistics.
Email Routing Enter a mail host and routing address into their respective fields to configure email routing for the user.
RADIUS Attributes Add RADIUS attributes. See RADIUS attributes.
Certificate Bindings Add, edit, or remove certificate bindings for the user account. See Configuring certificate bindings.
Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.
Devices Add devices, based on MAC address, for the user account.

Select OK when you have finished editing the user’s information and settings.

Configuring token-based authentication

Token-based authentication requires either a FortiToken device or a mobile device with the FortiToken Mobile app installed, or a device with either email or SMS capability.

FortiToken and FortiToken Mobile tokens must first be registered under Authentication > User Management > FortiTokens. For more information, see FortiTokens.

To configure an account for token-based authentication:
  1. To view the token-based authentication options, edit a user and select Token-based authentication.
  2. Select one of the following token delivery methods:
    • FortiToken, then select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus, as appropriate.
    • The device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

      Optionally, select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    • Email, then enter the user’s email address in the User Information section.
    • SMS, then enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS), then enter the user's email address and mobile number in the User Information section.
  3. Select Test Token to validate the token passcode. The Test Email Token or Test SMS Token window opens (depending on your selection).
    • For email and SMS tokens, confirm that the contact information is correct, select Next, then enter the token code received via email or SMS.
    • Select Back to return to edit the contact information, select Verify to verify the token passcode, or select Resend Code if a new code is required.
    • For FortiToken, enter the token code in the Token code field, then select Verify to verify the token passcode.
  4. Select OK.
    By default, token code verification must be completed within 60 seconds after the token code is sent by email or SMS. To change this timeout, go to Authentication > User Account Policies > Tokens and modify the Email/SMS Token timeout field. For more information, see Lockouts.

Configuring a user as an administrator

For more information, see Administrators.

To set a user as an administrator:
  1. Edit a user and set Role to Administrator under the User Role section.
  2. Enable Full permission to give the administrator full administrative privileges, or enter Admin profiles to customize the administrator’s permissions.
  3. Optionally, enable Web service access to allow the administrator to access the web services via a REST API or FortiAuthenticator Agent for Microsoft Windows.
  4. Select Restrict admin login from trusted management subnets only, then enter the IP addresses and netmasks of trusted management subnets in the table, to restrict the subnets from which an administrator can log in.
  5. Select OK to apply the changes to the administrator account.

Adding user information

Some user information can be required depending on how the user is configured. For example, if the user is using token-based authentication by SMS, a mobile number and SMS gateway must be configured before the user can be enabled.

The following user information can be entered:

  • First name
  • Last name
  • Email address
  • Phone number
  • Mobile number
  • SMS gateway: Select from the dropdown menu. Select Test SMS to send a test message.
  • Street address
  • City
  • State/Province
  • Country: Select from the dropdown menu.
  • Language: Select a specific language from the dropdown menu, or use the default language.
  • Organization: Select an organization from the dropdown menu. See Organizations.

Configuring password recovery options

To replace a lost or forgotten password, FortiAuthenticator can send the user a password recovery link by email or in a browser in response to a pre-arranged security question. The user must then set a new password.

To configure password recovery by email:
  1. Edit a user and ensure that the user has an email address entered. See Adding user information.
  2. Under Password Recovery Options section, enable Email recovery.
    In the event that additional email addresses have been configured under Alternative Email Addresses, an email is sent to all configured email addresses.
  3. Select OK to apply the changes.
To configure password recovery by security question:
  1. Edit a user and, under Password Recovery Options, enable Security question, and select Edit.
  2. Choose one of the questions from the dropdown menu, or select Write my own question and enter a question in the Custom question field.
  3. Enter the answer for the question in the Answer field.
  4. Select OK to create the security question.
  5. Select OK again to apply the changes to the user account.
How the user can configure password recovery by security question:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Security Question, and select Edit.
  4. Choose one of the questions in the list, or select Write my own question and enter a question in the Custom question field.
  5. Enter the answer for your question.
  6. Select OK.
How the user can configure password recovery by email:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Email recovery.
  4. Optionally, select Alternative email addresses and enter additional email addresses for this user.
  5. Select OK.
How the user recovers from a lost password:
  1. Browse to the IP address of the FortiAuthenticator.
  2. Security policies must be in place on the FortiGate unit to establish these sessions.

  3. At the login screen, select Forgot my password.
  4. Select to recover your password either by Username or Email.
  5. Enter either your username or email address as selected in the previous step, and select Next.
  6. This information is used to select the user account. If your information does not match a user account, password recovery cannot be completed.

  7. Do one of the following:
    • If an email address was entered, check your email, open the email and select the password recovery link.
    • If a username was entered, answer the security question and select Next.
  8. On the Reset Password page, enter and confirm a new password and select Next.
  9. The user can now authenticate using the new password.

Active Directory users password reset

To allow Active Directory (AD) users to reset their password from the main login page, follow the same workflow for resetting a local user's password described above.

The Password Recovery Options setting is included in the remote LDAP users configuration page.

This feature is available for both self-service and guest portals.

Configuring certificate bindings

To use a local certificate as part of authenticating a user, you need to:

  • Create a user certificate for the user (see To create a new certificate for more information).
  • Create a binding to that certificate in the user’s account.
To create a binding to a certificate in a user’s account:
  1. Edit a user and expand the Certificate Bindings section.
  2. Select Add Binding.
  3. Select either Local CA or Trusted CA from the CA certificate dropdown menu, and select the applicable CA certificate.
  4. Enter the Common Name on the certificate. For example, if the certificate says CN=rgreen then enter rgreen.
  5. Select OK to add the new binding.

Remote users

Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers. For more information, see LDAP.

Note that you will only be able to import a maximum of five remote users if you have an unlicensed version of FortiAuthenticator-VM.

A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.

Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.

LDAP users

To import remote LDAP users:

  1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and select Import.
  2. Select a server from the Remote LDAP server dropdown menu, then select Import users or Import users by group membership, and select Go.
    An LDAP server must already be configured to select it in the dropdown menu. For information on adding a remote LDAP server, see Remote authentication servers.
  3. The Import Remote LDAP Users or Import Remote LDAP Users by Group Memberships window opens in a new browser window.

  4. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
    Please note that the Member attribute field is only available if you select to Import users by group membership. Use this field to specify the filter by which users will be shown. In the example, the default attribute (member) will only show users that are members of groups (users must be part of the member attribute of the groups).
  5. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes.
  6. Selecting the field FirstName, for example, presents a list of detected attributes that can be selected. This list is not exhaustive as additional, non-displayed attributes may be available for import. Consult your LDAP administrator for a full list of available attributes.

  7. Select the entries you want to import.
  8. Optionally, select an organization from the Organization dropdown menu to associate the imported users with a specific organization. See Organizations for more information.
  9. Select OK.
  10. The amount of time required to import the remote users will vary depending on the number of users to import.

To add two-factor authentication to a remote LDAP user:
  1. Edit the remote user, select Token-based authentication, and follow the same steps as when editing a local user (Editing a user).
  2. Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
  3. Select OK to apply the changes.

RADIUS users

To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS for more information about remote RADIUS servers.

The following options are available (when remote RADIUS users are available to edit):

Create New Select to create a new remote RADIUS user.
Delete Select to delete the selected user or users.
Edit Select to edit the selected user.
Re-enable Select to re-enable the status of a user that has been disabled.
Migrate Select to migrate the selected user or users. See To migrate RADIUS users to LDAP users.
Token Select to either Enforce or Bypass token-based authentication for the selected user(s).
Search Search the remote RADIUS user list.
Username The remote user’s name.
Remote RADIUS server The remote RADIUS server on which the user resides.
Admin Displays whether or not the user is configured as an administrator.
Status Displays whether or not the user is enabled or disabled.
Token The FortiToken used by the user, if applicable.
Token Requested Displays whether or not a FortiToken has been requested for the user.
Enforce token-based authentication Displays whether or not token-based authentication is enforced.
To create a new remote RADIUS user:
  1. From the remote user list, select RADIUS users and select Create New.
  2. Enter the following information:
    Remote RADIUS Select the remote RADIUS server on which the user will be created. For more information on remote RADIUS servers, see RADIUS.
    Username Enter a username.
    Enforce token-based authentication if configured below Select to enforce token-based authentication, if you are configuring token-based authentication.
    Token-based authentication Select to configure token-based authentication.
    Deliver token code by

    Select the method by which token codes are delivered:

    • FortiToken: Select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus.
    • Email: Enter the user’s email address in the User Information section.
    • SMS: Enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user’s email address and mobile number in the User Information section.

    For FortiToken, the device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    In addition, you can optionally select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    Allow RADIUS authentication Enable or disable RADIUS authentication.
    User Role Select whether the remote user is an Administrator (along with related permissions) or a regular User.
    User Information

    Enter user information as needed. The following options are available:

    • Email address
    • Mobile number and SMS gateway
    • Language
    • Organization - see Organizations.
  3. Select OK to create the new remote RADIUS user.
To migrate RADIUS users to LDAP users:
  1. From the remote RADIUS users list (see Learned RADIUS users), select the user or users you need to migrate, then select Migrate from the toolbar.
  2. Select an LDAP server from the dropdown menu and select Next.
  3. Enter the distinguished names for the users to migrate, or browse the LDAP tree (see Directory tree overview) to find the users.
  4. Select Migrate to migrate the user or users.

SAML users

To view remote SAML users, go to Authentication > User Management > Remote Users and select SAML users.

To create a new remote SAML user:
  1. From the remote user list, select SAML users and select Create New.
  2. The Create New Remote SAML User window appears.

  3. Enter the following information:
    Remote SAML Select the remote SAML server on which the user will be created. For more information on remote SAML servers, see SAML.
    Username Enter a username.
    Disabled Enable or disable the user account.
    Token-based authentication Select to configure token-based authentication.
    Deliver token code by

    Select the method by which token codes are delivered:

    • FortiToken: Select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus.
    • Email: Enter the user’s email address in the User Information section.
    • SMS: Enter the user’s mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user’s email address and mobile number in the User Information section.

    For FortiToken, the device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    In addition, you can optionally select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    User Information

    Enter user information as needed. The following options are available:

    • First name
    • Last name
    • Email address
    • Mobile number and SMS gateway
    • Language
    • Organization - see Organizations.
  4. Select OK to create the new remote SAML user.
To import remote SAML users:
  1. From the remote user list, select SAML users, and select Import.
  2. The Import remote SAML Users window opens.

  3. Select the following:
    Remote SAML server Select the remote SAML server from which the users will be imported. For more information on remote SAML servers, see SAML.
    Group Select the SAML server group to import users from.
  4. Select OK to import the remote SAML users.

Remote user sync rules

Synchronization rules can be created to control how and when remote LDAP and SAML users are synchronized. To view a list of the remote user synchronization rules, go to Authentication > User Management > Remote User Sync Rules.

To create a new remote LDAP user synchronization rule:
  1. From the Remote User Sync Rules page, select LDAP users, and select Create New.
  2. Configure the following settings:
    Name Enter a name for the synchronization rule.
    Remote LDAP Select a remote LDAP server from the dropdown menu. To configure a remote LDAP server, see LDAP.
    Base distinguished name Base DN of the remote LDAP server that automatically populates when a remote LDAP server is selected above.
    LDAP filter Optionally, enter an LDAP filter. Select Test Filter to test that the filter functions as expected.
    Token-based authentication sync priorities Select the required authentication synchronization priorities.
    Drag the priorities up and down in the list to change the priority order.

    Sync every

    Select the amount of time between synchronizations.

    Sync as Select to synchronize as a remote user or as a local user. Selecting either option opens a dialog box displaying the user fields that are synchronized for that selection.

    User Role

    Select the user role to assign to remote users. Users assigned the role of Administrator are granted full permissions.

    Group to associate users with Optionally, select a group from the dropdown menu with which to associate the users, or select Create New to create a new user group. See User groups.
    Organization Optionally, select an organization from the dropdown menu with which to associate the users, or select Create New to create a new organization. See Organizations.
    Certificate binding CA

    Certificate binding CA for users who use remote user sync rules.

    When the Certificate binding common name field is populated (under LDAP User Mapping Attributes) this field must also be specified.

    Do not delete synced users when they are no longer found on the remote server

    Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    Proceed with rule even when response empty

    Select to enforce the synchronization rule even when the LDAP response is empty. Use this option to delete all users from a FortiAuthenticator group when the synchronization rule returns an empty response. This option is only available when Do not delete synced users when they are no longer found on the remote server is disabled.

    Warning: This option should be used with caution. An error from the administrator (e.g. a typo when changing the LDAP query) could cause the deletion of all existing synchronized users, requiring the administrator to reprovision any assigned FortiTokens.

    LDAP User Mapping Attributes Optionally, edit the remote LDAP user mapping attributes.

    Debugging Settings

    Optionally, log synchronization details, including LDAP query results. These log files can be downloaded under Debug Report > LDAP Sync. In addition, select whether to delete synchronized users when they are no longer found on the remote server.

    Preview Mapping Select to preview the LDAP user sync mappings in a new window.
    Show Sync Fields Select to view the user fields that will be synchronized.
  3. Select OK to create the new LDAP synchronization rule.
To create a new remote SAML user synchronization rule:
  1. From the Remote User Sync Rules page, select SAML users, select Create New.
  2. Configure the following settings:
    Name Enter a name for the synchronization rule.
    Remote SAML server Select a remote SAML server from the dropdown menu. To configure a remote SAML server, see SAML.
    SAML group Select a group from the SAML server. SAML groups are retrieved dynamically from the server.
    Token-based authentication sync priorities Select the required authentication synchronization priorities.
    Drag the priorities up and down in the list to change the priority order.

    Sync every

    Select the amount of time between synchronizations.

    Group to associate users with Optionally, select a group from the dropdown menu with which to associate the users. See User groups.
    Organization Optionally, select an organization from the dropdown menu with which to associate the users, or select Create New to create a new organization. See Organizations.

    Do not delete synced users when they are no longer found on the remote server

    Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    SAML User Mapping Attributes Optionally, edit the remote SAML user mapping attributes.
  3. Select OK to create the new SAML synchronization rule.

Guest users

Guest user accounts can be created as needed. Guest users are similar to local users, except that they are created with a restricted set of attributes.

To manage guest user accounts, go to Authentication > User Management > Guest Users.

Users can be authenticated against local or remote user databases with single sign-on using client certificates or SSO (Kerberos/SAML).

Common use cases might include:

  • Hotel receptionists creating room accounts
  • Office staff creating visitor accounts

Newly created account information can be sent to users via email, SMS, or printed out individually.

To create a new guest user/multiple guest users:
  1. Go to Authentication > User Management > Guest Users and select Create New.
  2. Enter the following information:
    Note: The "Sponsor" role for local and remote users is equivalent to an administrator with Read-Write permissions to the Guest Users sub-menu only.
    General
    Creation Mode

    There are three guest user creation methods:

    • Express: Quickly create guest user accounts without the need to enter any user information.
      Guest accounts generated this way only have four attributes: Sponsor, Username (eight random lowercase letters, which must not match any existing user account), Password, and Expiry.
    • From CSV file: Create guest user accounts using information from a CSV file in the following format: <first name>, <last name>, <email>, <mobile>, <group>.
    • Manual Input: Create guest user accounts by manually entering the user attributes for each guest user.
    Expiry date Set the date that the guest user account(s) will expire.
    Expiry time Set the time that the guest user account(s) will expire. The time can either be manually entered, or defined from four options: Now, Midnight, 6 a.m., or Noon.
    Express The following is only available when Creation Mode is set to Express.
    Number of new guest users Number of new guest users to add, up to a maximum of 1000.
    Groups Choose user groups from the list available to assign the new guest users.
    CSV Import The following is only available when Creation Mode is set to From CSV file.
    CSV file Choose a CSV file to import the user attributes.
    Guest Basic Information The following is only available when Creation Mode is set to Manual Input.
    Add Guest User Manually enter guest user information, including their First name, Last name, Email address, Mobile number, Groups, and Actions. Choose user groups from the list available to assign the new guest users.

User groups

Users can be assigned to groups during user account configuration (see Editing a user), or by editing the groups to add users to it.

To view the user groups list, go to Authentication > User Management > User Groups.

Note: User groups can be created for MAC devices. However, MAC devices will only be available to add to a MAC user group after devices have been created or imported. See MAC devices for more information.

To create a new user group:
  1. Go to Authentication > User Management > User Groups and select Create New.
  2. Enter the following information:
    Name Enter a name for the group.
    Type Select the type of group: Local, Remote LDAP, Remote RADIUS, or MAC.
    Users

    Select from available users and move them to the Selected users box to add them to the group.

    This option is only available if Type is Local.

    User retrieval

    Determine group membership by selecting either Specify an LDAP filter or Set a list of imported remote LDAP users.

    This option is only available if Type is Remote LDAP.

    Remote LDAP

    Select a remote LDAP server from the dropdown menu. At least one remote LDAP server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote LDAP.

    Remote RADIUS

    Select a remote RADIUS server from the dropdown menu. At least one remote RADIUS server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote RADIUS.

    LDAP filter

    Enter an LDAP filter. Optionally, select Test filter to ensure that the filter works as expected.

    This option is only available if Type is Remote LDAP and User retrieval is set to Specify an LDAP filter.

    LDAP users

    Select remote LDAP users from the Available LDAP users box and move them to the Selected LDAP users box to add them to the remote group.

    This option is only available if Type is Remote LDAP and User retrieval is set to Set a list of imported remote users.

    RADIUS users

    Select remote RADIUS users from the Available RADIUS users box and move them to the Selected RADIUS users box to add them to the remote group.

    This option is only available if Type is Remote RADIUS.

    MAC devices

    Select from available MAC devices and move them to the Selected MAC devices box to add them to the group.

    This option is only available if Type is MAC.

  3. Select OK to create the new group.
To edit a user group:
  1. In the user group list, select the group that you need to edit.
  2. Edit the settings as required. The settings are the same as when creating a new group.
  3. Select OK to apply your changes.

User groups for MAC-based RADIUS authentication

Once created, MAC user groups can then be used under the MAC-based authentication section of RADIUS clients, under Authentication > RADIUS Service > Clients. See Clients for more information.

Usage profile

Usage profiles can be created to determine user time and data usage on a granular level.

To view the usage profile list, go to Authentication > User Management > Usage Profile.

To create a new usage profile:
  1. Go to Authentication > User Management > Usage Profile and select Create New.
  2. Enter the following information:
    Name Enter a name for the profile.
    Description Optionally, enter information about the usage profile.
    Time Usage Select how time usage is determined.
    Time limit

    For this profile, the user's time limit is either unlimited or measured from when the account was created, from when the user first logged on, or by the amount of time they have used.

    When the method has been chosen, enter the time period, in either minutes, hours, days, weeks, or months. The default is set to seven days.

    Data Usage

    Select how data usage is determined.

    Data limit

    For this profile, the user's data limit will either be unlimited or restricted to the amount of data they have used.

    If you want to limit data usage, enter the data amount in either KB, MB, GB, or TB. The default is set to 1 GB.

    Time Schedule Select the timezone the usage profile should follow.
    Timezone Timezone the usage profile should follow. The default is set to (GMT) UTC - No Daylight Savings.
  3. Select OK to add the new usage profile.

Organizations

Organizations include a name and logo. An organization can be associated with local and remote users.

When a user provisions FortiToken Mobile on their device, the organization name and logo are automatically pushed to the device, rebranding the user interface of the FortiToken Mobile application.

Organizations can be created, edited, and deleted as needed. Organizations are applied to users from the various user management pages. See Local users, Remote users, and Remote user sync rules for more information.

To manage organizations, go to Authentication > User Management > Organizations.

To create a new organization:
  1. From the organization list, select Create New.
  2. Enter a Name for the organization.
  3. Optionally, upload a logo file for the organization from your computer. The image can be a maximum of 320x320 pixels, and must be a 24-bit PNG file.
  4. Select OK to create the new organization.

Realms

Realms allow multiple domains to authenticate to a single FortiAuthenticator unit. LDAP, RADIUS, and SAML remote servers are supported. Each RADIUS realm is associated with a name, such as a domain or company name, that is used during the login process to indicate the remote (or local) authentication server on which the user resides.

For example, the username of the user PJFry, belonging to the company P_Express, would become any of the following, depending on the selected format:

  • PJFry@P_Express
  • P_Express\PJFry
  • P_Express/PJFry

The FortiAuthenticator uses the specified realm to identify the back-end RADIUS, LDAP, or SAML authentication server(s) used to authenticate the user.

Acceptable realms can be configured for each RADIUS client. See User management.

To manage realms, go to Authentication > User Management > Realms. The following options are available:

Create New Select to create a new realm.
Delete Select to delete the selected realm or realms.
Edit Select to edit the selected realm.
Name The names of the realms.
User Source The source of the users in the realms.
Chained token authentication with remote RADIUS server Available when User source is set to an LDAP server. Enable from the dropdown menu to chain token authentication with a RADIUS server.

To create a new realm:
  1. From the realms list, select Create New.
  2. Enter a Name for the realm.
    The realm name may only contain letters, numbers, periods, hyphens, and underscores. It cannot start or end with a special character.
  3. Select the User source for the realm from the dropdown menu. The options include Local users, or from specific RADIUS or LDAP servers.
  4. Enable Chained token authentication with remote RADIUS server. Note that this option is only available when selecting a remote LDAP server as the User source. Chained authentication provides the ability to chain two different authentication methods together so that, for example, a two-factor authentication RSA solution can validate passcodes via RADIUS.
  5. Select OK to create the new realm.
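The realm-qualified login formats shown above (PJFry@P_Express, P_Express\PJFry, P_Express/PJFry) and the realm-name rules from step 2, worked through as an added Python example; this is not FortiAuthenticator's code, and the parsing order, the handling of a bare username, and the realm table are this example's own assumptions.

```python
"""Split a realm-qualified login name and validate the realm name.

Added illustration, not FortiAuthenticator's implementation. The order in
which the three formats are tried and the treatment of an unqualified
username are assumptions made here.
"""
import re
from typing import Dict, Optional, Tuple

# Realm names: letters, digits, periods, hyphens and underscores, and they
# may not start or end with a period, hyphen or underscore.
REALM_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")


def is_valid_realm_name(realm: str) -> bool:
    return bool(REALM_RE.match(realm))


def split_realm(login: str) -> Tuple[Optional[str], str]:
    """Return (realm, username); realm is None for an unqualified login.

    Assumptions: the prefix forms (realm\\user, realm/user) are checked
    first, and for user@realm the *last* '@' is the separator so that an
    email-style username keeps its own '@'.
    """
    for sep in ("\\", "/"):
        if sep in login:
            realm, _, user = login.partition(sep)
            return realm, user
    if "@" in login:
        user, _, realm = login.rpartition("@")
        return realm, user
    return None, login


def resolve_realm(login: str, known_realms: Dict[str, str],
                  default: str = "local") -> Tuple[str, str]:
    """Map a login to (user_source, username) using a realm table.

    Unknown or malformed realms are rejected instead of falling back to
    the default source, so a typo in the realm cannot route the attempt
    to a different user database.
    """
    realm, user = split_realm(login)
    if realm is None:
        return known_realms[default], user
    if not is_valid_realm_name(realm):
        raise ValueError(f"malformed realm name: {realm!r}")
    if realm not in known_realms:
        raise ValueError(f"unknown realm: {realm!r}")
    return known_realms[realm], user


# Constructed realm table (names and server are made up for this example).
REALMS = {
    "local": "Local users",
    "P_Express": "LDAP server ldap.p-express.example",
}

if __name__ == "__main__":
    for login in ("PJFry@P_Express", "P_Express\\PJFry", "P_Express/PJFry", "PJFry"):
        print(login, "->", resolve_realm(login, REALMS))
```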

FortiTokens

Go to Authentication > User Management > FortiTokens to view a list of configured FortiTokens. From here, FortiTokens can be added, imported, exported, edited, deleted, and activated.

See FortiToken physical device and FortiToken Mobile for more detailed information.

The following information is shown:

Create New Create a new FortiToken.
Import Import a list of FortiTokens from a serial number CSV file, a seed CSV file, or from a FortiGate configuration.
Export FTK Hardware Export the FortiToken list.
Refresh FTM Refresh the Status of a FortiToken Mobile token.
Delete Delete the selected FortiToken(s).
Edit Edit the selected FortiToken.
Activate Activate the selected FortiToken(s).
Search Search the FortiToken list.
Serial number The FortiToken’s serial number.
Token type The FortiToken type, either FortiToken Hardware or FortiToken Mobile.
Status Whether or not the FortiToken is activated.
Comment Comments about the token.
User The user to whom the FortiToken applies.
Algorithm The algorithm the FortiToken uses to generate codes.
Size The size of the token.
Drift/Counter The time difference between the FortiAuthenticator and the FortiToken.
Timestep The FortiToken timestep.
FTM license The FortiToken Mobile license applied to the FortiToken.
Platform The FortiToken's platform.

MAC devices

Non-802.1X compliant devices can be identified and accepted onto the network using MAC address authentication. See Non-compliant devices for more information.

Go to Authentication > User Management > MAC Devices to view a list of configured MAC devices. From here, MAC devices can be created, imported, edited, and deleted.

The following information is shown:

Create New Create a new MAC-based authentication device.
Import Import a list of MAC devices from a CSV file.

Once created/imported, MAC devices can be added to MAC user groups. See User groups for more information.

Device tracking

When enabled, this feature allows end users to self-register their devices, and to have those devices tracked, based on the device MAC address.

An unregistered device is granted restricted network access, and is redirected to the FortiAuthenticator guest portal. The user enters valid credentials, then the FortiAuthenticator detects the unregistered device and offers the user an option to register it. If the user registers the device, it becomes part of their authorized device group and the user is granted network access on that device (if the user does not register the device, they are redirected to the guest portal login page).

To link a device to a user configuration, create a new MAC-based authentication device entry under Authentication > User Management > MAC Devices, and enable This device belongs to a user. Similarly, it is possible to link a device from a user configuration. In either case, names and MAC addresses must be unique.

To fully benefit from this feature, you must use a FortiAuthenticator in conjunction with a FortiGate running FortiOS 6.0+.

RADIUS attributes

Some services can receive information about an authenticated user through RADIUS vendor-specific attributes. FortiAuthenticator user groups and user accounts can include RADIUS attributes for Fortinet and other vendors.

Attributes in user accounts can specify user-related information. For example, the Default attribute Framed-IP-Address specifies the VPN tunnel IP address sent to the user by the Fortinet SSL VPN.

Attributes in user groups can specify more general information, applicable to the whole group. For example, specifying third-party vendor attributes to a switch could enable administrative level login to all members of the Network_Admins group, or authorize the user to the correct privilege level on the system.

To add RADIUS attributes to a user or group:
  1. Go to Authentication > User Management > Local Users and select a user account to edit, or go to Authentication > User Management > User Groups and select a group to edit.
  2. In the RADIUS Attributes section, select Add Attribute. The Create New User Group RADIUS Attribute or Create New User RADIUS Attribute window opens.
  3. Select the appropriate Vendor and Attribute ID, then enter the attribute’s value in the Value field.
  4. Select OK to add the new attribute to the user or group.
  5. Repeat the above steps to add additional attributes as needed.
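Encoding and decoding the attribute/value pairs described in this section, as an added Python example following the RFC 2865 wire format (Framed-IP-Address is attribute type 8, Vendor-Specific is type 26); this is not FortiAuthenticator's code. The Fortinet vendor ID 12356 and Fortinet-Group-Name (vendor type 1) are taken from the Fortinet RADIUS dictionary and should be checked against your own dictionary; the group name and IP address are constructed sample values.

```python
"""Encode and decode RADIUS attributes, including vendor-specific ones.

Added illustration following RFC 2865; not FortiAuthenticator's code.
Vendor ID and vendor type below come from the Fortinet RADIUS dictionary
and should be confirmed against the dictionary you deploy.
"""
import ipaddress
import struct
from typing import List, Tuple, Union

FRAMED_IP_ADDRESS = 8        # RFC 2865 standard attribute
VENDOR_SPECIFIC = 26         # RFC 2865 container for vendor attributes
FORTINET_VENDOR_ID = 12356   # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name in the Fortinet dictionary

Attr = Tuple[Union[int, Tuple[int, int]], bytes]


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value(0..253); Length includes the 2-byte header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0..253 bytes")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encode_framed_ip(address: str) -> bytes:
    return encode_attribute(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(address).packed)


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: Vendor-Id(4) followed by Vendor-Type(1) Vendor-Length(1) value."""
    if len(value) > 247:  # 253 minus 4 (vendor id) minus 2 (sub-attribute header)
        raise ValueError("VSA value too long")
    inner = struct.pack("BB", vendor_type, len(value) + 2) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)


def decode_attributes(payload: bytes) -> List[Attr]:
    """Walk the TLV list; a VSA is reported as ((vendor_id, vendor_type), value).

    Malformed lengths raise instead of being skipped, so a truncated or
    overlapping attribute cannot be silently misread."""
    out: List[Attr] = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        value = payload[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack(">I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:  # assumes one sub-attribute per VSA
                raise ValueError("VSA sub-attribute length mismatch")
            out.append(((vendor_id, vtype), value[6:6 + vlen - 2]))
        else:
            out.append((attr_type, value))
        i += length
    return out


def framed_ip_from(attrs: List[Attr]) -> str:
    """Return the Framed-IP-Address from a decoded attribute list."""
    for attr_type, value in attrs:
        if attr_type == FRAMED_IP_ADDRESS:
            return str(ipaddress.IPv4Address(value))
    raise LookupError("no Framed-IP-Address present")


if __name__ == "__main__":
    # Constructed sample: a tunnel address plus a Fortinet group-name VSA.
    payload = encode_framed_ip("10.0.0.5") + encode_vsa(
        FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"Network_Admins")
    print(payload.hex())
    print(decode_attributes(payload))
```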