Fortinet Document Library

Administration Guide

Remote users

Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers. For more information, see LDAP.

Note that you will only be able to import a maximum of five remote users if you have an unlicensed version of FortiAuthenticator-VM.

A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.

Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.

LDAP users

To import remote LDAP users:
  1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and select Import.
  2. Select a server from the Remote LDAP server dropdown menu, then select Import users or Import users by group membership, and select Go.
    An LDAP server must already be configured to select it in the dropdown menu. For information on adding a remote LDAP server, see Remote authentication servers.
  3. The Import Remote LDAP Users or Import Remote LDAP Users by Group Memberships window opens in a new browser window.

  4. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
    Note: The Member attribute field is only available if you select Import users by group membership. Use it to specify the group attribute by which users are found. With the default attribute (member), only users listed in a group's member attribute are shown.
  5. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes.
  6. Selecting the field FirstName, for example, presents a list of detected attributes that can be selected. This list is not exhaustive as additional, non-displayed attributes may be available for import. Consult your LDAP administrator for a full list of available attributes.

  7. Select the entries you want to import.
  8. Optionally, select an organization from the Organization dropdown menu to associate the imported users with a specific organization. See Organizations for more information.
  9. Select OK.
  10. The amount of time required to import the remote users will vary depending on the number of users to import.
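As an added example (not FortiAuthenticator's own code), the following Python models the group-membership import described above, including a stale member DN and an entry lacking the username attribute, together with the unlicensed-VM limit and the one-account-per-FortiToken rule stated at the top of this page; the Active Directory attribute names and the field mapping are assumptions.

```python
# Added example, not FortiAuthenticator code: models "Import users by group
# membership" over a constructed directory, plus the page's five-user cap on an
# unlicensed VM and one-account-per-FortiToken rule. AD attribute names assumed.

UNLICENSED_VM_USER_LIMIT = 5  # stated limit for unlicensed FortiAuthenticator-VM
DIRECTORY = {  # constructed sample directory: DN -> {attribute: [values]}
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "member": ["cn=alice,ou=people,dc=example,dc=com",
                   "cn=bob,ou=people,dc=example,dc=com",
                   "cn=ghost,ou=people,dc=example,dc=com"],  # stale member DN
    },
    "cn=alice,ou=people,dc=example,dc=com": {
        "sAMAccountName": ["alice"], "givenName": ["Alice"],
        "sn": ["Liddell"], "mail": ["alice@example.com"]},
    "cn=bob,ou=people,dc=example,dc=com": {
        "sAMAccountName": ["bob"], "givenName": ["Bob"], "sn": ["Builder"]},
    "cn=carol,ou=people,dc=example,dc=com": {  # in the tree but in no group
        "sAMAccountName": ["carol"], "givenName": ["Carol"], "sn": ["Danvers"]},
}

# Assumed default mapping of FortiAuthenticator user fields to AD attributes.
DEFAULT_MAPPING = {"Username": "sAMAccountName", "FirstName": "givenName",
                   "LastName": "sn", "Email": "mail"}

def members_of(directory, group_dn, member_attr="member"):
    """DNs in the group's member attribute that resolve to an existing entry."""
    group = directory.get(group_dn)
    if group is None:
        raise KeyError(f"group not found: {group_dn}")
    return [dn for dn in group.get(member_attr, []) if dn in directory]

def import_users(directory, user_dns, mapping=DEFAULT_MAPPING, licensed=True):
    """Map each selected entry to a local user record, enforcing the VM cap."""
    if not licensed and len(user_dns) > UNLICENSED_VM_USER_LIMIT:
        raise ValueError(f"unlicensed VM: at most {UNLICENSED_VM_USER_LIMIT} users")
    records = []
    for dn in user_dns:
        entry = directory[dn]
        rec = {field: entry.get(attr, [""])[0] for field, attr in mapping.items()}
        if not rec["Username"]:
            raise ValueError(f"{dn} lacks {mapping['Username']}; cannot import")
        records.append({"dn": dn, **rec})
    return records

def allocate_token(serial, allocated):
    """A FortiToken already bound to any account (local or LDAP) stays bound."""
    if serial in allocated:
        raise ValueError(f"FortiToken {serial} is already allocated")
    return allocated | {serial}
```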

To add two-factor authentication to a remote LDAP user:
  1. Edit the remote user, select Token-based authentication, and follow the same steps as when editing a local user (Editing a user).
  2. Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
  3. Select OK to apply the changes.

RADIUS users

To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS for more information about remote RADIUS servers.

The following options are available (when remote RADIUS users are available to edit):

Create New: Select to create a new remote RADIUS user.
Delete: Select to delete the selected user or users.
Edit: Select to edit the selected user.
Re-enable: Select to re-enable a user that has been disabled.
Migrate: Select to migrate the selected user or users to LDAP users. See To migrate RADIUS users to LDAP users below.
Token: Select to either Enforce or Bypass token-based authentication for the selected user(s).
Search: Search the remote RADIUS user list.
Username: The remote user's name.
Remote RADIUS server: The remote RADIUS server on which the user resides.
Admin: Displays whether or not the user is configured as an administrator.
Status: Displays whether the user is enabled or disabled.
Token: The FortiToken used by the user, if applicable.
Token Requested: Displays whether or not a FortiToken has been requested for the user.
Enforce token-based authentication: Displays whether or not token-based authentication is enforced.

To create a new remote RADIUS user:
  1. From the remote user list, select RADIUS users and select Create New.
  2. Enter the following information:
    Remote RADIUS: Select the remote RADIUS server on which the user will be created. For more information on remote RADIUS servers, see RADIUS.
    Username: Enter a username.
    Enforce token-based authentication if configured below: Select to enforce token-based authentication when you configure it in the next field.
    Token-based authentication: Select to configure token-based authentication.
    Deliver token code by: Select the method by which token codes are delivered:

    • FortiToken: Select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus.
    • Email: Enter the user's email address in the User Information section.
    • SMS: Enter the user's mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user's email address and mobile number in the User Information section.

    For FortiToken, the device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    In addition, you can optionally select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    Allow RADIUS authentication: Enable or disable RADIUS authentication.
    User Role: Select whether the remote user is an Administrator (with the related permissions) or a regular User.
    User Information: Enter user information as needed. The following options are available:

    • Email address
    • Mobile number and SMS gateway
    • Language
    • Organization (see Organizations).
  3. Select OK to create the new remote RADIUS user.

To migrate RADIUS users to LDAP users:
  1. From the remote RADIUS users list (see Learned RADIUS users), select the user or users you need to migrate, then select Migrate from the toolbar.
  2. Select an LDAP server from the dropdown menu and select Next.
  3. Enter the distinguished names for the users to migrate, or browse the LDAP tree (see Directory tree overview) to find the users.
  4. Select Migrate to migrate the user or users.

SAML users

To view remote SAML users, go to Authentication > User Management > Remote Users and select SAML users.

To create a new remote SAML user:
  1. From the remote user list, select SAML users and select Create New.
  2. The Create New Remote SAML User window appears.

  3. Enter the following information:
    Remote SAML: Select the remote SAML server on which the user will be created. For more information on remote SAML servers, see SAML.
    Username: Enter a username.
    Disabled: Enable or disable the user account.
    Token-based authentication: Select to configure token-based authentication.
    Deliver token code by: Select the method by which token codes are delivered:

    • FortiToken: Select the FortiToken device serial number from the FortiToken Hardware or FortiToken Mobile dropdown menus.
    • Email: Enter the user's email address in the User Information section.
    • SMS: Enter the user's mobile number in the User Information section.
    • Dual (Email & SMS): Enter the user's email address and mobile number in the User Information section.

    For FortiToken, the device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

    In addition, you can optionally select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

    User Information: Enter user information as needed. The following options are available:

    • First name
    • Last name
    • Email address
    • Mobile number and SMS gateway
    • Language
    • Organization (see Organizations).
  4. Select OK to create the new remote SAML user.

To import remote SAML users:
  1. From the remote user list, select SAML users, and select Import.
  2. The Import remote SAML Users window opens.

  3. Select the following:
    Remote SAML server: Select the remote SAML server from which the users will be imported. For more information on remote SAML servers, see SAML.
    Group: Select the SAML server group from which to import users.
  4. Select OK to import the remote SAML users.
