Fortinet white logo
Fortinet white logo

Administration Guide

General

General

To configure general account policy settings, go to Authentication > User Account Policies > General.

Configure the following settings:

PCI DSS 3.2 two-factor authentication Enable to always collect all authentication factors before indicating a success or failure.

Request password reset after token verification

Enable if password reset is required, a change password request is sent once the token is verified.

Enhanced cryptography for storage of local user passwords

When disabled, FortiAuthenticator uses AES256 encryption for local user passwords.

When enabled, local user passwords are hashed using bcrypt.

With enhanced cryptography, cleartext passwords can no longer be recovered, and authentication requests requiring cleartext passwords for validation will fail. Enhanced cryptography can be disabled within 30 days of being enabled. After 30 days it cannot be disabled. FortiAuthenticator sends an email reminder to the administrator before the end of the 30-day period.

Local admin passwords are always hashed using bcrypt.

Expire device login after Login session timeout for Windows machine authentication via 802.1X.
Automatically purge disabled user accounts

Enable to automatically purge disabled user accounts. Select the frequency of the purge in the Frequency field: Hourly, Daily, Weekly, or Monthly. Enter the time of the purge in the Time field: Now to set the time to the current time, or select the clock icon to choose a time: Now, Midnight, 6 a.m., Noon, or 6 p.m.

Purge users that are disabled due to the following reasons Set the reason for purging disabled users: Manually disabled, Login inactivity, Account expired, or Usage limit exceeded.
Discard stale RADIUS authentication requests Enable to select a time after which RADIUS authentication requests are considered stale and are discarded, from 3 - 360 seconds (or six minutes). The default is set to 8 seconds.
Expire inactive RADIUS accounting session after Enter a time after which RADIUS accounting sessions timeout, from 5 to 1440 minutes (or five minutes to one day). The default is set to 60 minutes.

Session duration of authenticated TACACS+ user

The maximum time duration (in seconds) for which an authenticated TACACS+ user is authorized to issue commands.

Look up geo-location of user IP for Web Service

Enable or disable geolocation lookup for the user IP address (if possible).

General

General

To configure general account policy settings, go to Authentication > User Account Policies > General.

Configure the following settings:

PCI DSS 3.2 two-factor authentication Enable to always collect all authentication factors before indicating a success or failure.

Request password reset after token verification

Enable if password reset is required, a change password request is sent once the token is verified.

Enhanced cryptography for storage of local user passwords

When disabled, FortiAuthenticator uses AES256 encryption for local user passwords.

When enabled, local user passwords are hashed using bcrypt.

With enhanced cryptography, cleartext passwords can no longer be recovered, and authentication requests requiring cleartext passwords for validation will fail. Enhanced cryptography can be disabled within 30 days of being enabled. After 30 days it cannot be disabled. FortiAuthenticator sends an email reminder to the administrator before the end of the 30-day period.

Local admin passwords are always hashed using bcrypt.

Expire device login after Login session timeout for Windows machine authentication via 802.1X.
Automatically purge disabled user accounts

Enable to automatically purge disabled user accounts. Select the frequency of the purge in the Frequency field: Hourly, Daily, Weekly, or Monthly. Enter the time of the purge in the Time field: Now to set the time to the current time, or select the clock icon to choose a time: Now, Midnight, 6 a.m., Noon, or 6 p.m.

Purge users that are disabled due to the following reasons Set the reason for purging disabled users: Manually disabled, Login inactivity, Account expired, or Usage limit exceeded.
Discard stale RADIUS authentication requests Enable to select a time after which RADIUS authentication requests are considered stale and are discarded, from 3 - 360 seconds (or six minutes). The default is set to 8 seconds.
Expire inactive RADIUS accounting session after Enter a time after which RADIUS accounting sessions timeout, from 5 to 1440 minutes (or five minutes to one day). The default is set to 60 minutes.

Session duration of authenticated TACACS+ user

The maximum time duration (in seconds) for which an authenticated TACACS+ user is authorized to issue commands.

Look up geo-location of user IP for Web Service

Enable or disable geolocation lookup for the user IP address (if possible).