Fortinet Document Library


Administration Guide

Self-service portal policies

Self-service portals are accessed directly and allow local and remote users to self-manage their account.

To configure a self-service portal policy:
  1. Go to Authentication > Portals > Policies, click Self-service portals and Create New.
    The Self-Service Portal Policy Creation Wizard is launched.
  2. Enter the following information:
    Policy type: Specify the name and type of the portal policy.

      Name: Enter a name for the policy.

      Description: Optionally, enter a description of the policy.

      Portal: Allow self-service portal access is enabled by default. Select a portal.

    Identity sources: Specify the identity sources against which to authenticate the end-users.

      Username format: Select one of the following three username input formats:
        • username@realm
        • realm\username
        • realm/username

      Use default realm when user-provided realm is different from all configured realms: When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

      Realms: Add realms to which the client will be associated.
        • Select a realm from the dropdown menu in the Realm column.
        • Select whether or not to allow local users to override remote users for the selected realm.
        • Select whether or not to use Windows AD domain authentication.
        • Edit the group filter as needed to filter users based on the groups they are in.
        • If necessary, add more realms to the list.
        • Select the realm that will be the default realm for this client.

    Authentication factors: Specify which authentication factors to verify.

      Authentication type: Select one of the following:
        • Mandatory password and OTP: Two-factor authentication is required for every user.
        • Every configured password and OTP factors: Two-factor authentication is required if it is enabled on the user's account; otherwise, one-factor authentication is allowed.
        • Password-only: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
        • OTP-only: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.

      Adaptive Authentication: Enable this option if you would like to have certain users bypass OTP validation, so long as they belong to a trusted subnet.
        Select All trusted subnets to add all the available trusted subnets.
        You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.
        Adaptive Authentication is available only for the following authentication types:
        • Mandatory password and OTP
        • Every configured password and OTP factors

      FIDO authentication (effective once a token has been registered): Enable or disable FIDO authentication.

      Fido auth opt: Select from the following two options:
        • FIDO token only: Log in with FIDO token only (without password).
        • Password and FIDO token: Log in with the password and the FIDO token.

    Advanced Options

      Allow FortiToken Mobile push notifications: Toggle to enable or disable FortiToken Mobile push notifications for RADIUS users.

      Application name for FTM push notification: Enter the client application name. This field is displayed on the FortiToken app. When creating a new policy or upgrading to FortiAuthenticator 6.4, the policy name is the default client application name.

      Resolve user geolocation from their IP address: Enable to resolve the user geolocation from their IP address (if possible).

      Reject usernames containing uppercase letters: Enable this setting to reject usernames that contain uppercase letters.

  3. Click Save and exit.
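The following is an added illustration of how the identity-source and authentication-factor settings above combine for a single login attempt; it is a constructed model, not FortiAuthenticator's own code. It assumes simplified names for the wizard options (PortalPolicy fields, the auth_type strings) and that a login string without a realm separator falls into the default realm.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the wizard's fields (assumed names, not product API).
@dataclass
class PortalPolicy:
    username_format: str                 # "username@realm", "realm\\username" or "realm/username"
    realms: set                          # configured realm names
    default_realm: str
    use_default_realm_on_mismatch: bool  # "Use default realm when user-provided realm is different..."
    auth_type: str                       # "mandatory", "every_configured", "password_only", "otp_only"
    adaptive_auth: bool = False
    trusted_subnets: list = field(default_factory=list)   # CIDR strings
    reject_uppercase: bool = False

SEPARATORS = {"username@realm": "@", "realm\\username": "\\", "realm/username": "/"}

def split_login(policy, raw):
    """Return (realm, username) per the selected username format.
    A login with no separator is placed in the default realm (assumption)."""
    sep = SEPARATORS[policy.username_format]
    if sep not in raw:
        return policy.default_realm, raw
    if sep == "@":
        user, realm = raw.rsplit("@", 1)   # realm is whatever follows the last '@'
        return realm, user
    realm, user = raw.split(sep, 1)
    return realm, user

def in_trusted_subnet(policy, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in policy.trusted_subnets)

def required_factors(policy, raw_login, password_enabled, otp_enabled, client_ip):
    """Factors the portal must verify for this login, or None if the policy rejects it."""
    realm, user = split_login(policy, raw_login)
    if policy.reject_uppercase and user != user.lower():
        return None
    if realm not in policy.realms:
        if not policy.use_default_realm_on_mismatch:
            return None                   # unknown realm and no fallback configured
        realm = policy.default_realm
    if policy.auth_type == "password_only":
        return {"password"} if password_enabled else None
    if policy.auth_type == "otp_only":
        return {"otp"} if otp_enabled else None
    need_otp = policy.auth_type == "mandatory" or otp_enabled
    factors = {"password", "otp"} if need_otp else {"password"}
    # Adaptive Authentication: clients inside a trusted subnet skip OTP validation
    if policy.adaptive_auth and need_otp and in_trusted_subnet(policy, client_ip):
        factors.discard("otp")
    return factors
```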
