Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

Two-factor authentication settings

/FACHOST=host name

Set the value of the FortiAuthenticator host name/IP address.

 

/FACRESTADMIN=admin name

Set the value of the FortiAuthenticator administrator for which Web Services have been enabled.

 

/FACRESTKEY=api key

Set the value of the key to be used for Web Services access.

 

/FACVERIFYSERVERCERT

Enable verification of the FortiAuthenticator web server certificate.

 

/FACSERVERSUBJNAME=subject name

The web server certificate subject name (e.g. CN=<server subject name>). The default firmware server certificate uses the FortiAuthenticator serial number (e.g. FAC-VM0A12001111).

 

/FACCACERTFILE="ca certificate file path"

The CA certificate which issued the web server certificate. By default this is the Fortinet CA which comes pre-installed in the FortiAuthenticator Agent installation directory.

 

/AUTHNUMRETRIES=number of retries

The number of two factor authentication retries that are made when a timeout occurs/the FortiAuthenticator is unavailable/etc.

 

/AUTHTIMEOUT=timeout

The timeout value for each two-factor authentication attempt in seconds. Upon timeout the next retry is attempted if configured to do so.

 

/AUTHFAILACTION=fail action

The action to take on authentication failure due to timeout/unavailability of the FortiAuthenticator. Allowed integer values are 0 (Block) and 1 (Allow).

 

/AUTHCACHECREDPERIOD=validity period

If the authentication fail action is set to 1 (Allow), users will be allowed to log on without two-factor authentication using cached credentials. This sets the number of days the user is allowed to log on offline without two-factor authentication before being locked out. Once locked out the user must reconnect to the domain and successfully authenticate with two-factor authentication with the FortiAuthenticator before their validity period is reset. Note that if this feature is enabled, the user must perform an initial successful two-factor authentication logon against the FortiAuthenticator for the validity period to take effect offline. If not, they will be locked out immediately when offline.

 

/AUTHALLOWADMINOTP

If enabled this allows the configured administrators to use their FortiToken to override the logon for a user. The user will still be required to enter their domain credentials, but instead of their OTP being provided the administrator provides their name along with their OTP (as configured on the FortiAuthenticator and in the administrator override names configuration field in FortiAuthenticator Agent). The administrator name and OTP are authenticated against the FortiAuthenticator, and the users credentials are used to continue the logon process (this also counts as a successful logon for cached credential validity period reset).

 

/AUTHADMINOVERRIDENAMES="comma separated list of administrators"

A list of administrators that will be allowed to perform administrator overrides, if overrides are enabled. These names must correspond directly with users defined on the FortiAuthenticator which are configured with FortiTokens. These can be either local users or imported remote users on the FortiAuthenticator, as long as the proper username is used.

 

/AUTHREALMBASED

Enable Realm-based authentication. This is disabled by default to retain legacy behavior.

 

/INCLUDEDDOMAINS="comma separated list domains"

This can be either a list of DNS domain names (e.g. domain.corp.com) or NetBIOS names (e.g. domain). Note that these will be validated during installation and need to match up with what the installation program detects directly through AD. If a specified domain is not found it will be ignored. These domains will force users to use two-factor authentication (as configured above, cached credentials when offline do not require a OTP if configured) if they belong to these domains. For all other domains no OTP is required and normal authentication operation takes place.

FortiAuthenticator Agent for Microsoft Windows includes the "." domain which represents the local machine. When listed as an included domain for two factor authentication, local user login is disabled.

 

/EXCLUDEDUSERS="comma separated list of exempt users"

This is a list of users in the format "NetBIOS domain name\Username" separated by commas. These users are excluded from two-factor authentication regardless of whether the domain is configured for two-factor authentication. This bypass will occur even if the FortiAuthenticator service is not running.

e.g.

FAC_Agent_Setup_v1.0.exe /VERYSILENT /DISABLEMSPROVIDER
/FACHOST=192.168.0.123 /FACRESTADMIN=admin /FACRESTKEY=X2=ByrYt1CgGyxLixYcZj7IFPT#7X5GSHieTlnwi

/FACVERIFYSERVERCERT /FACSERVERSUBJNAME=FAC-VM0A12000040 /FACCACERTFILE="C:\Program Files\Fortinet\FortiAuthenticator
Agent\fortinet_ca.crt"

/AUTHNUMRETRIES=2 /AUTHTIMEOUT=3 /AUTHFAILACTION=1
/AUTHCACHECREDPERIOD=23 /AUTHALLOWADMINOTP

/AUTHADMINOVERRIDENAMES="Administrator,Admin2,admin" /INCLUDEDDOMAINS="de.test.com,BE,TEST,corp.com" /EXCLUDEDUSERS="TEST\Administrator,TEST\manager3"

 

/EXCLUDEDGROUPS="OU=special,DC=domain,DC=com;OU=somethingelse,DC=domain,DC=com"

This is a list of groups indicated by their domain, separated by semicolon. These groups are excluded from two-factor authentication regardless of whether the domain is configured for two-factor authentication. This bypass will occur even if the FortiAuthenticator service is not running.

Two-factor authentication settings

/FACHOST=host name

Set the value of the FortiAuthenticator host name/IP address.

 

/FACRESTADMIN=admin name

Set the value of the FortiAuthenticator administrator for which Web Services have been enabled.

 

/FACRESTKEY=api key

Set the value of the key to be used for Web Services access.

 

/FACVERIFYSERVERCERT

Enable verification of the FortiAuthenticator web server certificate.

 

/FACSERVERSUBJNAME=subject name

The web server certificate subject name (e.g. CN=<server subject name>). The default firmware server certificate uses the FortiAuthenticator serial number (e.g. FAC-VM0A12001111).

 

/FACCACERTFILE="ca certificate file path"

The CA certificate which issued the web server certificate. By default this is the Fortinet CA which comes pre-installed in the FortiAuthenticator Agent installation directory.

 

/AUTHNUMRETRIES=number of retries

The number of two factor authentication retries that are made when a timeout occurs/the FortiAuthenticator is unavailable/etc.

 

/AUTHTIMEOUT=timeout

The timeout value for each two-factor authentication attempt in seconds. Upon timeout the next retry is attempted if configured to do so.

 

/AUTHFAILACTION=fail action

The action to take on authentication failure due to timeout/unavailability of the FortiAuthenticator. Allowed integer values are 0 (Block) and 1 (Allow).

 

/AUTHCACHECREDPERIOD=validity period

If the authentication fail action is set to 1 (Allow), users will be allowed to log on without two-factor authentication using cached credentials. This sets the number of days the user is allowed to log on offline without two-factor authentication before being locked out. Once locked out the user must reconnect to the domain and successfully authenticate with two-factor authentication with the FortiAuthenticator before their validity period is reset. Note that if this feature is enabled, the user must perform an initial successful two-factor authentication logon against the FortiAuthenticator for the validity period to take effect offline. If not, they will be locked out immediately when offline.

 

/AUTHALLOWADMINOTP

If enabled this allows the configured administrators to use their FortiToken to override the logon for a user. The user will still be required to enter their domain credentials, but instead of their OTP being provided the administrator provides their name along with their OTP (as configured on the FortiAuthenticator and in the administrator override names configuration field in FortiAuthenticator Agent). The administrator name and OTP are authenticated against the FortiAuthenticator, and the users credentials are used to continue the logon process (this also counts as a successful logon for cached credential validity period reset).

 

/AUTHADMINOVERRIDENAMES="comma separated list of administrators"

A list of administrators that will be allowed to perform administrator overrides, if overrides are enabled. These names must correspond directly with users defined on the FortiAuthenticator which are configured with FortiTokens. These can be either local users or imported remote users on the FortiAuthenticator, as long as the proper username is used.

 

/AUTHREALMBASED

Enable Realm-based authentication. This is disabled by default to retain legacy behavior.

 

/INCLUDEDDOMAINS="comma separated list domains"

This can be either a list of DNS domain names (e.g. domain.corp.com) or NetBIOS names (e.g. domain). Note that these will be validated during installation and need to match up with what the installation program detects directly through AD. If a specified domain is not found it will be ignored. These domains will force users to use two-factor authentication (as configured above, cached credentials when offline do not require a OTP if configured) if they belong to these domains. For all other domains no OTP is required and normal authentication operation takes place.

FortiAuthenticator Agent for Microsoft Windows includes the "." domain which represents the local machine. When listed as an included domain for two factor authentication, local user login is disabled.

 

/EXCLUDEDUSERS="comma separated list of exempt users"

This is a list of users in the format "NetBIOS domain name\Username" separated by commas. These users are excluded from two-factor authentication regardless of whether the domain is configured for two-factor authentication. This bypass will occur even if the FortiAuthenticator service is not running.

e.g.

FAC_Agent_Setup_v1.0.exe /VERYSILENT /DISABLEMSPROVIDER
/FACHOST=192.168.0.123 /FACRESTADMIN=admin /FACRESTKEY=X2=ByrYt1CgGyxLixYcZj7IFPT#7X5GSHieTlnwi

/FACVERIFYSERVERCERT /FACSERVERSUBJNAME=FAC-VM0A12000040 /FACCACERTFILE="C:\Program Files\Fortinet\FortiAuthenticator
Agent\fortinet_ca.crt"

/AUTHNUMRETRIES=2 /AUTHTIMEOUT=3 /AUTHFAILACTION=1
/AUTHCACHECREDPERIOD=23 /AUTHALLOWADMINOTP

/AUTHADMINOVERRIDENAMES="Administrator,Admin2,admin" /INCLUDEDDOMAINS="de.test.com,BE,TEST,corp.com" /EXCLUDEDUSERS="TEST\Administrator,TEST\manager3"

 

/EXCLUDEDGROUPS="OU=special,DC=domain,DC=com;OU=somethingelse,DC=domain,DC=com"

This is a list of groups indicated by their domain, separated by semicolon. These groups are excluded from two-factor authentication regardless of whether the domain is configured for two-factor authentication. This bypass will occur even if the FortiAuthenticator service is not running.