Administration Guide

General

To configure general account policy settings, go to Authentication > User Account Policies > General.

Configure the following settings:

Authentication Flow

PCI DSS 3.2 two-factor authentication

Enable to always collect all authentication factors before indicating a success or failure.

Request password reset after OTP verification

Enable to send a change-password request once the OTP is verified, for users whose password reset is required.

Local User Password Storage

Enhanced cryptography

When disabled, FortiAuthenticator uses AES256 encryption for local user passwords.

When enabled, local user passwords are hashed using bcrypt.

With enhanced cryptography, cleartext passwords can no longer be recovered, and authentication requests requiring cleartext passwords for validation will fail. Enhanced cryptography can be disabled within 30 days of being enabled. After 30 days it cannot be disabled. FortiAuthenticator sends an email reminder to the administrator before the end of the 30-day period.

Local admin passwords are always hashed using bcrypt.

Note: This option cannot be disabled after being enabled for 30 days.
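The following is an added illustration, not FortiAuthenticator code, of why the two storage modes behave differently. Reversible (encrypted) storage lets the server hand back the cleartext that challenge/response methods such as CHAP (RFC 1994) need to recompute the client's response, so those requests succeed; a one-way hash can only be compared against a cleartext the client sends, so PAP-style checks still work but CHAP-style checks fail. It also models the 30-day window in which the option can still be turned off. Two stand-ins are assumptions, because the standard library ships neither primitive: an HMAC-SHA256 keystream in counter mode plays the role of AES256, and PBKDF2-HMAC-SHA256 plays the role of bcrypt. The contract, not the primitive, is the point.

```python
"""Reversible vs. one-way local password storage (added example)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

NONCE_LEN = 16
SALT_LEN = 16
PBKDF2_ROUNDS = 100_000
DISABLE_WINDOW = timedelta(days=30)  # window in which enhanced cryptography may be disabled


class CleartextUnavailable(Exception):
    """The stored password exists only as a one-way hash."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stand-in for an AES256 keystream.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(key: bytes, password: bytes) -> bytes:
    # Anyone holding the key can undo this; that is the property the page warns about.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(password))
    return nonce + bytes(p ^ k for p, k in zip(password, ks))


def decrypt_reversible(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def hash_oneway(password: bytes) -> bytes:
    # Salted, slow, one-way; stand-in for bcrypt.
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def verify_oneway(password: bytes, record: bytes) -> bool:
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP (MD5): the client proves it knows the cleartext secret.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class LocalUserStore:
    def __init__(self, enhanced_cryptography: bool, key: bytes, enabled_at: datetime):
        self.enhanced = enhanced_cryptography
        self.key = key
        self.enabled_at = enabled_at if enhanced_cryptography else None
        self.records = {}

    def set_password(self, user: str, password: bytes) -> None:
        self.records[user] = (hash_oneway(password) if self.enhanced
                              else encrypt_reversible(self.key, password))

    def recover_cleartext(self, user: str) -> bytes:
        if self.enhanced:
            raise CleartextUnavailable(f"{user}: stored as a one-way hash")
        return decrypt_reversible(self.key, self.records[user])

    def verify_pap(self, user: str, password: bytes) -> bool:
        # The client sent the cleartext, so both storage modes can check it.
        if self.enhanced:
            return verify_oneway(password, self.records[user])
        return hmac.compare_digest(password, self.recover_cleartext(user))

    def verify_chap(self, user: str, ident: int, challenge: bytes, response: bytes) -> bool:
        # The server must recompute the response from the cleartext secret,
        # which only reversible storage can supply; otherwise the request fails.
        try:
            secret = self.recover_cleartext(user)
        except CleartextUnavailable:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

    def can_disable_enhanced(self, now: datetime) -> bool:
        return self.enhanced and now - self.enabled_at <= DISABLE_WINDOW


def run_demo() -> dict:
    # Constructed sample data, not real credentials or keys.
    key = bytes(range(32))
    enabled_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    password = b"correct horse battery staple"
    ident, challenge = 7, bytes.fromhex("00112233445566778899aabbccddeeff")
    client_response = chap_response(ident, password, challenge)
    results = {}
    for enhanced in (False, True):
        store = LocalUserStore(enhanced, key, enabled_at)
        store.set_password("alice", password)
        try:
            store.recover_cleartext("alice")
            recoverable = True
        except CleartextUnavailable:
            recoverable = False
        results["enhanced" if enhanced else "reversible"] = {
            "cleartext_recoverable": recoverable,
            "pap_ok": store.verify_pap("alice", password),
            "pap_wrong": store.verify_pap("alice", b"wrong"),
            "chap_ok": store.verify_chap("alice", ident, challenge, client_response),
            "can_disable_day_29": store.can_disable_enhanced(enabled_at + timedelta(days=29)),
            "can_disable_day_31": store.can_disable_enhanced(enabled_at + timedelta(days=31)),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

Running it shows the trade-off in one table: the reversible store answers both PAP- and CHAP-style requests but can hand the cleartext to anyone holding the key, while the hashed store answers only requests that carry the cleartext, and the disable check flips from allowed to denied once the 30-day window has passed.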

User Account Management

Automatically purge disabled user accounts

Enable to automatically purge disabled user accounts. Select the frequency of the purge in the Frequency field: Hourly, Daily, Weekly, or Monthly. Enter the time of the purge in the Time field: select Now to use the current time, or select the clock icon to choose a preset time: Now, Midnight, 6 a.m., Noon, or 6 p.m.

Purge users that are disabled due to the following reasons

Select which disabled users are purged, by the reason they were disabled: Manually disabled, Login inactivity, Account expired, or Usage limit exceeded.

Send message on remote LDAP account import

Enable to send a message to the user when a remote LDAP account is imported.

Note: When enabled, you can select Email and/or SMS.

Session Expiry

Windows machine authentication

Enter the time after which login sessions for Windows machine authentication using 802.1X time out, from 5 to 1440 minutes (five minutes to one day). The default is 480 minutes.

Inactive RADIUS accounting

Enter the time after which inactive RADIUS accounting sessions time out, from 5 to 1440 minutes (five minutes to one day). The default is 60 minutes.

TACACS+ authentication

The maximum time (in seconds) for which an authenticated TACACS+ user is authorized to issue commands, from 120 to 36000 seconds. The default is 28800 seconds.

Discard stale RADIUS authentication requests

Enable to set the age after which RADIUS authentication requests are considered stale and discarded, from 3 to 360 seconds (up to six minutes). The default is 8 seconds.

Sponsor Portal

Each sponsor only has access to guest users they created

Enable to allow sponsors to view only those guest users created by the sponsor.

Note: This option is disabled by default.