Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.4.5 Administration Guide
    6.4.5
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    General

    General

    To configure general account policy settings, go to Authentication > User Account Policies > General.

    Configure the following settings:

    Authentication Flow

    PCI DSS 3.2 two-factor authentication

    Enable to always collect all authentication factors before indicating a success or failure.

    Request password reset after OTP verification

    Enable if password reset is required, a change password request is sent once the OTP is verified.

    Local User Password Storage

    Enhanced cryptography

    When disabled, FortiAuthenticator uses AES256 encryption for local user passwords.

    When enabled, local user passwords are hashed using bcrypt.

    With enhanced cryptography, cleartext passwords can no longer be recovered, and authentication requests requiring cleartext passwords for validation will fail. Enhanced cryptography can be disabled within 30 days of being enabled. After 30 days it cannot be disabled. FortiAuthenticator sends an email reminder to the administrator before the end of the 30-day period.

    Local admin passwords are always hashed using bcrypt.

    This option cannot be disabled after being enabled for 30 days.

    User Account Management

    Automatically purge disabled user accounts

    Enable to automatically purge disabled user accounts. Select the frequency of the purge in the Frequency field: Hourly, Daily, Weekly, or Monthly. Enter the time of the purge in the Time field: Now to set the time to the current time, or select the clock icon to choose a time: Now, Midnight, 6 a.m., Noon, or 6 p.m.

    Purge users that are disabled due to the following reasons

    Set the reason for purging disabled users: Manually disabled, Login inactivity, Account expired, or Usage limit exceeded.

    Send message on remote LDAP account import

    Enable to send message to the user account when a remote LDAP account is imported.

    Note: When enabled, you can select Email and/or SMS.

    Session Expiry

    Windows machine authentication

    Enter a time after which the login sessions timeout for Windows machine authentication using 802.1.X, from 5 to 1440 minutes (or five minutes to one day). The default is set to 480 minutes.

    Inactive RADIUS accounting

    Enter a time after which RADIUS accounting sessions timeout, from 5 to 1440 minutes (or five minutes to one day). The default is set to 60 minutes.

    TACACS+ authentication

    The maximum time duration (in seconds) for which an authenticated TACACS+ user is authorized to issue commands, from 120 to 36000 seconds. The default is set to 28800 seconds.

    Discard stale RADIUS authentication requests

    Enable to select a time after which RADIUS authentication requests are considered stale and are discarded, from 3 - 360 seconds (or six minutes). The default is set to 8 seconds.

    Sponsor Portal

    Each sponsor only has access to guest users they created

    Enable to allow sponsors to view only those guest users created by the sponsor.

    Note: This option is disabled by default.
    Previous
    Next

    General

    General

    To configure general account policy settings, go to Authentication > User Account Policies > General.

    Configure the following settings:

    Authentication Flow

    PCI DSS 3.2 two-factor authentication

    Enable to always collect all authentication factors before indicating a success or failure.

    Request password reset after OTP verification

    Enable if password reset is required, a change password request is sent once the OTP is verified.

    Local User Password Storage

    Enhanced cryptography

    When disabled, FortiAuthenticator uses AES256 encryption for local user passwords.

    When enabled, local user passwords are hashed using bcrypt.

    With enhanced cryptography, cleartext passwords can no longer be recovered, and authentication requests requiring cleartext passwords for validation will fail. Enhanced cryptography can be disabled within 30 days of being enabled. After 30 days it cannot be disabled. FortiAuthenticator sends an email reminder to the administrator before the end of the 30-day period.

    Local admin passwords are always hashed using bcrypt.

    This option cannot be disabled after being enabled for 30 days.

    User Account Management

    Automatically purge disabled user accounts

    Enable to automatically purge disabled user accounts. Select the frequency of the purge in the Frequency field: Hourly, Daily, Weekly, or Monthly. Enter the time of the purge in the Time field: Now to set the time to the current time, or select the clock icon to choose a time: Now, Midnight, 6 a.m., Noon, or 6 p.m.

    Purge users that are disabled due to the following reasons

    Set the reason for purging disabled users: Manually disabled, Login inactivity, Account expired, or Usage limit exceeded.

    Send message on remote LDAP account import

    Enable to send message to the user account when a remote LDAP account is imported.

    Note: When enabled, you can select Email and/or SMS.

    Session Expiry

    Windows machine authentication

    Enter a time after which the login sessions timeout for Windows machine authentication using 802.1.X, from 5 to 1440 minutes (or five minutes to one day). The default is set to 480 minutes.

    Inactive RADIUS accounting

    Enter a time after which RADIUS accounting sessions timeout, from 5 to 1440 minutes (or five minutes to one day). The default is set to 60 minutes.

    TACACS+ authentication

    The maximum time duration (in seconds) for which an authenticated TACACS+ user is authorized to issue commands, from 120 to 36000 seconds. The default is set to 28800 seconds.

    Discard stale RADIUS authentication requests

    Enable to select a time after which RADIUS authentication requests are considered stale and are discarded, from 3 - 360 seconds (or six minutes). The default is set to 8 seconds.

    Sponsor Portal

    Each sponsor only has access to guest users they created

    Enable to allow sponsors to view only those guest users created by the sponsor.

    Note: This option is disabled by default.
    Previous
    Next