Remote users
Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers. For more information, see LDAP.
Note that you will only be able to import a maximum of five remote users if you have an unlicensed version of FortiAuthenticator-VM.
A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.
Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.
LDAP users
To import remote LDAP users:
- Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and select Import.
- Select a server from the Remote LDAP server dropdown menu, then select Import users or Import users by group membership, and select Import.
An LDAP server must already be configured to select it in the dropdown menu. For information on adding a remote LDAP server, see Remote authentication servers.
- Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
Note that the Member attribute field is only available if you select Import users by group membership. Use this field to specify the group attribute that lists the members to be shown. With the default attribute (member), only users listed in the member attribute of the selected groups are shown.
- The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select User Attributes to edit the remote LDAP user mapping attributes.
- Select the entries you want to import.
- Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.
- Optionally, select an IAM account from the IAM Account dropdown to associate the imported users with.
- Select OK.
The Import Remote LDAP Users or Import Remote LDAP Users by Group Memberships window opens in a new browser window.
Selecting the field FirstName, for example, presents a list of detected attributes that can be selected. This list is not exhaustive as additional, non-displayed attributes may be available for import. Consult your LDAP administrator for a full list of available attributes.
The amount of time required to import the remote users will vary depending on the number of users to import.
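As an added illustration of the import-by-group-membership selection described above (not FortiAuthenticator code), the following dry run walks a constructed AD-style directory snapshot: it expands the groups' member attribute, applies a single-clause filter string, maps the default AD attributes to account fields, and enforces the five-user limit of an unlicensed FortiAuthenticator-VM. The attribute mapping and the filter grammar are assumptions for the example.

```python
import fnmatch
import re

DIRECTORY = {  # constructed AD-style snapshot (not a real server): DN -> attributes
    "cn=VPN Users,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=Alice,ou=People,dc=example,dc=com",
                   "cn=Bob,ou=People,dc=example,dc=com",
                   "cn=Gone,ou=People,dc=example,dc=com"],  # stale reference
    },
    "cn=Alice,ou=People,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "givenName": ["Alice"], "sn": ["Adams"], "mail": ["alice@example.com"]},
    "cn=Bob,ou=People,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"],
        "givenName": ["Bob"], "sn": ["Brown"], "mail": ["bob@example.com"]},
    "cn=Carol,ou=People,dc=example,dc=com": {  # in no group: never selected
        "objectClass": ["user"], "sAMAccountName": ["carol"],
        "givenName": ["Carol"], "sn": ["Clark"], "mail": ["carol@example.com"]},
}

# Assumed default mapping: FortiAuthenticator field -> AD attribute.
AD_MAPPING = {"username": "sAMAccountName", "first_name": "givenName",
              "last_name": "sn", "email": "mail"}
UNLICENSED_VM_LIMIT = 5   # unlicensed FortiAuthenticator-VM: at most five remote users


def matches(attrs, filter_string):
    """Minimal single-clause LDAP filter, e.g. "(sAMAccountName=a*)"."""
    if not filter_string:
        return True
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filter_string)
    if m is None:
        raise ValueError("only a single (attr=value) clause is supported here")
    return any(fnmatch.fnmatchcase(v, m[2]) for v in attrs.get(m[1], []))


def preview_import(directory, member_attr="member", filter_string="", licensed=True):
    """Users a group-membership import would select, mapped to account fields."""
    member_dns = set()
    for attrs in directory.values():
        if "group" in attrs.get("objectClass", []):
            member_dns.update(attrs.get(member_attr, []))
    selected = []
    for dn in sorted(member_dns):
        attrs = directory.get(dn)
        if attrs is None or not matches(attrs, filter_string):
            continue  # stale member reference, or filtered out
        selected.append({f: attrs.get(a, [""])[0] for f, a in AD_MAPPING.items()})
    if not licensed and len(selected) > UNLICENSED_VM_LIMIT:
        raise ValueError(f"unlicensed VM: at most {UNLICENSED_VM_LIMIT} remote users")
    return selected
```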
To add two-factor authentication to a remote LDAP user:
- Edit the remote user, select One-Time Password (OTP) authentication, and follow the same steps as when editing a local user (Editing a user).
- Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
- Select Save to apply the changes.
RADIUS users
To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS for more information about remote RADIUS servers.
The following options are available (when remote RADIUS users are available to edit):
Create New | Select to create a new remote RADIUS user. |
Delete | Select to delete the selected user or users. |
Edit | Select to edit the selected user. |
Re-enable | Select to re-enable the status of a user that has been disabled. |
Migrate | Select to migrate the selected user or users. See To migrate RADIUS users to LDAP users:. |
Token | Select to either Enforce or Bypass One-Time Password (OTP) authentication for the selected user(s). |
Search | Search the remote RADIUS user list. |
Username | The remote user’s name. |
Remote RADIUS server | The remote RADIUS server where the user resides. |
Admin | Displays whether or not the user is configured as an administrator. |
Status | Displays whether or not the user is enabled or disabled. |
Token | The FortiToken used by the user, if applicable. |
Token Requested | Displays whether or not a FortiToken has been requested for the user. |
Enforce token-based authentication | Displays whether or not token-based authentication is enforced. |
To create a new remote RADIUS user:
- From the remote user list, select RADIUS users and select Create New.
- Enter the following information:
Remote RADIUS
Select the remote RADIUS server on which the user will be created. For more information on remote RADIUS servers, see RADIUS.
Username
Enter a username.
Disabled
Select to disable the user account.
Enforce token-based authentication if configured below
Select to enforce token-based authentication, if you are configuring token-based authentication.
One-Time Password (OTP) authentication
Select to configure One-Time Password (OTP) authentication.
FIDO authentication
Select to enable FIDO authentication. This is disabled by default for new user accounts.
Register FIDO key
Select to open the Add new Fido Key dialog, enter the FIDO key name, and click OK to register a FIDO key for the user.
Note: Use the Delete all FIDO keys button to delete all the registered FIDO keys.
Allow RADIUS authentication
Enable or disable RADIUS authentication.
Sync in HA Load Balancing mode
Select to sync the administrator across load-balanced FortiAuthenticator devices from the primary standalone device to load-balancers.
User Role
Configure a remote user's role. Select whether the remote user is an Administrator (along with related permissions), a Sponsor, or a regular User.
Role
Select Administrator, Sponsor, or User.
Full Permission
Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.
Use backup password
Enable to set up a backup password to be used when the remote server is unreachable. This applies to administrator and sponsors only.
Restrict admin login from trusted management subnets only
Enable and enter trusted IP addresses and netmasks for restricted administrator login access. This applies to administrator and sponsors only.
User Information
Enter user information as needed. The following options are available:
- Display name
- Email address
- Company
- Department
- Title
- Birthdate
- Mobile number and SMS gateway
- Language
- FortiToken Logo - see FortiTokens.
TACACS+
Add a TACACS+ authorization rule. See Assigning authorization rules.
Usage Information
View the user's usage information, including bytes in/out, time used, and the option to reset the usage statistics.
When allocated usage is reached, the user account is locked and needs to be unlocked manually by an admin or via API. Upon unlock, usage data is reset.
Certificate Bindings
Add, edit, or remove certificate bindings for the user account. See Configuring certificate bindings.
Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate. For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.
Devices
Add devices, based on MAC address, for the user account.
- Select Save to create the new remote RADIUS user.
To migrate RADIUS users to LDAP users:
- From the remote RADIUS users list (see Learned RADIUS users), select the user or users you need to migrate, then select Migrate from the toolbar.
- Select an LDAP server from the dropdown menu and select Next.
- Enter the distinguished names for the users to migrate, or browse the LDAP tree (see Directory tree overview) to find the users.
- Select Migrate to migrate the user or users.
SAML users
To view remote SAML users, go to Authentication > User Management > Remote Users and select SAML users.
To create a new remote SAML user:
- From the remote user list, select SAML users and select Create New.
- Enter the following information:
Remote SAML
Select the remote SAML server on which the user will be created. For more information on remote SAML servers, see SAML.
Username
Enter a username.
Disabled
Select to disable the user account.
One-Time Password (OTP) authentication
Select to configure One-Time Password (OTP) authentication.
User Information
Enter user information as needed. The following options are available:
- Display name
- First name
- Last name
- Email address
- Mobile number and SMS gateway
- Company
- Department
- Title
- Birthdate
- Language
- FortiToken Logo - see FortiTokens.
- Select Save to create the new remote SAML user.
The Create New Remote SAML User window appears.
To import remote SAML users:
- From the remote user list, select SAML users, and select Import.
- Select the following:
Remote SAML server
Select the remote SAML server from which the users will be imported. For more information on remote SAML servers, see SAML.
Group
Select the SAML server group to import users from.
- Select Save to import the remote SAML users.
The Import remote SAML Users window opens.
TACACS+ users
To view remote TACACS+ users, go to Authentication > User Management > Remote Users and select TACACS+ users in the toolbar. See TACACS+ for more information about the remote TACACS+ servers.
The following options are available (when remote TACACS+ users are available to edit):
Create New | Select to create a new remote TACACS+ user. |
Delete | Select to delete the selected user or users. |
Re-Enable | Select to re-enable the status of a user that has been disabled. |
Search | Search the remote TACACS+ user list. |
Username | The remote user’s name. |
Remote TACACS+ Server | The remote TACACS+ server where the user resides. |
Admin | Displays whether or not the user is configured as an administrator. |
Status | Displays whether or not the user is enabled or disabled. |
To create a new remote TACACS+ user:
- From the remote user list, select TACACS+ and select Create New.
The Create New Remote TACACS+ User window opens.
- Enter the following information:
Remote TACACS+ Server
Select the remote TACACS+ server on which the user will be created. For more information on remote TACACS+ servers, see TACACS+.
Username
Enter a username.
Disabled
Select to disable the user account.
Sync in HA Load Balancing mode
Select to sync the administrator across load-balanced FortiAuthenticator devices from the primary standalone device to load-balancers.
User Role
Configure a remote user's role.
Role
Only the Administrator role (along with related permissions) is available.
Full Permission
Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.
Use backup password
Enable to set up a backup password to be used when the remote server is unreachable.
Enter the backup password and enter again to confirm.
This applies to administrators.
Restrict admin login from trusted management subnets only
Enable and enter trusted IP addresses and netmasks for restricted administrator login access. This applies to administrators.
- Click Save to create the new remote TACACS+ user.