General
To configure general account policy settings, go to Authentication > User Account Policies > General.
Configure the following settings:
To configure general account policy settings, go to Authentication > User Account Policies > General.
Configure the following settings:
To configure general account policy settings, go to Authentication > User Account Policies > General.
Configure the following settings:
Authentication Flow |
||||
|
PCI DSS 3.2 two-factor authentication |
Enable to always collect all authentication factors before indicating a success or failure. |
||
|
Request password reset after OTP verification |
Enable if password reset is required, a change password request is sent once the OTP is verified. |
||
Local User Password Storage |
||||
|
Enhanced cryptography |
When disabled, FortiAuthenticator uses AES256 encryption for local user passwords. When enabled, local user passwords are hashed using bcrypt. With enhanced cryptography, cleartext passwords can no longer be recovered, and authentication requests requiring cleartext passwords for validation will fail. Enhanced cryptography can be disabled within 30 days of being enabled. After 30 days it cannot be disabled. FortiAuthenticator sends an email reminder to the administrator before the end of the 30-day period. Local admin passwords are always hashed using bcrypt.
|
||
User Account Management |
||||
|
Automatically purge disabled user accounts |
Enable to automatically purge disabled user accounts. Select the frequency of the purge in the Frequency field: Hourly, Daily, Weekly, or Monthly. Enter the time of the purge in the Time field: Now to set the time to the current time, or select the clock icon to choose a time: Now, Midnight, 6 a.m., Noon, or 6 p.m. |
||
|
Purge users that are disabled due to the following reasons |
Set the reason for purging disabled users: Manually disabled, Login inactivity, Account expired, or Usage limit exceeded. |
||
|
Send message on remote LDAP account import |
Enable to send message to the user account when a remote LDAP account is imported. Note: When enabled, you can select Email and/or SMS. |
||
Session Expiry |
||||
|
Windows machine authentication |
Enter a time after which the login sessions timeout for Windows machine authentication using 802.1.X, from 5 to 10080 minutes (or five minutes to seven days). The default is set to 480 minutes. |
||
|
Inactive RADIUS accounting |
Enter a time after which RADIUS accounting sessions timeout, from 5 to 1440 minutes (or five minutes to one day). The default is set to 60 minutes. |
||
|
TACACS+ authentication |
The maximum time duration (in seconds) for which an authenticated TACACS+ user is authorized to issue commands, from 120 to 36000 seconds. The default is set to 28800 seconds. |
||
|
Discard stale RADIUS authentication requests |
Enable to select a time after which RADIUS authentication requests are considered stale and are discarded, from 3 - 360 seconds (or six minutes). The default is set to 8 seconds. |
||
Sponsor Portal |
||||
|
Each sponsor only has access to guest users they created |
Enable to allow sponsors to view only those guest users created by the sponsor. Note: This option is disabled by default. |