Administration Guide

Local users

Local user accounts can be created, imported, exported, edited, and deleted as needed. Expired local user accounts can be purged manually or automatically (see User account policies).

To manage local user accounts, go to Authentication > User Management > Local Users.

The local user account list provides the following controls and columns:

Create New: Select to create a new user.

Import: Select to import local user accounts from a CSV file or a FortiGate configuration file.

If using a CSV file, it must contain one record per line, with the following 24 fields in this order:

  1. username (30 characters max)
  2. display name (64 characters max)
  3. first name (30 characters max)
  4. last name (30 characters max)
  5. email (75 characters max)
  6. alternate emails (75 characters max; semicolon separated if more than one)
  7. phone number (25 characters max)
  8. mobile number (25 characters max)
  9. street address
  10. city
  11. state/province
  12. zip/postal code (16 characters max)
  13. country
  14. company (64 characters max)
  15. department (64 characters max)
  16. title (64 characters max)
  17. birthdate
  18. custom1
  19. custom2
  20. custom3
  21. password (optional, 128 characters max)
  22. otp
  23. otp-only
  24. groups (semicolon separated if more than one)

If the optional password is left out of the import file, the user is emailed temporary login credentials and asked to set a new password, so that user's email field must be populated.

Even if an optional field is empty, its position must still be delimited with a comma.

Multiple groups are separated by semicolons, e.g., g1;g2;g3.

Custom fields (custom1 to custom3) must be predefined under User Account Policies. See Custom user fields.

To disable password authentication and use FortiToken-based authentication only, a valid FortiToken serial number that is already configured on the FortiAuthenticator must be provided.

Click Export at the top of the list to download a sample CSV file, fill it in, and use it to import users.

Import error handling: the import is all-or-nothing. If any error is detected (e.g., a duplicate user or an invalid field), none of the local user accounts in the CSV file are created. For FortiAuthenticator to add the imported local users to the specified groups:

  • All the specified local groups must already exist on the FortiAuthenticator.

  • If a line is missing the group field (e.g., a CSV export from a previous FortiAuthenticator version), FortiAuthenticator assumes no group membership.

Start a row with # to comment it out. In the sample CSV file downloaded with Export, the first row is commented out in this way.

When importing local users from a CSV file, click + to expand Advanced options and select the action to take for existing accounts that are missing from the CSV file:

  • Keep user accounts

  • Disable user accounts

  • Delete user accounts

Check that the file lists every account you intend to keep before choosing Disable or Delete, since those actions apply to every existing local account absent from the file.

Export: Select to export the user account list to a CSV file.

Delete: Select to delete the selected user account or accounts.

Edit: Select to edit the selected user account.

Disabled Users:

  • Re-enable: Allows the administrator to re-enable disabled accounts. Expired user accounts can only be re-enabled individually.

  • Purge Disabled: Choose which type of disabled users to purge. All users matching the selected type(s) are deleted.

Search: Enter a search term in the search field, then select Search to search the user account list.

User: The user accounts’ usernames.
First name: The user accounts’ first names, if included.
Last name: The user accounts’ last names, if included.
Email address: The user accounts’ email addresses, if included.
Admin: If the user account is set as an administrator, a green circle with a check mark is shown.
Status: If the user account is enabled, a green circle with a check mark is shown.
Token: The token assigned to that user account. Select the token name to edit the FortiToken, see FortiToken device maintenance.
Token requested: The status of the user's token request.
Groups: The group or groups to which the user account belongs.
Authentication Methods: The authentication method used for the user account.
Expiration: The date and time that the user account expires, if an expiration date and time have been set for the account.
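Because the CSV import is all-or-nothing, it pays to check the file before uploading it. The following script is an added example, not FortiAuthenticator's own code: it applies the documented CSV rules (the 24 fields in fixed order, the character limits, # comment rows, semicolon-separated groups that must already exist, otp-only requiring a configured FortiToken serial number) and previews what the Advanced options would do to existing accounts missing from the file. Two details are assumptions of the example rather than documented behaviour: that the otp field carries the FortiToken serial number, and that otp-only is set with a value such as 1, true or yes. The sample rows are constructed for the example.

```python
"""Pre-flight check of a local-user CSV file before importing it into FortiAuthenticator.

Added illustrative example, not FortiAuthenticator's own code. Assumptions: the otp
field carries the FortiToken serial number, and otp-only is set with 1/true/yes.
"""
import csv
import io

# Documented field order and character limits (None = no limit stated on the page).
FIELDS = [
    ("username", 30), ("display_name", 64), ("first_name", 30), ("last_name", 30),
    ("email", 75), ("alternate_emails", 75), ("phone", 25), ("mobile", 25),
    ("street", None), ("city", None), ("state", None), ("postal_code", 16),
    ("country", None), ("company", 64), ("department", 64), ("title", 64),
    ("birthdate", None), ("custom1", None), ("custom2", None), ("custom3", None),
    ("password", 128), ("otp", None), ("otp_only", None), ("groups", None),
]
NAMES = [name for name, _ in FIELDS]


def make_row(**values):
    """Build one record in the documented order; empty fields still occupy their column."""
    unknown = set(values) - set(NAMES)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    return [values.get(name, "") for name in NAMES]


def build_csv(rows):
    """Serialise rows behind a commented-out header row, like the sample file from Export."""
    buf = io.StringIO()
    buf.write("#" + ",".join(NAMES) + "\n")
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def _is_set(value):
    return value.lower() in {"1", "true", "yes", "y"}   # assumed spelling of otp-only


def validate_import(csv_text, existing_groups, configured_tokens):
    """Return (records, errors). Like the real import, any error means no account is created."""
    records, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or row[0].startswith("#"):
            continue                                    # blank or commented-out row
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        rec = dict(zip(NAMES, (v.strip() for v in row)))
        for name, limit in FIELDS:
            if limit is not None and len(rec[name]) > limit:
                errors.append(f"line {lineno}: {name} exceeds {limit} characters")
        user = rec["username"]
        if not user:
            errors.append(f"line {lineno}: username is required")
        elif user in seen:
            errors.append(f"line {lineno}: duplicate user {user}")
        seen.add(user)
        if _is_set(rec["otp_only"]) and rec["otp"] not in configured_tokens:
            errors.append(f"line {lineno}: otp-only requires a configured FortiToken serial")
        elif not rec["password"] and not rec["email"]:
            # No password means temporary credentials are emailed, so an address is needed.
            errors.append(f"line {lineno}: no password and no email to deliver credentials to")
        groups = [g for g in rec["groups"].split(";") if g]    # missing field = no groups
        for g in groups:
            if g not in existing_groups:
                errors.append(f"line {lineno}: group {g} does not exist")
        rec["groups"] = groups
        records.append(rec)
    return ([], errors) if errors else (records, [])


def reconcile(existing_users, records, action):
    """Preview the Advanced option: what happens to existing accounts absent from the file."""
    if action not in {"keep", "disable", "delete"}:
        raise ValueError(f"unknown action {action!r}")
    imported = {r["username"] for r in records}
    missing = sorted(u for u in existing_users if u not in imported)
    return {} if action == "keep" else {u: action for u in missing}


# Constructed sample data: one password user and one FortiToken-only user.
SAMPLE_CSV = build_csv([
    make_row(username="rgreen", display_name="Rita Green", email="rgreen@example.com",
             password="Winter-2024!", groups="staff;vpn"),
    make_row(username="jdoe", email="jdoe@example.com", otp="FTKMOB0000000001",
             otp_only="1", groups="staff"),
])

if __name__ == "__main__":
    recs, errs = validate_import(SAMPLE_CSV, {"staff", "vpn"}, {"FTKMOB0000000001"})
    print("errors:", errs)
    print("would disable:", reconcile({"rgreen", "jdoe", "old-contractor"}, recs, "disable"))
```

Run it against the real export before an import: the group and token sets can be filled from the existing FortiAuthenticator configuration, and the reconcile preview shows exactly which accounts a Disable or Delete choice would touch.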

Adding a user

When creating a user account, there are three ways to handle the password:

  1. The administrator assigns a password immediately and communicates it to the user.
  2. FortiAuthenticator creates a random password and automatically emails it to the new user.
  3. No password is assigned because only One-Time Password (OTP) authentication will be used.
To add a new user:
  1. In the local users list, select Create New. The Create New Local User window opens.
  2. Enter the following information:
    Username: Enter a username for the user.
    Password creation: Select one of the options from the dropdown menu:

    • Specify a password: Manually enter a password in the Password field, then reenter the password in the Password confirmation field.
    • Set and email a random password: Enter the email address to send the password to in the Email address field, then reenter it in the Confirm email address field.
    • No password, FortiToken authentication only: After you select OK, you need to associate a FortiToken device with this user. See FortiToken physical device and FortiToken Mobile.
    Allow RADIUS authentication: For a user to authenticate using RADIUS, this must be enabled.
    Force password change on next logon: Enable to require the user to change their local password on FortiAuthenticator at first logon. This avoids having administrators deliver a lasting credential to the user by phone or email, which is not a secure delivery method and adds time to onboarding.
    Role: Select whether the new account is for an Administrator, Sponsor, or regular User. Administrators can either have full permissions or have specific administrator profiles applied. Regular users can have their account expiration settings configured.

    When creating a new administrator account, you are prompted to enter the password of the currently logged in administrator before the changes can be saved.

    Enable account expiration: Select to enable user account expiration, either after a specific amount of time has elapsed or on a specific date.
    Expire after: Select when the account will expire:

    • Set length of time: Enter the number of hours, days, months, or years until the account expires.
    • Set an expire date: Enter the date on which the account will expire, either by typing it in or by selecting the calendar icon and choosing a date.

    IAM: Add this local user to an IAM account.

  3. Select Save to create the new user. You are redirected to the Change local user window to continue the user configuration in greater detail.
  4. If the password creation method was set to No password, FortiToken authentication only, you are required to associate a FortiToken with the user before the user can be enabled.

Editing a user

User accounts can be edited at any time. To edit a user, go to the user account list, select the user, and select Edit from the toolbar. Alternatively, select the username in the user list.

The following information can be viewed or configured:

Username: The username cannot be changed.
Disabled: Select to disable the user account.

Password authentication: Select to enable password authentication. The user's password can be changed by selecting Change Password.

One-Time Password (OTP) authentication: Select to enable FortiToken-based authentication. See Configuring One-Time Password (OTP) authentication.

FIDO authentication: Select to enable FIDO authentication. This is disabled by default for new user accounts.

Register FIDO key: Select to open the Add new Fido Key dialog, enter the FIDO key name, and click OK to register a FIDO key for the user.

Note: Use the Delete all FIDO keys button to delete all the registered FIDO keys.

Allow RADIUS authentication: Select to allow RADIUS authentication. This applies only to regular users.
Enable account expiration: Select to enable account expiration and specify when the account expires. See Enable account expiration.

Force password change on next logon: Require the user to change their password on their next logon. Once the password is changed, this setting is automatically disabled again.

Sync in HA Load Balancing mode: Select to sync this administrator account from the primary (standalone) FortiAuthenticator to the load balancers in an HA load balancing configuration.

User Role: Configure the user’s role.
Role: Select Administrator, Sponsor, or User. If setting a user as an administrator, see Configuring a user as an administrator.

Allow LDAP browsing: Select to allow LDAP browsing. This applies only to regular users.
Full permission: Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.
Web service access: Enable to allow this administrator to access the web services either through the REST API or using a client application. This applies only to administrators.

After enabling Web service access and saving your changes, the User API Access Key window is displayed, allowing you to view, copy, and/or email the API access key. The key authenticates API calls as this administrator, so handle it like the administrator's password; emailing it sends that credential through the mail system.

Restrict admin login from trusted management subnets only: Enable and enter trusted IP addresses and netmasks to restrict the subnets from which this administrator can log in. This applies only to administrators.
User Information: Enter user information, such as their address and phone number. See Adding user information.
Password Recovery Options: Configure password recovery options for the user. See Configuring password recovery options.
Groups: Assign the user to one or more groups.
Usage Information: View the user's usage information, including bytes in/out and time used, and reset the usage statistics.

When the allocated usage is reached, the user account is locked and must be unlocked manually by an administrator or via the API. On unlock, the usage data is reset.

Email Routing: Enter a mail host and routing address into their respective fields to configure email routing for the user.

TACACS+: Add a TACACS+ authorization rule. See Assigning authorization rules.

Alternative email addresses: Add alternate email addresses for the user.

Note: In LDAP, alternative email addresses are defined by the rfc822MailMember attribute.

Certificate Bindings: Add, edit, or remove certificate bindings for the user account. See Configuring certificate bindings. Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.

For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.

Devices: Add devices, based on MAC address, for the user account.

RADIUS Attributes: Add RADIUS attributes. See RADIUS attributes.

For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.

Select Save when you have finished editing the user’s information and settings.

Configuring One-Time Password (OTP) authentication

One-Time Password (OTP) authentication requires a FortiToken device, a mobile device with the FortiToken Mobile app installed, or a device with email or SMS capability.

FortiToken and FortiToken Mobile tokens must first be registered under Authentication > User Management > FortiTokens. For more information, see FortiTokens.

To configure an account for One-Time Password (OTP) authentication:
  1. Edit a user and select One-Time Password (OTP) authentication to view the OTP authentication options.
  2. Specify the source of tokens, FortiAuthenticator or FortiToken Cloud:
    1. When FortiAuthenticator is selected, select a token delivery method:
      1. FortiToken, then select the type of FortiToken used from the available options.
        1. Hardware, then select the FortiToken device serial number from the Token dropdown menu.
        2. Mobile, then select the FortiToken Mobile device serial number from the Token dropdown menu, and select an Activation delivery method from Email, SMS, or Scan QR code.

          When editing a local or remote user with Provision mode set to Offline under Tokens, the edit user page offers only Scan QR code as the Activation delivery method for FortiToken Mobile (no Email or SMS options).

          The device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

          Optionally, select Temporary token to let the user receive a temporary token code by email or SMS.

          The Temporary token option is meant as a backup delivery method when a FortiToken hardware or mobile token is the primary delivery method.

          When emergency codes are enabled under Tokens, you can view a user's emergency codes from within the user account by clicking Display Emergency Code, provided a FortiToken is provisioned for the account.

          If Temporary token is enabled with Email or SMS, the user configured for 2FA receives an OTP by email or SMS when attempting a 2FA login. This lets the user access the network with a temporary OTP when they do not have access to their phone or hardware token. Note that while it is enabled, the second factor is effectively access to the user's mailbox or phone number rather than possession of the token.

          Temporary token based authentication is automatically disabled again the next time the user logs in successfully with their FortiToken hardware or mobile token.

      2. Email, then enter the user’s email address in the User Information section.
      3. SMS, then enter the user’s mobile number in the User Information section.
      4. Dual (Email & SMS), then enter the user's email address and mobile number in the User Information section.
      5. Select Test Token to validate the token passcode. The Test Email Token or Test SMS Token window opens, depending on your selection.
        • For email and SMS tokens, confirm that the contact information is correct, select Next, then enter the token code received by email or SMS.
        • Select Back to return and edit the contact information, select Verify to verify the token passcode, or select Resend Code if a new code is required.
        • For FortiToken, enter the token code in the Token code field, then select Verify to verify the token passcode.
    2. When FortiToken Cloud is selected, select a token delivery method:
      1. Default: the user is assigned the default token code delivery option configured on the FortiToken Cloud side.

        If the default is FortiToken Mobile, the activation code delivery method is also the default configured on the FortiToken Cloud side.

        If the default provisioning is successful, FortiAuthenticator reports the result to the administrator and logs it as one of:

        • FortiToken Cloud provisioned with FortiToken Hardware <serial number>.

        • FortiToken Cloud provisioned with FortiToken Mobile. The user was notified by <email/SMS>.

        • FortiToken Cloud provisioned with email OTP.

        • FortiToken Cloud provisioned with SMS OTP.

        FortiAuthenticator informs the administrator if a required user account field, e.g., the email address, is missing.

      2. FortiToken, then select the type of FortiToken used from the available options.
        1. Hardware: FortiToken Cloud randomly assigns a hardware token (FTK) from its pool of available FTKs.

          If provisioning is successful, FortiAuthenticator reports the result to the administrator and logs it as FortiToken Cloud provisioned with FortiToken Hardware <serial number>.

          FortiAuthenticator informs the administrator of any provisioning error.

        2. Mobile: FortiToken Cloud randomly assigns a FortiToken Mobile token from its pool of available FortiToken Mobile tokens. Select an Activation delivery method from Default, Email, and SMS.

          If provisioning is successful, FortiAuthenticator reports the result to the administrator and logs it as FortiToken Cloud provisioned with FortiToken Mobile. The user was notified by <email/SMS>.

          FortiAuthenticator informs the administrator of any provisioning error.

      3. Email, then enter the user’s email address in the User Information section.

        If provisioning is successful, FortiAuthenticator reports the result to the administrator and logs it as FortiToken Cloud provisioned with email OTP.

        FortiAuthenticator informs the administrator of any provisioning error.

      4. SMS, then enter the user’s mobile number in the User Information section.

        If provisioning is successful, FortiAuthenticator reports the result to the administrator and logs it as FortiToken Cloud provisioned with SMS OTP.

        FortiAuthenticator informs the administrator of any provisioning error.

  3. Click Save.

    Because a user's FortiToken Cloud token code delivery method can be changed at any time from the FortiToken Cloud portal, FortiAuthenticator does not store it in its configuration database. Instead, FortiAuthenticator queries the FortiToken Cloud API whenever an administrator asks to see the FortiToken Cloud token code delivery method.

    When editing a user account with FortiToken Cloud OTP enabled, FortiAuthenticator does not automatically show the token code delivery options. Select Show delivery options to see them in the same format as when first enabling FortiToken Cloud OTP.

    If the administrator changes the token code delivery option, FortiToken Cloud is updated with the new token code delivery method.

    By default, token code verification must be completed within 60 seconds after the token code is sent by email or SMS. To change this timeout, go to Authentication > User Account Policies > Tokens and modify the Email/SMS Token timeout field. For more information, see Lockouts.
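The email/SMS token lifecycle described in this procedure (a code that must be verified within the Email/SMS Token timeout, and a temporary token that is switched off again after the next successful FortiToken login) is easier to reason about as code. The following model is an added example, not FortiAuthenticator's implementation: the six-digit code format, the single-use rule on a failed attempt, the constant-time comparison and the in-memory store are choices of the example, and the injectable clock exists only so the timeout can be exercised offline.

```python
"""Model of the email/SMS one-time token lifecycle documented above.

Added illustrative example, not FortiAuthenticator code. Assumed details: 6-digit
codes, a code consumed by any verification attempt, and an in-memory store.
"""
import hmac
import secrets
import time

EMAIL_SMS_TOKEN_TIMEOUT = 60   # seconds; Authentication > User Account Policies > Tokens


class OtpService:
    def __init__(self, timeout=EMAIL_SMS_TOKEN_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock            # injectable so the timeout can be tested offline
        self.pending = {}             # username -> (code, issued_at)
        self.temporary_token = {}     # username -> True while the backup delivery is on

    def enable_temporary_token(self, user):
        """Administrator enables Temporary token for a FortiToken user who lost access."""
        self.temporary_token[user] = True

    def send_code(self, user):
        """Issue a fresh code for email/SMS delivery; any pending code is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.clock())
        return code   # a deployment hands this to the SMS gateway or mail host only

    def verify_code(self, user, submitted):
        """Accept a pending code once, and only within the timeout window."""
        entry = self.pending.pop(user, None)   # consumed by any attempt: no retries on one code
        if entry is None:
            return False
        code, issued = entry
        if self.clock() - issued > self.timeout:
            return False                       # expired: the user must request a resend
        return hmac.compare_digest(code, submitted)

    def deliver_by(self, user, has_fortitoken):
        """Which second factor the 2FA login prompts for."""
        if has_fortitoken and not self.temporary_token.get(user):
            return "fortitoken"
        return "email_or_sms"

    def fortitoken_login_succeeded(self, user):
        """A successful FTK/FTM login turns the temporary (backup) token off again."""
        self.temporary_token.pop(user, None)


if __name__ == "__main__":
    svc = OtpService()
    code = svc.send_code("rgreen")
    print("verified:", svc.verify_code("rgreen", code))    # True when within 60 s
    print("replayed:", svc.verify_code("rgreen", code))    # False: single use
```

Two properties worth carrying into any real deployment are visible here: a code that has expired is rejected regardless of its value, so lengthening the timeout widens the interception window, and a single failed attempt burns the code, which pairs with the lockout policy referenced above to limit guessing.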

Configuring a user as an administrator

For more information, see Administrators.

To set a user as an administrator:
  1. Edit a user and set Role to Administrator under the User Role section.
  2. Enable Full permission to give the administrator full administrative privileges, or enter Admin profiles to customize the administrator’s permissions.
  3. Optionally, enable Web service access to allow the administrator to access the web services via a REST API or FortiAuthenticator Agent for Microsoft Windows.
  4. Select Restrict admin login from trusted management subnets only, then enter the IP addresses and netmasks of trusted management subnets in the table, to restrict the subnets from which an administrator can log in.
  5. Select Sync in HA Load Balancing mode to allow the administrator to be synced from the primary standalone device to load balancers in an HA load balancing configuration.
  6. Select Save to save your changes.
    A dialog appears requesting the password for the currently logged in admin account. Enter your password and click Verify.

Adding user information

Some user information is required depending on how the user is configured. For example, if the user uses One-Time Password (OTP) authentication by SMS, a mobile number and an SMS gateway must be configured before the user can be enabled.

The following user information can be entered:

  • Display name
  • First name
  • Last name
  • Email
  • Phone number
  • Mobile number
  • SMS gateway: Select from the dropdown menu. Select Test SMS to send a test message.
  • Street address
  • City
  • State/Province
  • Postal Code
  • Country: Select from the dropdown menu.
  • Company
  • Department
  • Title
  • Birthdate: Select the calendar icon and then use the dropdowns to select a date.
  • Language: Select a specific language from the dropdown menu, or use the default language.
  • FortiToken Logo: Select a FortiToken Mobile logo from the dropdown menu. See FortiTokens.

When editing a local/remote user with the Provision mode set to Offline in Tokens, you are not required to add an Email.

Configuring password recovery options

To replace a lost or forgotten password, FortiAuthenticator can send the user a password recovery link by email, or let the user reset the password in the browser after answering a pre-arranged security question. The user must then set a new password.

To configure password recovery by email:
  1. Edit a user and ensure that the user has an email address entered. See Adding user information.
  2. Under Password Recovery Options section, enable Email recovery.
    If additional email addresses have been configured under Alternative Email Addresses, the recovery email is sent to all configured addresses. Every one of those mailboxes can therefore reset the password, so only addresses the user controls should be listed.
  3. Select Save to apply the changes.
To configure password recovery by security question:
  1. Edit a user and, under Password Recovery Options, enable Security question, and select Edit.
  2. Enter the administrator password and click Verify.
  3. Choose one of the questions from the dropdown menu, or select Write my own question and enter a question in the Custom question field.
  4. Enter the answer for the question in the Answer field.
  5. Select Save to create the security question.
  6. Select Save again to apply the changes to the user account.
How the user can configure password recovery by security question:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Security Question, and select Edit.
  4. Choose one of the questions in the list, or select Write my own question and enter a question in the Custom question field.
  5. Enter the answer for your question.
  6. Select Save.
How the user can configure password recovery by email:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Email recovery.
  4. Optionally, select Alternative email addresses and enter additional email addresses for this user.
  5. Select Save.
How the user recovers from a lost password:
  1. Browse to the IP address of the FortiAuthenticator. Security policies must be in place on the FortiGate unit to allow these sessions.
  2. At the login screen, select Forgot password?.
  3. Select to recover your password either by Username or Email.
  4. Enter either your username or email address, as selected in the previous step, and select Next. This information is used to select the user account; if it does not match a user account, password recovery cannot be completed.
  5. Do one of the following:
    • If an email address was entered, check your email, open the message, and select the password recovery link.
    • If a username was entered, answer the security question and select Next.
  6. On the Reset Password page, enter and confirm a new password and select Next.
  7. The user can now authenticate using the new password.

Active Directory users password reset

To allow Active Directory (AD) users to reset their password from the main login page, follow the same workflow for resetting a local user's password described above.

The Password Recovery Options setting is included in the remote LDAP users configuration page.

This feature is available for both self-service and guest portals.

Configuring certificate bindings

To use a local certificate as part of authenticating a user, you need to:

  • Create a user certificate for the user (see To create a new certificate).
  • Create a binding to that certificate in the user’s account.
To create a binding to a certificate in a user’s account:
  1. Edit a user and expand the Certificate Bindings section.
  2. Select Add Certificate Binding.
  3. Select either a local CA or a trusted CA from the Issuer dropdown.
  4. Enter the Common Name on the certificate. For example, if the certificate says CN=rgreen then enter rgreen.
  5. Select Save to add the new binding.

Because the binding names both the issuer and the Common Name, a certificate with the same CN issued by a different CA does not match it; choose the Issuer deliberately when more than one CA can issue user certificates.
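The check a binding implies is "this CN, issued by this CA". The following is an added example, not FortiAuthenticator code, of that lookup: it extracts the Common Name from an RFC 4514 subject string (honouring backslash-escaped commas, so a CN containing a comma is not split), compares the issuer as a whole, and refuses ambiguous or CN-less certificates. The DN string format, exact case-sensitive CN matching, and the (user, issuer, cn) binding tuples are assumptions of the example; the bindings and certificate names are constructed.

```python
"""Matching a presented client certificate against configured certificate bindings.

Added illustrative example, not FortiAuthenticator code. Assumed: DNs arrive as
RFC 4514 strings, bindings are (user, issuer_dn, cn) tuples, CN match is exact.
"""


def parse_dn(dn):
    """Split 'CN=rgreen,OU=Staff,O=Example' into [('CN','rgreen'), ...].

    A backslash escapes the next character, so CN=Green\, Rita keeps its comma.
    """
    attrs, key, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])           # escaped character, e.g. an embedded comma
            i += 2
            continue
        if ch == "=" and key is None:
            key = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            attrs.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if key is not None:
        attrs.append((key, "".join(buf).strip()))
    return attrs


def common_name(subject_dn):
    """The single CN of a subject, or None if it is missing or repeated."""
    cns = [v for k, v in parse_dn(subject_dn) if k == "CN"]
    return cns[0] if len(cns) == 1 else None


def bound_user(bindings, issuer_dn, subject_dn):
    """Return the username bound to (issuer, CN), or None when nothing matches exactly once."""
    cn = common_name(subject_dn)
    if cn is None:
        return None
    issuer = parse_dn(issuer_dn)                      # compare the whole issuer, not just its CN
    matches = [user for user, bound_issuer, bound_cn in bindings
               if parse_dn(bound_issuer) == issuer and bound_cn == cn]
    return matches[0] if len(matches) == 1 else None   # ambiguous bindings are refused


# Constructed sample bindings: two users certified by the same local CA.
BINDINGS = [
    ("rgreen", "CN=Example Corp Local CA,O=Example", "rgreen"),
    ("jdoe", "CN=Example Corp Local CA,O=Example", "jdoe"),
]

if __name__ == "__main__":
    print(bound_user(BINDINGS, "CN=Example Corp Local CA,O=Example", "CN=rgreen,OU=Staff,O=Example"))
    print(bound_user(BINDINGS, "CN=Some Other CA,O=Elsewhere", "CN=rgreen,O=Example"))  # None
```

The second call in the usage block is the case the Issuer dropdown exists for: a certificate carrying the right CN but signed by a CA that is not the bound issuer must not authenticate the user.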

Local user account password storage

FortiAuthenticator protects stored local user account passwords cryptographically:

  • Passwords of local user accounts with the sponsor or administrator role are always stored irreversibly (bcrypt hash).
  • Passwords of local user accounts with the user role are stored according to the Enhanced cryptography for storage of local user passwords option under Authentication > User Account Policies > General:
    • If enabled, irreversible cryptography (bcrypt hash) is used.
    • If disabled, reversible cryptography (AES256) is used. With reversible storage, anyone who obtains the database together with its key can recover the cleartext passwords, whereas a bcrypt hash only allows a candidate password to be verified. Reversible storage is only needed when an authentication protocol has to recover the cleartext password; otherwise, enable the option.

Local users

Local users

Local user accounts can be created, imported, exported, edited, and deleted as needed. Expired local user accounts can be purged manually or automatically (see User account policies).

To manage local user accounts, go to Authentication > User Management > Local Users.

The local user account list shows the following information:

Create New Select to create a new user.
Import

Select to import local user accounts from a CSV file or FortiGate configuration file.

If using a CSV file, it must have one record per line, with the following format:

username (30 characters max), display name (64 characters max), first name (30 characters max), last name (30 characters max), email (75 characters max), alternate emails (75 characters max; semicolon separated if multiple alternate emails), phone number (25 characters max), mobile number (25 characters max), street address, city, state/province, zip/postal code (16 characters max), country, company (64 characters max), department (64 characters max), title (64 characters max), birthdate, custom1, custom2, custom3, password (optional, 128 characters max), otp, otp-only, groups (semicolon separated if multiple groups).

If the optional password is left out of the import file, the user is emailed temporary login credentials and requested to configure a new password.

Note that even if an optional field is empty, it still must be defined with a comma.

Multiple groups can be separated by a semi-colon, e.g., g1;g2;g3.

Custom field must be predefined in User Account Policies. See Custom user fields.

A valid (configured) FortiToken serial number must be provided to disable password authentication and use FortiToken-based authentication only.

Click the Export option on the top to download a sample CSV file.

Fill in the file and use it to import users.

Import error handling: If any error is detected (e.g., duplicate user, invalid field, etc.), none of the local user accounts from the CSV file are created. For FortiAuthenticator to successfully add the imported local users from a CSV file to the specified groups:

  • All the specified local groups must already exist on the FortiAuthenticator.

  • If a line is missing the group field (e.g., CSV export from a previous FortiAuthenticator version), FortiAuthenticator assumes no group membership.

Use # at the start of a row if you want to comment out the row.

For example, in the sample CSV file that you can download by clicking Export on the top, the first row is commented out as it starts with #.

When importing local users from a CSV file, click + to expand Advanced options.

In Advanced options, you can select the action to take for existing accounts missing from the CSV file:

  • Keep user accounts

  • Disable user accounts

  • Delete user accounts

Export Select to export the user account list to a CSV file.

Delete

Select to delete the selected user account or accounts.

Edit Select to edit the selected user account.
Disabled Users
  • Re-enable: This allows the administrator to re-enable disabled accounts. Expired users accounts can only be re-enabled individually.

  • Purge Disabled: This offers the option to choose which type of disabled users to purge. All users matching the type(s) selection are deleted.

Search Enter a search term in the search field, then select Search to search the user account list.
User The user accounts’ usernames.
First name The user accounts’ first names, if included.
Last name The user accounts’ last names, if included.
Email address The user accounts’ email addresses, if included.
Admin If the user account is set as an administrator, a green circle with a check mark is shown.
Status If the user account is enabled, a green circle with a check mark is shown.
Token The token that is assigned to that user account. Select the token name to edit the FortiToken, see FortiToken device maintenance.
Token requested The status of the user's token request.
Groups The group or groups to which the user account belongs.
Authentication Methods The authentication method used for the user account.
Expiration The date and time that the user account expires, if an expiration date and time have been set for the account.

Adding a user

When creating a user account, there are three ways to handle the password:

  1. The administrator assigns a password immediately and communicates it to the user.
  2. FortiAuthenticator creates a random password and automatically emails it to the new user.
  3. No password is assigned because only One-Time Password (OTP) authentication will be used.
To add a new user:
  1. In the local users list, select Create New. The Create New Local User window opens.
  2. Enter the following information:
    UsernameEnter a username for the user.
    Password creation

    Select one of the options from the dropdown menu:

    • Specify a password: Manually enter a password in the Password field, then reenter the password in the Password confirmation field.
    • Set and email a random password: Enter an email address to which to send the password in the Email address field, then reenter the email address in the Confirm email address field.
    • No password, FortiToken authentication only: After you select OK, you will need to associate a FortiToken device with this user. See FortiToken physical device and FortiToken Mobile.
    Allow RADIUS authenticationFor a user to authenticate using RADIUS, this must be enabled.
    Force password change on next logonEnable or disable the option for users to change their local password on FortiAuthenticator at first logon. This feature prevents administrators from having to call or email the franchisee to deliver user credentials, which is not a secure method of delivery and adds additional time to the onboarding process.
    Role

    Select whether the new account is for an Administrator, Sponsor, or regular User. Administrators can either have full permissions or have specific administrator profiles applied. Regular users can have their account expiration settings configured.

    When creating a new administrator account, you are prompted to enter the password of the currently logged in administrator before changes can be saved.

    Enable account expirationSelect to enable user account expiration, either after a specific amount of time has elapsed, or on a specific date.
    Expire after

    Select when the account will expire:

    • Set length of time: Enter the number of hours, days, months, or years until the account expires.
    • Set an expire date: Enter the date on which the account will expire, either by manually typing it in, or by selecting the calendar icon and selecting a date.

    IAM

    Add this local user to an IAM account.

  3. Select Save to create the new user. You are redirected to the Change local user window to continue the user configuration in greater detail.
  4. If the password creation method was set to No password, FortiToken authentication only, you are required to associate a FortiToken with the user before the user can be enabled.

Editing a user

User accounts can be edited at any time. To edit a user, go to the user account list, select a user to edit, and select Edit from the toolbar. Conversely, select the username in the user list.

The following information can be viewed or configured:

Username The username cannot be changed.
Disabled Select to disable the user account.

Password authentication

Select to enable password authentication.

The user's password can be changed by selecting Change Password.

One-Time Password (OTP) authentication Select to enable FortiToken-based authentication. See Configuring One-Time Password (OTP) authentication.

FIDO authentication

Select to enable FIDO authentication. This is disabled by default for new user accounts.

Register FIDO key

Select to open the Add new Fido Key dialog, enter the FIDO key name, and click OK to register a FIDO key for the user.

Note: Use the Delete all FIDO keys button to delete all the registered FIDO keys.

Allow RADIUS authentication Select to allow RADIUS authentication. This applies only to regular users.
Enable account expiration Select to enable account expiration and specify the account's expiration. See Enable account expiration.

Force password change on next logon

Require the user to change their password on their next logon. Once changed, this setting will be automatically disabled again.

Sync in HA Load Balancing mode

Select to sync the administrator account from the primary standalone device to the load balancers in an HA load balancing configuration.

User Role Configure the user’s role.
Role

Select Administrator, Sponsor, or User.

If setting a user as an administrator, see Configuring a user as an administrator.

Allow LDAP browsing Select to allow LDAP browsing. This applies only to regular users.
Full permission Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.
Web service access

Enable to allow this administrator to access the web services either through a REST API or using a client application. This applies only to administrators.

After enabling Web service access and saving your changes, the User API Access Key window is displayed allowing you to view, copy, and/or email the API access key.

Restrict admin login from trusted management subnets only Enable and enter trusted IP addresses and netmasks for restricted administrator login access. This applies only to administrators.
User Information Enter user information, such as their address and phone number. See Adding user information.
Password Recovery Options Configure password recovery options for the user. See Configuring password recovery options.
Groups Assign the user to one or more groups. See Local users.
Usage Information

View the user's usage information, including bytes in/out, time used, and the option to reset the usage statistics.

When allocated usage is reached, the user account is locked and needs to be unlocked manually by an admin or via API. Upon unlock, usage data is reset.

Email Routing Enter a mail host and routing address into their respective fields to configure email routing for the user.

TACACS+

Add a TACACS+ authorization rule. See Assigning authorization rules.

Alternative email addresses

Add alternate email addresses for the user.

Note

In LDAP, alternative email addresses are defined by the rfc822MailMember attribute.

Certificate Bindings

Add, edit, or remove certificate bindings for the user account. See Configuring certificate bindings.
Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.

For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.

Devices Add devices, based on MAC address, for the user account.

RADIUS Attributes

Add RADIUS attributes. See RADIUS attributes.

For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.

Select Save when you have finished editing the user’s information and settings.

Configuring One-Time Password (OTP) authentication

One-Time Password (OTP) authentication requires a FortiToken device, a mobile device with the FortiToken Mobile app installed, or a device with email or SMS capability.

FortiToken and FortiToken Mobile tokens must first be registered under Authentication > User Management > FortiTokens. For more information, see FortiTokens.

To configure an account for One-Time Password (OTP) authentication:
  1. To view the One-Time Password (OTP) authentication options, edit a user and select One-Time Password (OTP) authentication.
  2. Specify the source of tokens, either FortiAuthenticator or FortiToken Cloud:
    1. When FortiAuthenticator is selected, select a token delivery method:
      1. FortiToken, then select the type of FortiToken used from the available options.
        1. Hardware, then select the FortiToken device serial number from the Token dropdown menu.
        2. Mobile, then select the FortiToken Mobile device serial number from Token dropdown menu, and select an Activation delivery method from Email, SMS, or Scan QR code.

          When editing a local/remote user with the Provision mode set to Offline in Tokens:

          • The edit user page offers only the Scan QR code Activation delivery method for FortiToken Mobile (no Email or SMS options) under Deliver token code by.

          The device must be known to FortiAuthenticator. See FortiToken physical device and FortiToken Mobile.

          Optionally, select Temporary token to receive a temporary token code via email or SMS.

          The Temporary token option is meant as a backup token delivery method when FortiToken Hardware/Mobile are the primary delivery methods.

          When emergency codes are enabled in Tokens, you can view emergency codes from within the user account by clicking Display Emergency Code if FortiToken is provisioned for the account.

          If the Temporary token is enabled with Email or SMS, the user configured for 2FA receives an OTP via email or SMS when attempting a 2FA login. This helps the user access the network with a temporary OTP in case they do not have access to their phone or a hardware token.

          Temporary token based authentication is automatically disabled the next time the end user logs in successfully using their FortiToken (FTK) or FortiToken Mobile (FTM).

      2. Email, then enter the user’s email address in the User Information section.
      3. SMS, then enter the user’s mobile number in the User Information section.
      4. Dual (Email & SMS), then enter the user's email address and mobile number in the User Information section.
      5. Select Test Token to validate the token passcode. The Test Email Token or Test SMS Token window opens (depending on your selection).
        • For email and SMS tokens, confirm that the contact information is correct, select Next, then enter the token code received via email or SMS.
        • Select Back to return to edit the contact information, select Verify to verify the token passcode, or select Resend Code if a new code is required.
        • For FortiToken, enter the token code in the Token code field, then select Verify to verify the token passcode.
    2. When FortiToken Cloud is selected, select a token delivery method:
      1. Default, the user is assigned the default token code delivery option configured on the FortiToken Cloud side.

        If the default is FortiToken Mobile, the activation code delivery method is also the default configured on the FortiToken Cloud side.

        If the default provisioning is successful, FortiAuthenticator notifies the administrator of the result and logs one of the following:

        • FortiToken Cloud provisioned with FortiToken Hardware <serial number>.

        • FortiToken Cloud provisioned with FortiToken Mobile. The user was notified by <email/SMS>.

        • FortiToken Cloud provisioned with email OTP.

        • FortiToken Cloud provisioned with SMS OTP.

        FortiAuthenticator informs the administrator if a required user account field is missing, e.g., the email address.

      2. FortiToken, then select the type of FortiToken used from the available options.
        1. Hardware, then FortiToken Cloud randomly assigns an FTK from its pool of available FTKs.

          If the provisioning is successful, FortiAuthenticator notifies the administrator of the result and logs it as FortiToken Cloud provisioned with FortiToken Hardware <serial number>.

          FortiAuthenticator informs the administrator in case of a provisioning error.

        2. Mobile, then FortiToken Cloud randomly assigns a FortiToken Mobile token from its pool of available FortiToken Mobile tokens. Select an Activation delivery method from Default, Email, and SMS.

          If the provisioning is successful, FortiAuthenticator notifies the administrator of the result and logs it as FortiToken Cloud provisioned with FortiToken Mobile. The user was notified by <email/SMS>.

          FortiAuthenticator informs the administrator in case of a provisioning error.

      3. Email, then enter the user’s email address in the User Information section.

        If the provisioning is successful, FortiAuthenticator notifies the administrator of the result and logs it as FortiToken Cloud provisioned with email OTP.

        FortiAuthenticator informs the administrator in case of a provisioning error.

      4. SMS, then enter the user’s mobile number in the User Information section.

        If the provisioning is successful, FortiAuthenticator notifies the administrator of the result and logs it as FortiToken Cloud provisioned with SMS OTP.

        FortiAuthenticator informs the administrator in case of a provisioning error.

  3. Click Save.

    Since a user's FortiToken Cloud token code delivery method can be changed at any point from the FortiToken Cloud portal, FortiAuthenticator does not save the FortiToken Cloud token code delivery method in its config database. Instead, FortiAuthenticator queries FortiToken Cloud API whenever the FortiAuthenticator administrator requests to see the FortiToken Cloud token code delivery method.

    When editing a user account with FortiToken Cloud OTP enabled, FortiAuthenticator does not automatically show token code delivery options. Select Show delivery options to see the token delivery options in the same format as when first enabling FortiToken Cloud OTP.

    If the administrator changes the token code delivery option, FortiToken Cloud is updated with the new token code delivery method.

    By default, token code verification must be completed within 60 seconds after the token code is sent by email or SMS. To change this timeout, go to Authentication > User Account Policies > Tokens and modify the Email/SMS Token timeout field. For more information, see Lockouts.
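The server-side logic behind a delivered (email or SMS) code is worth seeing as code: the code is bound to one user, valid only within the timeout window, usable once, compared in constant time, and discarded after a few wrong guesses. The following is an added example and is not FortiAuthenticator code; the class name, the injectable clock, and the three-guess limit are this example's own choices, while the 60 second default mirrors the Email/SMS Token timeout described above.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Verification window for a code delivered by email or SMS. The 60 second
# default mirrors the Email/SMS Token timeout described above; the name and
# the guess limit below are this example's own parameters.
DEFAULT_TIMEOUT_SECONDS = 60
DEFAULT_MAX_ATTEMPTS = 3
CODE_DIGITS = 6


@dataclass
class IssuedCode:
    code: str           # the one-time code handed to the email/SMS gateway
    issued_at: float    # when it was sent, in seconds (same clock as verify())
    attempts: int = 0   # wrong guesses seen so far


class DeliveredOtpStore:
    """Hypothetical server-side state for email/SMS one-time codes.

    One pending code per user; a code is valid for `timeout_seconds` after it
    was sent, can be used once, and is discarded after too many wrong guesses.
    """

    def __init__(self, timeout_seconds: int = DEFAULT_TIMEOUT_SECONDS,
                 max_attempts: int = DEFAULT_MAX_ATTEMPTS,
                 clock: Callable[[], float] = time.time):
        self.timeout = timeout_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so the window can be tested
        self._pending: Dict[str, IssuedCode] = {}

    def issue(self, username: str) -> str:
        """Generate a fresh code for the user, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = IssuedCode(code=code, issued_at=self.clock())
        return code   # returned only so the caller can deliver it; never log it

    def verify(self, username: str, supplied: str) -> bool:
        """Accept the code once, within the window; otherwise reject."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing pending, or already used
        if self.clock() - entry.issued_at > self.timeout:
            del self._pending[username]       # expired: user must request a resend
            return False
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(entry.code.encode(), supplied.strip().encode()):
            del self._pending[username]       # single use
            return True
        entry.attempts += 1
        if entry.attempts >= self.max_attempts:
            del self._pending[username]       # too many guesses: discard the code
        return False


if __name__ == "__main__":
    store = DeliveredOtpStore()
    sent = store.issue("alice")               # would go to the SMS/email gateway
    print("accepted:", store.verify("alice", sent))
    print("replay accepted:", store.verify("alice", sent))
```

Resending a code replaces the pending one, so an old code received late cannot be used after the new one was sent; the expiry check runs before the comparison, so an expired code is never compared at all.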

Configuring a user as an administrator

For more information, see Administrators.

To set a user as an administrator:
  1. Edit a user and set Role to Administrator under the User Role section.
  2. Enable Full permission to give the administrator full administrative privileges, or enter Admin profiles to customize the administrator’s permissions.
  3. Optionally, enable Web service access to allow the administrator to access the web services via a REST API or FortiAuthenticator Agent for Microsoft Windows.
  4. Select Restrict admin login from trusted management subnets only, then enter the IP addresses and netmasks of trusted management subnets in the table, to restrict the subnets from which an administrator can log in.
  5. Select Sync in HA Load Balancing mode to allow the administrator to be synced from the primary standalone device to load balancers in an HA load balancing configuration.
  6. Select Save to save your changes.
    A dialog appears requesting the password for the currently logged in admin account. Enter your password and click Verify.
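The trusted management subnet restriction in step 4 is a source-address allow list. The following is an added example, not FortiAuthenticator code, of how such a check is evaluated: it accepts the address forms an administrator is likely to enter (prefix length, dotted netmask, or a bare host address), maps IPv4-mapped IPv6 sources back to IPv4, and fails closed on anything it cannot parse. Treating an empty table as "deny all" is this example's choice, not documented appliance behaviour.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted_subnets(entries: Iterable[str]) -> List[Network]:
    """Parse the trusted-subnet table into network objects.

    Accepts 'address/prefix' (10.0.0.0/24), 'address/netmask'
    (10.0.0.0/255.255.255.0) and bare addresses (a single host). Entries
    with host bits set are normalised to their network address. Blank rows
    are skipped; a malformed row raises ValueError so it is caught at
    configuration time rather than silently widening or narrowing access.
    """
    nets: List[Network] = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def admin_login_allowed(source_ip: str, trusted: List[Network]) -> bool:
    """Return True only if the source address lies within a trusted subnet.

    Fails closed: an unparsable address, or an empty table, denies the login
    (the empty-table behaviour is this example's choice).
    """
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d;
    # compare it against the IPv4 table entries as the IPv4 address it is.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in trusted)


if __name__ == "__main__":
    # Constructed sample table; the addresses are documentation ranges.
    table = parse_trusted_subnets(["10.0.0.0/255.255.255.0", "203.0.113.7", "2001:db8::/32"])
    for src in ("10.0.0.42", "10.0.1.1", "::ffff:10.0.0.9", "2001:db8::1"):
        print(src, "->", "allow" if admin_login_allowed(src, table) else "deny")
```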

Adding user information

Some user information can be required depending on how the user is configured. For example, if the user is using One-Time Password (OTP) authentication by SMS, a mobile number and SMS gateway must be configured before the user can be enabled.

The following user information can be entered:

Display name
First name
Last name
Email
Phone number
Mobile number
SMS gateway: Select from the dropdown menu. Select Test SMS to send a test message.
Street address
City
State/Province
Postal Code
Country: Select from the dropdown menu.
Company
Department
Title
Birthdate: Select the calendar icon and then use the dropdowns to select a date.
Language: Select a specific language from the dropdown menu, or use the default language.
FortiToken Logo: Select a FortiToken Mobile logo from the dropdown menu. See FortiTokens.

When editing a local/remote user with the Provision mode set to Offline in Tokens, you are not required to add an Email.

Configuring password recovery options

To replace a lost or forgotten password, FortiAuthenticator can send the user a password recovery link by email or in a browser in response to a pre-arranged security question. The user must then set a new password.

To configure password recovery by email:
  1. Edit a user and ensure that the user has an email address entered. See Adding user information.
  2. Under Password Recovery Options section, enable Email recovery.
    In the event that additional email addresses have been configured under Alternative Email Addresses, an email is sent to all configured email addresses.
  3. Select Save to apply the changes.
To configure password recovery by security question:
  1. Edit a user and, under Password Recovery Options, enable Security question, and select Edit.
  2. Enter the administrator password and click Verify.
  3. Choose one of the questions from the dropdown menu, or select Write my own question and enter a question in the Custom question field.
  4. Enter the answer for the question in the Answer field.
  5. Select Save to create the security question.
  6. Select Save again to apply the changes to the user account.
How the user can configure password recovery by security question:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Security Question, and select Edit.
  4. Choose one of the questions in the list, or select Write my own question and enter a question in the Custom question field.
  5. Enter the answer for your question.
  6. Select Save.
How the user can configure password recovery by email:
  1. Log in to the user account.
  2. Select Edit Profile at the top left of the page.
  3. Under Password Recovery Options, select Email recovery.
  4. Optionally, select Alternative email addresses and enter additional email addresses for this user.
  5. Select Save.
How the user recovers from a lost password:
  1. Browse to the IP address of the FortiAuthenticator.
    Security policies must be in place on the FortiGate unit to establish these sessions.
  2. At the login screen, select Forgot password?.
  3. Select to recover your password either by Username or Email.
  4. Enter either your username or email address as selected in the previous step, and select Next.
    This information is used to select the user account. If your information does not match a user account, password recovery cannot be completed.
  5. Do one of the following:
    • If an email address was entered, check your email, open the email and select the password recovery link.
    • If a username was entered, answer the security question and select Next.
  6. On the Reset Password page, enter and confirm a new password and select Next.
    The user can now authenticate using the new password.

Active Directory users password reset

To allow Active Directory (AD) users to reset their password from the main login page, follow the same workflow for resetting a local user's password described above.

The Password Recovery Options setting is included in the remote LDAP users configuration page.

This feature is available for both self-service and guest portals.

Configuring certificate bindings

To use a local certificate as part of authenticating a user, you need to:

  • Create a user certificate for the user (see To create a new certificate for more information).
  • Create a binding to that certificate in the user’s account.
To create a binding to a certificate in a user’s account:
  1. Edit a user and expand the Certificate Bindings section.
  2. Select Add Certificate Binding.
  3. Select either a local CA or a trusted CA from the Issuer dropdown.
  4. Enter the Common Name on the certificate. For example, if the certificate says CN=rgreen then enter rgreen.
  5. Select Save to add the new binding.
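A binding pairs an issuer with a subject common name, so matching a presented certificate means parsing its issuer and subject DNs and comparing them to the binding. The following is an added example, not FortiAuthenticator code, showing that comparison: `parse_dn` handles the RFC 4514 string form with backslash escapes and repeated attribute types, `common_name` refuses to match a subject with zero or multiple CNs, and `binding_matches` requires the issuer to match attribute by attribute and the CN to match exactly. Representing the bound issuer as a DN string (rather than the CA selected from the Issuer dropdown) and treating the CN comparison as case-sensitive are this example's assumptions.

```python
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514 string DN such as 'CN=rgreen,OU=Sales,O=Example'
    into {attribute type: [values]}.

    Honours backslash escapes (CN=Green\\, Robert), keeps repeated attribute
    types (two OU= components) as separate values in order, and upper-cases
    the type so 'cn' and 'CN' compare equal. Multi-valued RDNs joined with
    '+' are not split; they are rare in user certificates.
    """
    attrs: Dict[str, List[str]] = {}
    buf: List[str] = []
    key = ""
    in_value = False
    escaping = False
    for ch in dn:
        if escaping:                       # character after a backslash is literal
            buf.append(ch)
            escaping = False
        elif ch == "\\":
            escaping = True
        elif ch == "=" and not in_value:   # end of the attribute type
            key = "".join(buf).strip().upper()
            buf = []
            in_value = True
        elif ch == "," and in_value:       # unescaped comma ends the value
            attrs.setdefault(key, []).append("".join(buf).strip())
            buf = []
            in_value = False
        else:
            buf.append(ch)
    if in_value:                           # flush the final component
        attrs.setdefault(key, []).append("".join(buf).strip())
    return attrs


def common_name(dn: str) -> Optional[str]:
    """Return the single CN of a DN, or None if it has no CN or more than one."""
    values = parse_dn(dn).get("CN", [])
    return values[0] if len(values) == 1 else None


def binding_matches(bound_issuer: str, bound_cn: str,
                    cert_issuer_dn: str, cert_subject_dn: str) -> bool:
    """Check a presented certificate against one binding.

    The certificate's issuer must equal the bound CA (compared attribute by
    attribute, so component order in the string form does not matter) and
    the subject CN must equal the bound common name exactly, as entered in
    step 4 (CN=rgreen on the certificate, rgreen in the binding).
    """
    if parse_dn(cert_issuer_dn) != parse_dn(bound_issuer):
        return False
    return common_name(cert_subject_dn) == bound_cn


if __name__ == "__main__":
    # Constructed sample values; 'Example Local CA' is a placeholder CA name.
    ca = "CN=Example Local CA,O=Example Corp"
    print(binding_matches(ca, "rgreen", ca, "CN=rgreen,OU=Sales,O=Example Corp"))
    print(binding_matches(ca, "rgreen", ca, "CN=rbrown,OU=Sales,O=Example Corp"))
```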

Local user account password storage

FortiAuthenticator protects local user account passwords in its storage using cryptography:

  • Password storage for local user accounts with the "sponsor" or "administrator" role always uses irreversible cryptography (i.e. bcrypt hash).
  • Password storage for local user accounts with the "user" role depends on the Enhanced cryptography for storage of local user passwords option under Authentication > User Account Policies > General:
    • If enabled, irreversible cryptography (i.e. bcrypt hash) is used.
    • If disabled, reversible cryptography (i.e. AES256) is used.
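The difference between the two storage modes is whether the stored record can ever yield the password again. The following is an added example, not FortiAuthenticator code, of the irreversible form: a salted, slow key derivation is stored, and a login is checked by re-deriving from the candidate password and comparing in constant time. Because the Python standard library has no bcrypt, the example uses PBKDF2-HMAC-SHA256 in its place (a swapped-in technique with the same property); the record format and iteration count are this example's own choices, with the count taken from the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (OWASP Password Storage Cheat Sheet).
# bcrypt expresses the same idea through its cost parameter.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"   # record tag; this example's own format


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive an irreversible, salted verifier for storage.

    Nothing in the returned string allows the password to be recovered; a
    fresh random salt means two accounts with the same password get different
    records, and the iteration count makes offline guessing slow. The salt
    parameter exists only so tests can make the output deterministic.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the verifier from the candidate and compare in constant time.

    Any malformed record is treated as a failed login rather than an error,
    so a corrupted database row cannot turn into a bypass.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)                                              # safe to store; reveals nothing
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

With reversible storage (the AES256 mode for the user role) the same verification could be done, but anyone holding both the database and the key could also decrypt every password; with the irreversible form there is nothing to decrypt, which is why the sponsor and administrator roles never use the reversible mode.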