
User Guide

Account Groups


Account groups are used to group user and device accounts and are assigned at the point of account creation. If no additional account groups are created, user and device accounts are assigned to the default account group. An Authorization Profile is assigned via the Authorization Policy, which may reference an account group as part of its mapping criteria. You can Clone an account group to reuse its configuration.

  1. Navigate to Network Access Policies > Account Groups and click New.
  2. Enter a Name and Description for the account group and configure the following options.
  3. Configure the following Authentication Settings for member accounts.
  • Maximum concurrent connections - Specify the maximum number of concurrent connections allowed for each member account. A value of 0 implies an unlimited number of concurrent connections.
    Note: FortiGuest enforces this restriction only if RADIUS Accounting is enabled with interim updates on the NAS server, and the Accounting-interim-update attribute is added in the RADIUS client.
  • Maximum failed authentications - Specify the maximum number of failed authentication attempts allowed for each member account. A value of 0 implies an unlimited number of failed authentication attempts.
  • Allow password change - Select to allow member accounts to modify the configured passwords.
  • Require password change - Select to mandate password changes for member accounts.
    Note: Password change is not applicable on external user accounts. The account passwords should be reset on the respective database.
  • Enable user account lockout policy - Configure an account lockout period in case an existing user enters an incorrect password. The user can log in again after the lockout period is over.
  • Lockout Period - The valid range for the lockout period is 120 - 86400 seconds; the default is 120 seconds.
    When an account is locked, its status appears as Locked out in the Manage Accounts session.
  • Maximum number of different devices a user can register - Specify the maximum number of different devices a user can register for guest portal access. A value of 0 implies an unlimited number of device registrations.
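
One way to review account group settings against the rules and notes above, as an added example that is not Fortinet code. The dictionary keys and the sample groups are hypothetical and constructed for illustration, since this guide does not describe an export format.

```python
# Added example. Key names are hypothetical; FortiGuest's own field names may differ.
LOCKOUT_MIN, LOCKOUT_MAX = 120, 86400  # valid lockout period in seconds, per the guide

def audit_account_group(g):
    """Return (setting, finding) tuples for one account group settings dict."""
    findings = []
    if g.get("max_failed_auth", 0) == 0:
        findings.append(("max_failed_auth", "0 allows unlimited failed authentications"))
    if not g.get("lockout_enabled", False):
        findings.append(("lockout_enabled", "no lockout after an incorrect password"))
    else:
        period = g.get("lockout_period", LOCKOUT_MIN)  # guide default is 120 s
        if not LOCKOUT_MIN <= period <= LOCKOUT_MAX:
            findings.append(("lockout_period",
                             f"{period}s is outside {LOCKOUT_MIN}-{LOCKOUT_MAX}s"))
    if g.get("max_concurrent", 0) == 0:
        findings.append(("max_concurrent", "0 allows unlimited concurrent connections"))
    elif not (g.get("nas_accounting_interim") and g.get("client_interim_attribute")):
        # The limit is enforced only with RADIUS accounting interim updates on the
        # NAS and the interim-update attribute on the RADIUS client.
        findings.append(("max_concurrent", "limit configured but not enforced"))
    if g.get("max_devices", 0) == 0:
        findings.append(("max_devices", "0 allows unlimited device registrations"))
    if g.get("require_password_change") and g.get("external_accounts"):
        findings.append(("require_password_change",
                         "not applicable to external user accounts"))
    return findings

# Constructed sample data, not taken from a real deployment.
SAMPLE_GROUPS = {
    "guests-open": {"max_failed_auth": 0, "lockout_enabled": False,
                    "max_concurrent": 2, "nas_accounting_interim": False,
                    "client_interim_attribute": False, "max_devices": 0},
    "staff-hardened": {"max_failed_auth": 5, "lockout_enabled": True,
                       "lockout_period": 900, "max_concurrent": 2,
                       "nas_accounting_interim": True,
                       "client_interim_attribute": True, "max_devices": 3},
    "contractors": {"max_failed_auth": 5, "lockout_enabled": True,
                    "lockout_period": 60, "max_concurrent": 1,
                    "nas_accounting_interim": True, "client_interim_attribute": True,
                    "max_devices": 2, "require_password_change": True,
                    "external_accounts": True},
}

if __name__ == "__main__":
    for name, settings in SAMPLE_GROUPS.items():
        for setting, finding in audit_account_group(settings):
            print(f"{name}: {setting}: {finding}")
```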