User Guide

21.4.0
System login

When a user attempts to log in to the system, the local user database is consulted.
If a corresponding account is found, the authentication method of that account is used to check the password.

For locally authenticated accounts, the password is checked against the local user database.
If the password is correct, the user is logged in.

If RADIUS is enabled, a RADIUS Access-Request is sent.
If the RADIUS server responds with an Access-Accept message, the user is logged in to the system.

If the RADIUS client in the NCM is not enabled, authentication for this user fails.

Access accounting

After a successful login, an accounting record is always created in the local database.
Even RADIUS-based logins are accounted in the local database.

If RADIUS is enabled, a RADIUS Accounting-Request is also sent. A failure of RADIUS accounting is not treated as an error.
This means a user is allowed to log in even if RADIUS accounting fails.

This is done because even logins that use the local database are accounted against RADIUS (if RADIUS is enabled).
If the NCM refused logins after a RADIUS accounting failure, system access would not be possible during a RADIUS outage.

An accounting record is always created in the local database, so this mechanism does not compromise the auditability of system access.
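
The login and accounting rules above, modelled as an added Python example (not Fortinet's code), with a helper that lists logins the RADIUS accounting server never saw. The `Radius` stub, the `radius_acct` field on the local record, and the denial of unknown users and of RADIUS logins when the server does not answer are assumptions of this example.

```python
import hmac
from dataclasses import dataclass, field

class RadiusDown(Exception):
    """Stand-in for a RADIUS timeout (constructed for this example)."""

@dataclass
class Radius:                      # hypothetical RADIUS client stub
    enabled: bool = True
    reachable: bool = True
    users: dict = field(default_factory=dict)

    def access_request(self, user, pw):
        if not self.reachable:
            raise RadiusDown
        return self.users.get(user) == pw      # True models Access-Accept

    def accounting_request(self, user):
        if not self.reachable:
            raise RadiusDown

def login(accounts, radius, local_log, user, pw):
    """accounts maps name -> (method, password); plaintext only for brevity."""
    if user not in accounts:
        return False                           # assumption: unknown user denied
    method, stored = accounts[user]
    if method == "local":
        ok = hmac.compare_digest(stored, pw)
    elif not radius.enabled:
        ok = False                             # RADIUS client disabled: fails
    else:
        try:
            ok = radius.access_request(user, pw)
        except RadiusDown:
            ok = False                         # assumption: no Accept, no login
    if not ok:
        return False
    record = {"user": user, "method": method, "radius_acct": "not sent"}
    if radius.enabled:                         # local logins are accounted too
        try:
            radius.accounting_request(user)
            record["radius_acct"] = "ok"
        except RadiusDown:
            record["radius_acct"] = "failed"   # not an error: login proceeds
    local_log.append(record)                   # local record is always written
    return True

def missing_from_radius(local_log):
    """Logins the RADIUS accounting server never saw."""
    return [r for r in local_log if r["radius_acct"] == "failed"]
```

After a RADIUS outage, the entries returned by `missing_from_radius` are the sessions that exist only in the local accounting database, so a central review built solely on RADIUS accounting would not include them.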
