Administration Guide

Configure authentication credentials

Authentication Credentials for Standard Users are configured in the Portal Configuration Content Editor tab under Global > Settings > Standard User Authentication Type. If Portal Version 1 is enabled, Authentication Credentials are configured on the Version 1 Settings tab. These options control how the system validates user credentials for the following login categories:

  • Standard Users—Users that are assigned their own user names and passwords for logging onto the network on a regular basis. These users might include employees, students, and administrators.
  • Common Account—Generic account that does not require guests to enter a user name and password, if enabled. Available for Portal Version 1 Only.

    The Common Account option is only available for appliances with firmware images 2.2.0.x through 2.3.2.x.

    The Version 1 Settings tab is only available if the Use Portal Version 1 option is enabled on the General tab of the Portal Configuration window.

Authenticate standard users

Valid users are allowed to access certain network areas on a regular basis. Authentication type is set differently depending on the configuration of your portal pages. Typically, authentication type is set through the Content Editor under Global > Settings > Standard User Authentication Type. If you have enabled the Use Portal Version 1 option on the Portal Page Configuration window, authentication is set on the Version 1 Settings tab of that window.

If you are using the Persistent Agent to scan hosts against security policies, the authentication method selected for the Persistent Agent must match the authentication method selected here. See Credential configuration.

Authentication types include:

  • Local — Validates the user to a database on the local FortiNAC. Use this option if you plan to enter a list of registered users.
  • Local/Device — Validates the user, but registers the host as a device with no owner.
  • LDAP — Validates the user to a directory database. FortiNAC uses the LDAP protocol to communicate to an organization’s directory.
  • LDAP/Device — Validates the user to a directory database, but registers the host as a device with no owner.
  • RADIUS — Validates the user to a RADIUS server. PAP encryption must be set up on the RADIUS server for encryption/decryption of user names and passwords that are sent to and from FortiNAC, such as the user name and password for the Validation Account used for communication between FortiNAC and the RADIUS server.
  • RADIUS/LDAP — Validates the user to a RADIUS server, but registers the user based on data contained in an LDAP server. If the user is successfully authenticated by the RADIUS server but does not exist in the LDAP database, FortiNAC will still create the user record in its own database.
  • RADIUS/Device — Validates the user to a RADIUS server, but registers the host as a device with no owner.
  • HTTP User — Delegates user validation to HTTP Authentication. Registers to a user in the local FortiNAC database, creating that user if necessary.
  • HTTP User/LDAP — Delegates the user validation to HTTP Authentication, but registers the user based on data contained in an LDAP server. If the user is successfully authenticated but does not exist in the LDAP database, FortiNAC will still create the user record in its own database.
  • HTTP User/Device — Delegates user validation to HTTP Authentication, but registers the host as a device with no owner.
  • Google — Requires Agent 3.3 and above. Enables the user to log in with a Google account.
  • Google/Device — Requires Agent 3.3 and above. Enables the user to log in with a Google account, but registers the host as a device with no owner.
  • None/Device — Requires Agent 3.3 and above. Allows the user to register without a user name and password. Registers the host as a device with no owner.
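
The RADIUS entry above relies on PAP, whose password protection is the User-Password hiding defined in RFC 2865, section 5.2. The following is an added example, not FortiNAC code, showing that this protection depends entirely on the RADIUS shared secret; the function names and all sample values are constructed for illustration.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block  # chaining: next block is keyed by this ciphertext block
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as performed by the RADIUS server holding the secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values; a real Request Authenticator is random per request.
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)
    wire = hide_password(b"validation-account-pw", secret, ra)
    print("on the wire:", wire.hex())
    print("server view:", recover_password(wire, secret, ra))
    print("wrong secret:", recover_password(wire, b"guess", ra))
```

RFC 2865 applies this hiding to the User-Password attribute only, so the strength of the shared secret configured for each RADIUS client is what protects the password in transit.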

Assign an authentication type

  1. Select System > Portal Configuration.
  2. If Use Portal Version 1 is not enabled, click on the Content Editor tab.
  3. If you have created more than one portal, select the portal to be edited from the drop-down list at the bottom of the view.
  4. Click the Global option in the tree on the left to expand it. Under Global, select Settings. In the pane on the right locate the Standard User Authentication field and select Local, LDAP, RADIUS, RADIUS/LDAP, HTTP User or HTTP User/LDAP from the drop-down menu.
  5. In the tree on the left select Registration > Login Menu. Make sure that Standard User Login is enabled.
  6. Click Apply.