FortiAuthenticator 4.0 Authentication

User account policies

General policies for user accounts include lockout settings, password policies, and custom user fields.


To configure general account policy settings, go to Authentication > UserAccount Policies > General.

Configure the following settings:


account policies

Valid window Time-based: Configure the length of time, plus or minus the current time, that a FortiToken code is deemed valid, from 1 to 60 minutes (default = 1 minute).

Event-based: Configure the count, or number of times, that the FortiToken passcode is deemed valid, from 3 to 100 counts (default = 3 counts).

Sync window Time-based: Configure the period of time in which the entry of an invalid token can trigger a synchronization, from 5 to 480 minutes (default = 60 minutes).

Event-based: Configure the count, or number of times, that the entry of an invalid token can trigger a synchronization, from 5 to 100 counts (default = 100 counts).

If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.

E-mail/SMS token timeout Set a time after which a token code sent via email or SMS will be marked as expired, from 10 to 3600 seconds.
Expire device login after Set a time after which a machine authenticated device will be automatically expired, from 5 to 1440 minutes (default = 480 minutes).
Automatically purge expired user accounts Select to automatically purge expired user accounts. Select the frequency of the purge in the Frequency field: Daily, Weekly, or Monthly. Enter the time of the purge in the Time field, select Now to set the time to the current time, or select the clock icon to choose a time: Now, Midnight, 6 a.m., or Noon.

Set the reason for purging disabled users: Manually disabled, Login inactivity, or Account expired.

Restrict web service access to a specific interface Select to restrict web service access to a specific port, then select the port from the Web service interface drop-down list.
Discard stale RADIUS authentication requests Select to set a time after which RADIUS authentication requests are discarded (default = 5 seconds).


For various security reasons, you may want to lock a user’s account. For example, repeated unsuccessful attempts to log in might indicate an attempt at unauthorized access.

Information on locked out users can be viewed in the Top UserLockouts widget, see Top User Lockouts widget on page 30.

Currently locked out users can be viewed in Monitor> Authentication > Inactive Users, see Inactive users on page 131.

User account policies

To configure the user lockout policy:

  1. Go to Authentication > UserAccount Policies > Lockouts.
  2. Configure the following settings, then select OK to apply any changes:
Enable         user       account

lockout policy

Enable user account lockout for failed login attempts and enter the maximum number of allowed failed attempts in the Max. failed login attempts field.
Specify lockout period Select to specify the length of the lockout period, from 60 to 86400

seconds. After the lockout period expires, the Max. failed login attempts number applies again.

When disabled, locked out users will be permanently disabled until an administrator manually re-enables them.

Enable          inactive       user


Select to enable disabling a user account if there is no login activity for a given number of days. In the Lock out inactive users after field, enter the number of days, from 1 to 1825, after which a user is locked out.


You can enforce a minimum length and complexity for user passwords, and can force users to change their passwords periodically.

For information on setting a user’s password, and password recovery options, see Editing a user on page 60.

Go to Authentication > UserAccount Policies > Passwords to configure password policy settings.

To set password complexity requirements:

  1. In UserPassword Complexity, enter the minimum password length in the Minimum length

The default minimum length is 0, which means that there is no minimum length but the password cannot be empty.

  1. Optionally, select Check forpassword complexity. and then configure the following password requirements as needed:

l Minimum upper-case letters l Minimum lower-case letters l Minimum numeric characters l Minimum non-alphanumeric characters

  1. Select OK to apply the password length and complexity settings.

To set a password change policy:

  1. In UserPassword Change Policy, optionally select Enable password expiry, then set the maximum allowed password age in the Maximum password age

The default maximum password age is 90 days. The minimum value allowed is 14 days.

  1. Optionally, select Enforce password history to prevent users from creating a new password that is the same as their current password or recently used passwords.

Then, enter the number of password to remember in the Numberof passwords to remember field. New passwords must not match any of the remembered passwords. For example, if three passwords are remembered, users cannot reuse any of their three previous passwords.

  1. Optionally, select Enable random password expiry to force randomly generated passwords to expire. Then, enter the length of time after which a randomly generated password will expire in the Random passwords expire after

The default randomly generated password expiry age is 72 hours. The value can be set from 1 to 168 hours.

  1. Select OK to apply the password change policy settings.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos