FortiAuthenticator 4.0 Authentication

Custom user fields

Custom fields can be created to be included in the user information of local users. See Local users on page 58 for information about creating and managing local users.

To edit custom fields, go to Authentication > UserAccount Policies > Custom UserFields. A maximum of three custom fields can be added.

User management

FortiAuthenticator’s user database has the benefit of being able to associate extensive information with each user, as you would expect of RADIUS and LDAP servers. This information includes whether the user is an administrator, uses RADIUS authentication, or uses two-factor authentication, and includes personal information such as full name, address, password recovery options, and the groups that the user belongs to.

The RADIUS server on the FortiAuthenticator unit is configured using default settings. For a user to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected for that user’s entry, and the FortiGate unit must be added to the authentication client list. See RADIUS service on page 91.

This section includes the following subsections:

  • Administrators l Local users


  • Remote users l Remote user sync rules l User groups l Organizations l FortiTokens l MAC devices l RADIUS attributes


Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators. Both local users and remote LDAP users can be administrators.

Once flagged as an administrator, a user account’s administrator privileges can be set to either full access or customized to select their administrator rights for different parts of the FortiAuthenticator unit.

The subnets from which administrators are able to log in can be restricted by entering the IP addresses and netmasks of trusted management subnets.

There are log events for administrator configuration activities. Administrators can also be configured to authenticate to the local system using two-factor authentication.

An account marked as an administrator can be used for RADIUS authentication if Allow RADIUS Authentication is selected. See RADIUS service on page 91. These administrator accounts only support Password Authentication Protocol (PAP).

See Configuring a user as an administrator on page 63 for more information.

Local users

Local user accounts can be created, imported, exported, edited, and deleted as needed. Expired local user accounts can be purged manually or automatically (see General on page 54).

To manage local user accounts, go to Authentication > UserManagement > Local Users.

The local user account list shows the following information:

Create New Select to create a new user.
Import Select to import local user accounts from a CSV file or FortiGate configuration file.

If using a CSV file, it must have one record per line, with the following format: user name (30 characters max), first name (30 characters max), last name (30 characters max), email address (75 characters max), mobile number (25 characters max), password (optional, 128 characters max). If the optional password is left out of the import file, the user will be emailed temporary login credentials and requested to configure a new password.

Note: Even if an optional field is empty, it still must be defined with a comma.

Export Users Select to export the user account list to a CSV file.
Disabled Users Purge Disabled: This offers the option to choose which type of disabled users to purge. All users matching the type(s) selection will be deleted.

Re-enable: This allows the administrator to re-enable disabled accounts.

Expired users accounts can only be re-enabled individually.

Edit Select to edit the selected user account.
Delete Select to delete the selected user account or accounts.
Search Enter a search term in the search field, then select Search to search the user account list.
Username The user accounts’ usernames.
First name The user accounts’ first names, if included.
Last name The user accounts’ last names, if included.
Email address The user accounts’ email addresses, if included.
Admin If the user account is set as an administrator, a green circle with a check mark is shown.
Status If the user account is enabled, a green circle with a check mark is shown.
Token The token that is assigned to that user account. Select the token name to edit the FortiToken, see FortiToken device maintenance on page 74.
Groups The group or groups to which the user account belongs.
Authentication Method The authentication method used for the user account.
Expiration The date and time that the user account expires, if an expiration date and time have been set for the account.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos