Custom user fields
Custom fields can be created to be included in the user information of local users. See Local users on page 58 for information about creating and managing local users.
To edit custom fields, go to Authentication > UserAccount Policies > Custom UserFields. A maximum of three custom fields can be added.
User management
FortiAuthenticator’s user database has the benefit of being able to associate extensive information with each user, as you would expect of RADIUS and LDAP servers. This information includes whether the user is an administrator, uses RADIUS authentication, or uses two-factor authentication, and includes personal information such as full name, address, password recovery options, and the groups that the user belongs to.
The RADIUS server on the FortiAuthenticator unit is configured using default settings. For a user to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected for that user’s entry, and the FortiGate unit must be added to the authentication client list. See RADIUS service on page 91.
This section includes the following subsections:
- Administrators l Local users
- Remote users l Remote user sync rules l User groups l Organizations l FortiTokens l MAC devices l RADIUS attributes
Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators. Both local users and remote LDAP users can be administrators.
Once flagged as an administrator, a user account’s administrator privileges can be set to either full access or customized to select their administrator rights for different parts of the FortiAuthenticator unit.
The subnets from which administrators are able to log in can be restricted by entering the IP addresses and netmasks of trusted management subnets.
There are log events for administrator configuration activities. Administrators can also be configured to authenticate to the local system using two-factor authentication.
An account marked as an administrator can be used for RADIUS authentication if Allow RADIUS Authentication is selected. See RADIUS service on page 91. These administrator accounts only support Password Authentication Protocol (PAP).
See Configuring a user as an administrator on page 63 for more information.
Local users
Local user accounts can be created, imported, exported, edited, and deleted as needed. Expired local user accounts can be purged manually or automatically (see General on page 54).
To manage local user accounts, go to Authentication > UserManagement > Local Users.
The local user account list shows the following information:
| Create New | Select to create a new user. | |
| Import | Select to import local user accounts from a CSV file or FortiGate configuration file.
If using a CSV file, it must have one record per line, with the following format: user name (30 characters max), first name (30 characters max), last name (30 characters max), email address (75 characters max), mobile number (25 characters max), password (optional, 128 characters max). If the optional password is left out of the import file, the user will be emailed temporary login credentials and requested to configure a new password. Note: Even if an optional field is empty, it still must be defined with a comma. |
|
| Export Users | Select to export the user account list to a CSV file. | |
| Disabled Users | Purge Disabled: This offers the option to choose which type of disabled users to purge. All users matching the type(s) selection will be deleted.
Re-enable: This allows the administrator to re-enable disabled accounts. Expired users accounts can only be re-enabled individually. |
|
| Edit | Select to edit the selected user account. | |
| Delete | Select to delete the selected user account or accounts. | |
| Search | Enter a search term in the search field, then select Search to search the user account list. | |
| Username | The user accounts’ usernames. | |
| First name | The user accounts’ first names, if included. | |
| Last name | The user accounts’ last names, if included. | |
| Email address | The user accounts’ email addresses, if included. | |
| Admin | If the user account is set as an administrator, a green circle with a check mark is shown. | |
| Status | If the user account is enabled, a green circle with a check mark is shown. | |
| Token | The token that is assigned to that user account. Select the token name to edit the FortiToken, see FortiToken device maintenance on page 74. | |
| Groups | The group or groups to which the user account belongs. | |
| Authentication Method | The authentication method used for the user account. | |
| Expiration | The date and time that the user account expires, if an expiration date and time have been set for the account. | |
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
I am trying to get uses to be able to do a password change when they VPN into the network after their password expire’s.
One issue i am running into is on the Authenticaticator under monitor the status of the Connection only says “Joined AD” and “not connected” do you know why ?
I am experiencing the same problem