FortiAuthenticator 4.0 Authentication

Adding a user

When creating a user account, there are three ways to handle the password:

  • The administrator assigns a password immediately and communicates it to the user.
  • The FortiAuthenticator unit creates a random password and automatically emails it to the new user. l No password is assigned because only token-based authentication will be used.

To add a new user:

  1. In the local users list, select Create New. The Create New User window opens.
  2. Enter the following information:
Username Enter a username for the user.
Password creation Select one of three options from the drop-down list:

Specify a password: Manually enter a password in the Password field, then reenter the password in the Password confirmation field.

Set and e-mail a random password: Enter an email address to which to send the password in the E-mail address field, then reenter the email address in the Confirm e-mail address field. l No password, FortiToken authentication only: After you select

OK, you will need to associate a FortiToken device with this user.

Enable account expiration Select to enable account expiration, either after a specific amount of time has elapsed, or on a specific date.
Expire after Select when the account will expire, one of:

Set length of time: Enter the amount of time in hours, days, months, or years, until the account expires.

Set an expire date: Enter the date on which the account will expire, either by manually typing it in, or by selecting the calendar icon then selecting a date on the pop-up calendar.

  1. Select OK to create the new user.

You will be redirected to the Change user window to continue the user configuration.

If the password creation method was set to No password, FortiToken authentication only you will be required to associate a FortiToken with the user before the user can be enabled. See Configuring token based authentication on page 62.

Editing a user

User accounts can be edited at any time. When creating a new user, you will be immediately redirected to the Change user window to complete the user configuration.

To view the Change user window, go to the user account list, select the user you will be editing, and then select

Edit from the toolbar. Conversely, selecting the username in the user list will also open the Change user window.

The following information can be viewed or configured:

Username The user’s username. This cannot be changed.
Disabled Select to disable the user account.
Password-based authentication Select to enable password based authentication.

Select Change Password to open the Change password window, where you can change the user’s password.

Token-based authentication Select to enable FortiToken based authentication. See Configuring token based authentication on page 62.
Enable account expiration Select to enable account expiration. See Enable account expiration on page 60.
User Role Configure the user’s role.
Role Select Administrator or User.

If setting a user as an administrator, see Configuring a user as an administrator on page 63.

Allow RADIUS authentication Select to allow RADIUS authentication. This applies only to nonadministrator users.
Allow LDAP browsing Select to Allow LDAP browsing. This applies only to non-administrator users.
User Information Enter user information, such as their address and phone number. See Adding user information on page 63.
Alternative e-mail addresses Add alternate email addresses for the user.
Password Recovery Options Configure password recovery options for the user. See Configuring password recovery options on page 64
Groups Assign the user to one or more groups. See User groups on page 69.
E-mail Routing Enter a mail host and routing address into their respective fields to configure email routing for the user.
Radius Attributes Add RADIUS attributes. See RADIUS attributes on page 72.
Certificate Bindings Add, edit, or removed certificate bindings for the user account. See Configuring certificate bindings on page 65.

Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.

Select OK when you have finished editing the user’s information and settings.

Configuring token based authentication

Token-based authentication requires one of the following:

l a FortiToken device or mobile device with the FortiToken Mobile app installed, l a device with either email or SMS capability.

If a FortiToken device or FortiToken Mobile app will be used, it must first be registered in Authentication > User Management > FortiToken. See FortiTokens on page 71 for more information.

To configure an account for token-based authentication:

  1. Go to the Change user window for the requisite user account.
  2. Select Token-based authentication to view the token-based authentication options.
  3. Do one of the following: l Select FortiToken, then select the FortiToken device serial number from the FortiToken 200 or FortiToken Mobile drop-down lists, as appropriate.

The device must be known to the FortiAuthenticator unit. See FortiToken devices and mobile apps on page 72.

Optionally, select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.

  • Select Email and enter the user’s email address in the UserInformation
  • Select SMS and enter the user’s mobile number in the UserInformation
  1. Select Test Token to validate the token passcode. The Test Email Token or Test SMS Token window opens (depending on your selection).
    1. For email and SMS tokens, confirm that the contact information is correct, select Next, then enter the token code received via email or SMS.
    2. Select Back to return to edit the contact information, select Verify to verify the token passcode, or select Resend Code if a new code is required.
    3. For FortiToken, enter the token code in the Token code field, then select Verify to verify the token passcode.
  2. Select OK.

By default, token-based authentication must be completed within 60 seconds after the token passcode is sent by email or SMS. To change this timeout, go to Authentication > UserAccount Polices > General and modify the Email/SMS Token Timeout field, see Lockouts on page 55.

Configuring a user as an administrator See Administrators on page 58 for more information.

To set a user as an administrator:

  1. Go to the Change user window for the requisite user account.
  2. In the UserRole section, select Administrator for the Role.
  3. In the Access field, select Full to give the administrator fill administrative privileges, or select Custom to customize the administrator’s permissions.

If Custom is selected, find the permissions that the user will have in the Available userpermissions list, and move them to the Selected userpermissions list.

  1. Optionally, select Web service access to allow the administrator to access the web services via a REST API or FortiAuthenticator Agent for Microsoft Windows.
  2. Select Restrict admin login from trusted management subnets only, then enter the IP addresses and netmasks of trusted management subnets in the table, to restrict the subnets from which an administrator can log in.
  3. Select OK to apply the changes to the user.
Adding user information

User information can be added in the Change user window. Some information can be required depending on how the user is configured. For example, is the user is using token-based authentication by SMS, then a mobile number and SMS gateway must be configured before the user can be enabled.

The following user information can be entered:

First name Last name
Email address Phone number
Mobile number SMS gateway: select from the drop-down list. Select Test SMS to send a test
Street address message.
City State/Province

Country: Select from the drop-down list.

Language: select a specific language from the drop-down list, or use the default language.

Organization: select an organization from the drop-down list. See Organizations on page 70.

Max. devices: Select either Use global configuration, or Specify a custom number.

Userhas: The number of device the user currently has.

Custom user fields: See Custom user fields on page 57 for more information.

Configuring password recovery options

To replace a lost or forgotten password, the FortiAuthenticator unit can send the user a password recovery link by email or in a browser in response to a pre-arranged security question. The user then must set a new password.

To configure password recovery by email:

  1. Go to the Change user window for the requisite user account.
  2. Ensure that the user has an email address entered. See Adding user information on page 63.
  3. In the Password Recovery Options section, Select E-mail recovery.
  4. Optionally, select Alternative e-mail addresses and enter additional email addresses for this user.

In the event of password recovery, an email message will be sent to all configured email addresses — both the user information email address and the alternative email addresses.

  1. Select OK to apply the changes.

To configure password recovery by security question:

  1. Go to the Change user window for the requisite user account.
  2. In the Password Recovery Options section, select Security question, then select Edit. The Setup a Security Question dialog box opens.
  3. Choose one of the questions in the list, or select Write my own question and enter a question in the Custom question
  4. Enter the answer for the question in the Answer
  5. Select OK to create the security question.
  6. Select OK in the Change user window to apply your changes.

How the user can configure password recovery by security question:

  1. Log in to the user account. The View Profile page opens.
  2. Select Edit Profile at the top left of the page.
  3. In the Password Recovery Options section, select Security Question, and select Edit.
  4. Choose one of the questions in the list, or select Write my own question and enter a question in the Custom question
  5. Enter the answer for your question.
  6. Select OK.

How the user can configure password recovery by email:

  1. Log in to the user account. The View Profile page opens.
  2. Select Edit Profile at the top left of the page.
  3. In the Password Recovery Options section, select E-mail recovery.
  4. Optionally, select Alternative e-mail addresses and enter additional email addresses for this user.
  5. Select OK.

How the user recovers from a lost password:

  1. Browse to the IP address of the FortiAuthenticator.

Security policies must be in place on the FortiGate unit to allow these sessions to be established.

  1. At the login screen, select Forgot my password.
  2. Select either Username or Email as your method of recovery.
  3. Enter either your username or email address as selected in the previous step, and then select Next.

This information is used to select the user account. If your information does not match a user account, password recovery cannot be completed.

  1. Do one of the following:
    • If an email address was entered, check your email, open the email and select the password recovery link.
    • If a username was entered, answer the security question and then select Next. The recovery options available depend on the settings in the user account.
  2. On the Reset Password page, enter and confirm a new password and then select Next.

The user can now authenticate using the new password.

2 thoughts on “FortiAuthenticator 4.0 Authentication

  1. dav

    I am trying to get uses to be able to do a password change when they VPN into the network after their password expire’s.
    One issue i am running into is on the Authenticaticator under monitor the status of the Connection only says “Joined AD” and “not connected” do you know why ?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.