FortiAuthenticator 4.0 Authentication
The self-service portal provides options for configuring general self-service portal options, access control settings, self-registration options, replacement messages, and device self-enrollment settings.
To configure general self-service portal settings, go to Authentication > Self-service Portal > General.
The following settings can be adjusted:
| Setting | Description |
|---|---|
| Default portal language | Select a default portal language from the drop-down list. |
| Add a Language | Select to add a language pack. Several languages are included by default. A translation pack can be obtained from Fortinet support if you need to translate to your local language. |
| Site name | Enter a name that is used when referring to this site. If left blank, the default name will be the site DNS domain name or IP address. |
| E-mail Signature | Add a signature to be appended to the end of outgoing email messages. |
To configure self-service portal access settings, go to Authentication > Self-service Portal > Access Control.
The following settings can be adjusted:
| Setting | Description |
|---|---|
| Username input format | Select the input format for the username, one of: username@realm, realm\username, realm/username. The realm name is optional when authenticating against the default realm. |
| Realms | Add realms to which the user will be associated. See Realms on page 94. |

To configure the realm list:
- Select a realm from the drop-down list in the Realm column.
- Select whether or not to allow local users to override remote users for the selected realm.
- Edit the group filter as needed, to filter users based on the groups they are in.
- If necessary, add more realms to the list.
- Select the realm that will be the default realm for this client.
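As an added illustration of the three username input formats above (example code, not FortiAuthenticator's own; the realm names and the set of configured realms are constructed), this resolves a typed login to a username and realm, applying the default realm only when no realm was typed and rejecting realms that are not configured rather than silently falling back:

```python
"""Resolve a login string to (username, realm) under the FortiAuthenticator
username input formats.  Added example, not FortiAuthenticator code; the
realm table below is constructed for illustration."""
from typing import Optional, Tuple

# Constructed realm configuration mirroring the Access Control settings:
# the realms added to the list, and the one selected as default.
REALMS = {"corp.example", "guest.example"}   # hypothetical realm names
DEFAULT_REALM = "corp.example"

# Selected input format -> (separator, which side holds the realm)
FORMATS = {
    "username@realm": ("@", "user-first"),
    "realm\\username": ("\\", "realm-first"),
    "realm/username": ("/", "realm-first"),
}


def parse_login(login: str, input_format: str) -> Tuple[str, Optional[str]]:
    """Split a login according to the selected input format.

    Returns (username, realm); realm is None when the user typed no realm.
    Only the selected separator is honoured, so an '@' in a login parsed
    under realm\\username stays part of the username and does not pick a realm.
    """
    sep, order = FORMATS[input_format]
    if sep not in login:
        return login, None
    if order == "user-first":
        user, _, realm = login.rpartition(sep)   # last '@' separates the realm
    else:
        realm, _, user = login.partition(sep)    # first separator ends the realm
    return user, realm


def resolve_realm(login: str, input_format: str) -> Tuple[str, str]:
    """Return (username, realm) for authentication.

    The default realm applies only when no realm was typed; an unknown or
    empty realm is rejected instead of being mapped onto the default.
    """
    user, realm = parse_login(login, input_format)
    if not user:
        raise ValueError("empty username")
    if realm is None:
        return user, DEFAULT_REALM
    if realm not in REALMS:
        raise ValueError(f"realm not configured: {realm!r}")
    return user, realm
```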
When self-registration is enabled, users can request registration through the FortiAuthenticator login page. Self-registration can be configured so that a user request is emailed to the device administrator for approval.
When the account is ready for use, the user receives an email or SMS message with their account information.
To enable self-registration:
- Go to Authentication > Self-service Portal > Self Registration.
- Select Enable to enable self-registration.
- Optionally, configure the following settings:
| Setting | Description |
|---|---|
| Require administrator approval | Select to require that an administrator approves the user. |
| Enable e-mail to freeform addresses | Select to send self-registration requests to the email addresses entered in the Administrator e-mail addresses field. |
| Enable e-mail to administrator accounts | Select to send self-registration requests to specific administrators. Select the required administrators from the Available administrators box and move them to the Chosen administrators box. |
| Account expires after | Select to specify how long until self-generated accounts will be deleted after they are generated. |
| Use mobile number as username | If enabled, after a successful registration, the user's password will be sent to them via SMS to confirm their identity. |
| Place registered users into a group | Select a group into which self-registered users will be placed from the drop-down list. |
| Password creation | Select how a password is created, either User-defined or Randomly generated. |
| Send account information via | Choose how to send account information to the user, either SMS, E-mail, or Display on browser page. The Display on browser page option is only available if administrator approval is not required. |
| SMS gateway | Select an SMS gateway from the drop-down list. See SMS gateways on page 48 for more information. |
| Required Field Configuration | Select the fields that the user is required to populate when self-registering. Options include: First name, Last name, E-mail address, Address, City, State/Province, Country, Phone number, Mobile number, Custom field 1, Custom field 2, and Custom field 3. For information about custom fields, see Custom user fields on page 57. |
- Select OK to apply your changes.
To approve a self-registration request:
- Select the link in the Approval Required for… email message to open the New User Approval page in your web browser.
- Review the information and select either Approve or Deny, as appropriate.
Approval is required only if Require administrator approval is enabled in the self-registration settings.
If the request is approved, the FortiAuthenticator unit sends the user an email or SMS message stating that the account has been activated.
How a user requests registration
A user can request registration, or self-register, from the FortiAuthenticator login screen.
To request registration:
- Browse to the IP address of the FortiAuthenticator unit.
Security policies must be in place on the FortiGate unit to allow these sessions to be established.
- Select Register to open the user registration page.
- Fill in all the required fields and, optionally, fill in the Additional Information fields.
- Select OK to request registration.
If administrator approval is not required and Display on browser page is enabled, the account details are immediately displayed to the user.
The replacement messages list enables you to view and customize replacement messages, and manage images.
Go to Authentication > Self-service Portal > Replacement Messages to view the replacement message list.
The replacement messages are split into five categories: Account, Authentication, Device Certificate Enrollment, Password Reset, and User Registration.
Selecting a specific message will display the text and HTML or plain text of the message in the lower half of the content pane.
Selecting Show Tag List will display a table of the tags used for that message atop the message’s HTML or plain text box.
To edit a replacement message:
- Select a message in the replacement message list.
- Edit the plain text or HTML code in the lower right pane, or select the open in new window icon to edit the message in a new browser window.
- When you are finished editing the message, select Save to save your changes.
- If you have made an error when editing the message, select Restore Default to restore the message to its default value.
Images can be managed by selecting Manage Images in the Replacement Messages window. From there, images can be added, deleted, and edited.
To add an image:
- In the manage images screen, select Create New to open the Create New Image window.
- Enter a name for the image in the Name field.
- Select ..., find the GIF, JPEG, or PNG image file that you are adding, and then select Open.
The maximum image size is 65 kB.
- Select OK to add the image.
To delete an image:
- In the manage images screen, select an image, then select Delete.
- Select Yes, I’m sure in the confirmation window to delete the image.
To edit an image:
- In the manage images screen, select an image, then select Edit.
- In the Edit Image window, edit the image name and file as required.
- Select OK to apply your changes.
Device certificate self-enrollment is a method for users to obtain certificates for their devices. It can be used to enable EAP-TLS for BYOD configurations, or for VPN authentication. For more information, see Device self-enrollment on page 103.
I am trying to get users to be able to do a password change when they VPN into the network after their password expires.
One issue I am running into is on the Authenticator, under Monitor, the status of the connection only says “Joined AD” and “not connected”. Do you know why?
I am experiencing the same problem