Fortinet Document Library

Administration Guide

Configuring FortiAuthenticator

On the FortiAuthenticator, you must create a local user and a RADIUS client.

Before proceeding, ensure you have configured your FortiAuthenticator, created a NAS entry for your FortiAnalyzer, and created or imported FortiTokens.

For more information, see the Two-Factor Authenticator Interoperability Guide and FortiAuthenticator Administration Guide in the Fortinet Document Library.

Create a local user:
  1. Go to Authentication > User Management > Local Users.
  2. Click Create New in the toolbar.
  3. Configure the following settings:

    Username: Enter a user name for the local user.
    Password creation: Select Specify a password from the dropdown list.
    Password: Enter a password. The password must be a minimum of 8 characters.
    Password confirmation: Re-enter the password. The passwords must match.
    Allow RADIUS authentication: Enable to allow RADIUS authentication.
    Role: Select the role for the new user.
    Enable account expiration: Optionally, select to enable account expiration. For more information, see the FortiAuthenticator Administration Guide.

  4. Click OK to continue to the Change local user page.

  5. Configure the following settings, then click OK.

    Disabled: Select to disable the local user.
    Password-based authentication: Leave this option selected. Select [Change Password] to change the password for this local user.
    Token-based authentication: Select to enable token-based authentication.
        Deliver token code by: Select to deliver token by FortiToken, email, or SMS. Click Test Token to test the token.
    Allow RADIUS authentication: Select to allow RADIUS authentication.
    Enable account expiration: Optionally, select to enable account expiration. For more information, see the FortiAuthenticator Administration Guide.
    User Role
        Role: Select either Administrator or User.
        Full Permission: Select to allow Full Permission, otherwise select the admin profiles to apply to the user. This option is only available when Role is Administrator.
        Web service: Select to allow Web service, which allows the administrator to access the web service via a REST API or by using a client application. This option is only available when Role is Administrator.
        Restrict admin login from trusted management subnets only: Select to restrict admin login from trusted management subnets only, then enter the trusted subnets in the table. This option is only available when Role is Administrator.
        Allow LDAP Browsing: Select to allow LDAP browsing. This option is only available when Role is User.

Create a RADIUS client:
  1. Go to Authentication > RADIUS Service > Clients.
  2. Click Create New in the toolbar.
  3. Configure the following settings, then click OK.

    Name: Enter a name for the RADIUS client entry.
    Client name/IP: Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAnalyzer.
    Secret: Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Authentication Server.
    First profile name: See the FortiAuthenticator Administration Guide.
    Description: Enter an optional description for the RADIUS client entry.
    Apply this profile based on RADIUS attributes: Select to apply the profile based on RADIUS attributes.
    Authentication method: Select Enforce two-factor authentication from the list of options.
    Username input format: Select specific user name input formats.
    Realms: Configure realms.
    Allow MAC-based authentication: Optional configuration.
    Check machine authentication: Select to check machine-based authentication and apply groups based on the success or failure of the authentication.
    Enable captive portal: Enable various portals.
    EAP types: Optional configuration.

For more information, see the FortiAuthenticator Administration Guide, available in the Fortinet Document Library.
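
Why the Secret field must match on both sides, as an added example (not Fortinet code): in RADIUS (RFC 2865) the shared secret keys both the hiding of the User-Password attribute and the Response Authenticator, so a mismatch makes the server recover a wrong password and the client discard replies. The secrets, password, and packet values below are constructed for illustration.

```python
import hashlib
import hmac

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo the hiding using the secret configured for this client."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def client_accepts(reply_auth: bytes, code: int, ident: int, attrs: bytes,
                   req_auth: bytes, client_secret: bytes) -> bool:
    """Client side: a reply is trusted only if its authenticator verifies."""
    expected = response_authenticator(code, ident, attrs, req_auth, client_secret)
    return hmac.compare_digest(reply_auth, expected)

# Constructed sample values (not from the guide).
REQ_AUTH = bytes(range(16))
PASSWORD = b"example-password-123"
CLIENT_SECRET = b"constructed-secret-A"   # secret on the RADIUS client side
TYPO_SECRET = b"constructed-secret-a"     # server entry differs by one character

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, CLIENT_SECRET, REQ_AUTH)
    print(recover_password(hidden, CLIENT_SECRET, REQ_AUTH) == PASSWORD)
    print(recover_password(hidden, TYPO_SECRET, REQ_AUTH) == PASSWORD)
    reply = response_authenticator(2, 7, b"", REQ_AUTH, TYPO_SECRET)
    print(client_accepts(reply, 2, 7, b"", REQ_AUTH, CLIENT_SECRET))
```

With matching secrets the password round-trips and the reply verifies; with the one-character mismatch the server sees a garbled password and the client rejects the reply, which typically surfaces as a failed or timed-out login rather than an explicit "wrong secret" error.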
