Configuring FortiAuthenticator
On the FortiAuthenticator, you must create a local user and a RADIUS client.
Before proceeding, ensure you have configured your FortiAuthenticator, created a NAS entry for your FortiAnalyzer, and created or imported FortiTokens. For more information, see the RADIUS Interoperability Guide and FortiAuthenticator Administration Guide in the Fortinet Document Library. |
To create a local user:
- Go to Authentication > User Management > Local Users.
- Click Create New in the toolbar.
- Configure the following settings:
Username
Enter a user name for the local user.
Password creation
Select Specify a password from the dropdown list.
Password
Enter a password. The password must be a minimum of 8 characters.
Password confirmation
Re-enter the password. The passwords must match.
Allow RADIUS authentication
Enable to allow RADIUS authentication.
Role
Select the role for the new user.
Enable account expiration
Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.
- Click OK to continue to the Change local user page.
- Configure the following settings, then click OK.
Disabled
Select to disable the local user.
Password-based authentication
Leave this option selected. Select [Change Password] to change the password for this local user.
Token-based authentication
Select to enable token-based authentication.
Deliver token code by
Select to deliver token by FortiToken, email, or SMS.
Click Test Token to test the token.
Allow RADIUS authentication
Select to allow RADIUS authentication.
Enable account expiration
Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.
User Role
Role
Select either Administrator or User.
Full Permission
Select to allow Full Permission, otherwise select the admin profiles to apply to the user. This option is only available when Role is Administrator.
Web service
Select to allow Web service, which allows the administrator to access the web service via a REST API or by using a client application. This option is only available when Role is Administrator.
Restrict admin login from trusted management subnets only
Select to restrict admin login from trusted management subnets only, then enter the trusted subnets in the table. This option is only available when Role is Administrator.
Allow LDAP Browsing
Select to allow LDAP browsing. This option is only available when Role is User.
Create a RADIUS client:
- Go to Authentication > RADIUS Service > Clients.
- Click Create New in the toolbar.
- Configure the following settings, then click OK.
Name
Enter a name for the RADIUS client entry.
Client name/IP
Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAnalyzer.
Secret
Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Authentication Server.
First profile name
See the FortiAuthenticator Administration Guide.
Description
Enter an optional description for the RADIUS client entry.
Apply this profile based on RADIUS attributes
Select to apply the profile based on RADIUS attributes.
Authentication method
Select Enforce two-factor authentication from the list of options.
Username input format
Select specific user name input formats.
Realms
Configure realms.
Allow MAC-based authentication
Optional configuration.
Check machine authentication
Select to check machine based authentication and apply groups based on the success or failure of the authentication.
Enable captive portal
Enable various portals.
EAP types
Optional configuration.
For more information, see the FortiAuthenticator Administration Guide, available in the Fortinet Document Library. |