Fortinet black logo

Administration Guide

Remote users

Remote users

Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers. For more information, see LDAP.

Note that you will only be able to import a maximum of five remote users if you have an unlicensed version of FortiAuthenticator-VM.

A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.

Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.

LDAP users

To import remote LDAP users:
  1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and select Import.
  2. Select a server from the Remote LDAP server dropdown menu, then select Import users or Import users by group membership, and select Go.
    An LDAP server must already be configured to select it in the dropdown menu. For information on adding a remote LDAP server, see Remote authentication servers.
  3. The Import Remote LDAP Users or Import Remote LDAP Users by Group Memberships window opens in a new browser window.

  4. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
    note iconPlease note that the Member attribute field is only available if you select to Import users by group membership. Use this field to specify the filter by which users will be shown. In the example, the default attribute (member) will only show users that are members of groups (users must be part of member attribute of the groups).
  5. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes.
  6. Selecting the field FirstName, for example, presents a list of detected attributes that can be selected. This list is not exhaustive as additional, non-displayed attributes may be available for import. Consult your LDAP administrator for a full list of available attributes.

  7. Select the entries you want to import.
  8. Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.
  9. Select OK.
  10. The amount of time required to import the remote users will vary depending on the number of users to import.

To add two-factor authentication to a remote LDAP user:
  1. Edit the remote user, select One-Time Password (OTP) authentication, and follow the same steps as when editing a local user (Editing a user).
  2. Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
  3. Select OK to apply the changes.

RADIUS users

To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS for more information about remote RADIUS servers.

The following options are available (when remote RADIUS users are available to edit):

Create New Select to create a new remote RADIUS user.
Delete Select to delete the selected user or users.
Edit Select to edit the selected user.
Re-enable Select to re-enable the status of a user that has been disabled.
Migrate Select to migrate the selected user or users. See To migrate RADIUS users to LDAP users:.
Token Select to either Enforce or Bypass One-Time Password (OTP) authentication for the selected user(s).
Search Search the remote RADIUS user list.
Username The remote user’s name.
Remote RADIUS server The remote RADIUS server or which the user resides.
Admin Displays whether or not the user is configured as an administrator.
Status Displays whether or not the user is enabled or disabled.
Token The FortiToken used by the user, if applicable.
Token Requested Displays whether or not a FortiToken has been requested for the user.
Enforce token-based authentication Displays whether or not token-based authentication is enforced.
To create a new remote RADIUS user:
  1. From the remote user list, select RADIUS users and select Create New.
  2. Enter the following information:
    Remote RADIUSSelect the remote RADIUS server on which the user will be created from. For more information on remote RADIUS servers, see RADIUS.
    UsernameEnter a username.

    Disabled

    Select to disable the user account.

    Enforce token-based authentication if configured belowSelect to enforce token-based authentication, if you are configuring token-based authentication.
    One-Time Password (OTP) authentication

    Select to configure One-Time Password (OTP) authentication.

    See Configuring One-Time Password (OTP) authentication.

    FIDO authentication

    Select to enable FIDO authentication. This is disabled by default for new user accounts.

    Register FIDO key

    Select to open the Add new Fido Key dialog, enter the FIDO key name, and click OK to register a FIDO key for the user.

    Note: Use the Delete all FIDO keys button to delete all the registered FIDO keys.

    Allow RADIUS authentication

    Enable or disable RADIUS authentication.

    Sync in HA Load Balancing mode

    Select to sync the administrator across load-balanced FortiAuthenticator devices from the primary standalone device to load-balancers.

    User Role

    Configure a remote user's role.

    Select whether the remote user is either an Administrator (along with related permissions), Sponsor, or a regular User.

    Role

    Select Administrator, Sponsor, or User.

    Full Permission

    Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.

    Use backup password

    Enable to set up a backup password to be used when the remote server is unreachable. This applies to administrator and sponsors only.

    Restrict admin login from trusted management subnets only

    Enable and enter trusted IP addresses and netmasks for restricted administrator login access. This applies to administrator and sponsors only.

    User Information

    Enter user information as needed. The following options are available:

    • Display name
    • Email address
    • Company
    • Department
    • Title
    • Birthdate
    • Mobile number and SMS gateway
    • Language
    • FortiToken Logo - see FortiTokens.

    TACACS+ Authorization

    Add a TACACS+ authorization rule. See Assigning authorization rules.

    Usage Information

    View the user's usage information, including bytes in/out, time used, and the option to reset the usage statistics.

    When allocated usage is reached, the user account is locked and needs to be unlocked manually by an admin or via API. Upon unlock, usage data is reset.

    Certificate Bindings

    Add, edit, or removed certificate bindings for the user account. See Configuring certificate bindings.
    Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.

    For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.

    Devices

    Add devices, based on MAC address, for the user account.

  3. Select OK to create the new remote RADIUS user.
To migrate RADIUS users to LDAP users:
  1. From the remote RADIUS users list (see Learned RADIUS users), select the user or users you need to migrate, then select Migrate from the toolbar.
  2. Select an LDAP server from the dropdown menu and select Next.
  3. Enter the distinguished names for the users to migrate, or browse the LDAP tree (see Directory tree overview) to find the users.
  4. Select Migrate to migrate the user or users.

SAML users

To view remote SAML users, go to Authentication > User Management > Remote Users and select SAML users.

To create a new remote SAML user:
  1. From the remote user list, select SAML users and select Create New.
  2. The Create New Remote SAML User window appears.

  3. Enter the following information:
    Remote SAMLSelect the remote SAML server on which the user will be created from. For more information on remote SAML servers, see SAML.
    UsernameEnter a username.
    DisabledSelect to disable the user account.
    One-Time Password (OTP) authentication

    Select to configure One-Time Password (OTP) authentication.

    See Configuring One-Time Password (OTP) authentication.

    User Information

    Enter user information as needed. The following options are available:

    • Display name
    • First name
    • Last name
    • Email address
    • Mobile number and SMS gateway
    • Company
    • Department
    • Title
    • Birthdate
    • Language
    • FortiToken Logo - see FortiTokens.
  4. Select OK to create the new remote SAML user.
To import remote SAML users:
  1. From the remote user list, select SAML users, and select Import.
  2. The Import remote SAML Users window opens.

  3. Select the following:
    Remote SAML serverSelect the remote SAML server on which the users will be imported from. For more information on remote SAML servers, see SAML.
    GroupSelect the SAML server group to import users from.
  4. Select OK to import the remote SAML users.

Remote users

Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers. For more information, see LDAP.

Note that you will only be able to import a maximum of five remote users if you have an unlicensed version of FortiAuthenticator-VM.

A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.

Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.

LDAP users

To import remote LDAP users:
  1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and select Import.
  2. Select a server from the Remote LDAP server dropdown menu, then select Import users or Import users by group membership, and select Go.
    An LDAP server must already be configured to select it in the dropdown menu. For information on adding a remote LDAP server, see Remote authentication servers.
  3. The Import Remote LDAP Users or Import Remote LDAP Users by Group Memberships window opens in a new browser window.

  4. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
    note iconPlease note that the Member attribute field is only available if you select to Import users by group membership. Use this field to specify the filter by which users will be shown. In the example, the default attribute (member) will only show users that are members of groups (users must be part of member attribute of the groups).
  5. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes.
  6. Selecting the field FirstName, for example, presents a list of detected attributes that can be selected. This list is not exhaustive as additional, non-displayed attributes may be available for import. Consult your LDAP administrator for a full list of available attributes.

  7. Select the entries you want to import.
  8. Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.
  9. Select OK.
  10. The amount of time required to import the remote users will vary depending on the number of users to import.

To add two-factor authentication to a remote LDAP user:
  1. Edit the remote user, select One-Time Password (OTP) authentication, and follow the same steps as when editing a local user (Editing a user).
  2. Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
  3. Select OK to apply the changes.

RADIUS users

To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS for more information about remote RADIUS servers.

The following options are available (when remote RADIUS users are available to edit):

Create New Select to create a new remote RADIUS user.
Delete Select to delete the selected user or users.
Edit Select to edit the selected user.
Re-enable Select to re-enable the status of a user that has been disabled.
Migrate Select to migrate the selected user or users. See To migrate RADIUS users to LDAP users:.
Token Select to either Enforce or Bypass One-Time Password (OTP) authentication for the selected user(s).
Search Search the remote RADIUS user list.
Username The remote user’s name.
Remote RADIUS server The remote RADIUS server or which the user resides.
Admin Displays whether or not the user is configured as an administrator.
Status Displays whether or not the user is enabled or disabled.
Token The FortiToken used by the user, if applicable.
Token Requested Displays whether or not a FortiToken has been requested for the user.
Enforce token-based authentication Displays whether or not token-based authentication is enforced.
To create a new remote RADIUS user:
  1. From the remote user list, select RADIUS users and select Create New.
  2. Enter the following information:
    Remote RADIUSSelect the remote RADIUS server on which the user will be created from. For more information on remote RADIUS servers, see RADIUS.
    UsernameEnter a username.

    Disabled

    Select to disable the user account.

    Enforce token-based authentication if configured belowSelect to enforce token-based authentication, if you are configuring token-based authentication.
    One-Time Password (OTP) authentication

    Select to configure One-Time Password (OTP) authentication.

    See Configuring One-Time Password (OTP) authentication.

    FIDO authentication

    Select to enable FIDO authentication. This is disabled by default for new user accounts.

    Register FIDO key

    Select to open the Add new Fido Key dialog, enter the FIDO key name, and click OK to register a FIDO key for the user.

    Note: Use the Delete all FIDO keys button to delete all the registered FIDO keys.

    Allow RADIUS authentication

    Enable or disable RADIUS authentication.

    Sync in HA Load Balancing mode

    Select to sync the administrator across load-balanced FortiAuthenticator devices from the primary standalone device to load-balancers.

    User Role

    Configure a remote user's role.

    Select whether the remote user is either an Administrator (along with related permissions), Sponsor, or a regular User.

    Role

    Select Administrator, Sponsor, or User.

    Full Permission

    Enable to grant this administrator full permission, or enter an Admin profile in the field provided. This applies only to administrators.

    Use backup password

    Enable to set up a backup password to be used when the remote server is unreachable. This applies to administrator and sponsors only.

    Restrict admin login from trusted management subnets only

    Enable and enter trusted IP addresses and netmasks for restricted administrator login access. This applies to administrator and sponsors only.

    User Information

    Enter user information as needed. The following options are available:

    • Display name
    • Email address
    • Company
    • Department
    • Title
    • Birthdate
    • Mobile number and SMS gateway
    • Language
    • FortiToken Logo - see FortiTokens.

    TACACS+ Authorization

    Add a TACACS+ authorization rule. See Assigning authorization rules.

    Usage Information

    View the user's usage information, including bytes in/out, time used, and the option to reset the usage statistics.

    When allocated usage is reached, the user account is locked and needs to be unlocked manually by an admin or via API. Upon unlock, usage data is reset.

    Certificate Bindings

    Add, edit, or removed certificate bindings for the user account. See Configuring certificate bindings.
    Select the certificate name to view the certificate, or select the Revoke Certificate button to revoke the certificate.

    For administrator and sponsor user roles, this field is available only when Sync in HA Load Balancing mode is enabled.

    Devices

    Add devices, based on MAC address, for the user account.

  3. Select OK to create the new remote RADIUS user.
To migrate RADIUS users to LDAP users:
  1. From the remote RADIUS users list (see Learned RADIUS users), select the user or users you need to migrate, then select Migrate from the toolbar.
  2. Select an LDAP server from the dropdown menu and select Next.
  3. Enter the distinguished names for the users to migrate, or browse the LDAP tree (see Directory tree overview) to find the users.
  4. Select Migrate to migrate the user or users.

SAML users

To view remote SAML users, go to Authentication > User Management > Remote Users and select SAML users.

To create a new remote SAML user:
  1. From the remote user list, select SAML users and select Create New.
  2. The Create New Remote SAML User window appears.

  3. Enter the following information:
    Remote SAMLSelect the remote SAML server on which the user will be created from. For more information on remote SAML servers, see SAML.
    UsernameEnter a username.
    DisabledSelect to disable the user account.
    One-Time Password (OTP) authentication

    Select to configure One-Time Password (OTP) authentication.

    See Configuring One-Time Password (OTP) authentication.

    User Information

    Enter user information as needed. The following options are available:

    • Display name
    • First name
    • Last name
    • Email address
    • Mobile number and SMS gateway
    • Company
    • Department
    • Title
    • Birthdate
    • Language
    • FortiToken Logo - see FortiTokens.
  4. Select OK to create the new remote SAML user.
To import remote SAML users:
  1. From the remote user list, select SAML users, and select Import.
  2. The Import remote SAML Users window opens.

  3. Select the following:
    Remote SAML serverSelect the remote SAML server on which the users will be imported from. For more information on remote SAML servers, see SAML.
    GroupSelect the SAML server group to import users from.
  4. Select OK to import the remote SAML users.