User Account Policies

General policies for user accounts include lockout settings, password policies, and custom user fields.

General

To configure general account policy settings, go to Authentication > User Account Policies > General.

Configure the following settings:

Valid window
  Time-based: Configure the length of time, plus or minus the current time, that a FortiToken code is deemed valid, from 1 to 60 minutes (default = 1 minute).
  Event-based: Configure the count, or number of times, that the FortiToken passcode is deemed valid, from 3 to 100 counts (default = 3 counts).
Sync window
  Time-based: Configure the period of time in which the entry of an invalid token can trigger a synchronization, from 5 to 480 minutes (default = 60 minutes).
  Event-based: Configure the count, or number of times, that the entry of an invalid token can trigger a synchronization, from 5 to 100 counts (default = 100 counts).
  If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.
E-mail/SMS token timeout: Set a time after which a token code sent via email or SMS will be marked as expired, from 10 to 3600 seconds.
Expire device login after: Set a time after which a machine authenticated device will be automatically expired, from 5 to 1440 minutes (default = 480 minutes).
Automatically purge expired user accounts: Select to automatically purge expired user accounts. Select the frequency of the purge in the Frequency field: Daily, Weekly, or Monthly. Enter the time of the purge in the Time field, select Now to set the time to the current time, or select the clock icon to choose a time: Now, Midnight, 6 a.m., or Noon.
  Set the reason for purging disabled users: Manually disabled, Login inactivity, or Account expired.
Restrict web service access to a specific interface: Select to restrict web service access to a specific port, then select the port from the Web service interface drop-down list.
Discard stale RADIUS authentication requests: Select to set a time after which RADIUS authentication requests are discarded, from 3 to 360 seconds. The default is set to 5 seconds.
Expire inactive RADIUS accounting session after: Enter a time after which RADIUS accounting sessions time out, from 5 to 1440 minutes (five minutes to one day). The default is set to 60 minutes.

Lockouts

For various security reasons, you may want to lock a user’s account. For example, repeated unsuccessful attempts to log in might indicate an attempt at unauthorized access.

Information on locked out users can be viewed in the Top User Lockouts widget; see Top User Lockouts widget.

Currently locked out users can be viewed in Monitor > Authentication > Inactive Users; see Authentication.

To configure the user lockout policy:
  1. Go to Authentication > User Account Policies > Lockouts.
  2. Configure the following settings, then select OK to apply any changes:
     Enable user account lockout policy: Enable user account lockout for failed login attempts and enter the maximum number of allowed failed attempts in the Max. failed login attempts field.
       Specify lockout period: Select to specify the length of the lockout period, from 60 to 86400 seconds. After the lockout period expires, the Max. failed login attempts number applies again.
       When disabled, locked out users will be permanently disabled until an administrator manually re-enables them.
     Enable inactive user lockout: Select to enable disabling a user account if there is no login activity for a given number of days. In the Lock out inactive users after field, enter the number of days, from 1 to 1825, after which a user is locked out.

Passwords

You can enforce a minimum length and complexity for user passwords, and can force users to change their passwords periodically.

For information on setting a user’s password, and password recovery options, see Editing a user.

Go to Authentication > User Account Policies > Passwords to configure password policy settings.

To set password complexity requirements:
  1. In User Password Complexity, enter the minimum password length in the Minimum length field.
     Note: The default minimum length is 0, which means that there is no minimum length, but the password cannot be empty.
  2. Optionally, select Check for password complexity and then configure the following password requirements as needed:
     • Minimum upper-case letters
     • Minimum lower-case letters
     • Minimum numeric characters
     • Minimum non-alphanumeric characters
     You can configure which non-alphanumeric characters may be used in random password generation by entering them in the Characters used in random passwords field.
  3. Select OK to apply the password length and complexity settings.

To set a password change policy:
  1. In User Password Change Policy, optionally select Enable password expiry, then set the maximum allowed password age in the Maximum password age field.
     The default maximum password age is 90 days. The minimum value allowed is 14 days.
  2. Optionally, select Enforce password history to prevent users from creating a new password that is the same as their current password or recently used passwords.
  3. Then, enter the number of passwords to remember in the Number of passwords to remember field. New passwords must not match any of the remembered passwords. For example, if three passwords are remembered, users cannot reuse any of their three previous passwords.
  4. Optionally, select Enable random password expiry to force randomly generated passwords to expire. Then, enter the length of time after which a randomly generated password will expire in the Random passwords expire after field.
     The default randomly generated password expiry age is 72 hours. The value can be set from 1 to 168 hours.
  5. Select OK to apply the password change policy settings.

To set a password renewal policy:
  1. In User Password Change Policy, enter the password renewal intervals in the field available, separating each entry by a comma.
     The default is every 14, 7, 3, and 1 days.
  2. Select OK to apply the password renewal policy setting.
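As an added example (not FortiAuthenticator code), the three password procedures above can be expressed as one policy object: a complexity check that reports every unmet minimum, a history that remembers the current password plus recent ones as salted slow hashes so old passwords are never kept in the clear, and an expiry/renewal calculation that reports which of the 14, 7, 3, 1 day reminders applies on a given day. The class and function names, the per-character-class minimums of 1, and PBKDF2 as the history hash are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """Hypothetical mirror of the Passwords page; numeric defaults follow the text where it gives one."""
    min_length: int = 0                          # Minimum length (0 = no minimum, but never empty)
    check_complexity: bool = True                # Check for password complexity
    min_upper: int = 1                           # Minimum upper-case letters (constructed default)
    min_lower: int = 1                           # Minimum lower-case letters (constructed default)
    min_digits: int = 1                          # Minimum numeric characters (constructed default)
    min_special: int = 1                         # Minimum non-alphanumeric characters (constructed default)
    history_size: int = 3                        # Number of passwords to remember
    max_age_days: int = 90                       # Maximum password age (minimum allowed is 14)
    renewal_intervals_days: Tuple[int, ...] = (14, 7, 3, 1)   # renewal reminders before expiry


def complexity_errors(policy: PasswordPolicy, pw: str) -> List[str]:
    """Return every rule the candidate password violates (empty list means it passes)."""
    errors = []
    if pw == "":
        errors.append("password cannot be empty")
    if len(pw) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if policy.check_complexity:
        counts = {
            "upper-case letters": (sum(c.isupper() for c in pw), policy.min_upper),
            "lower-case letters": (sum(c.islower() for c in pw), policy.min_lower),
            "numeric characters": (sum(c.isdigit() for c in pw), policy.min_digits),
            "non-alphanumeric characters": (sum(not c.isalnum() for c in pw), policy.min_special),
        }
        for name, (have, need) in counts.items():
            if have < need:
                errors.append(f"needs at least {need} {name}")
    return errors


def _digest(pw: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history never holds reusable plaintext (PBKDF2 is an assumption here).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


class PasswordHistory:
    """Remembers the current password and the most recent ones, newest first."""

    def __init__(self, size: int):
        self.size = size
        self.entries: List[Tuple[bytes, bytes]] = []
        self.set_at: Optional[datetime] = None   # when the current password was set

    def seen(self, pw: str) -> bool:
        return any(hmac.compare_digest(_digest(pw, salt), h) for salt, h in self.entries)

    def add(self, pw: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, _digest(pw, salt)))
        del self.entries[self.size:]             # forget anything beyond Number of passwords to remember
        self.set_at = now


def change_password(policy: PasswordPolicy, history: PasswordHistory, new_pw: str, now: datetime) -> List[str]:
    """Apply complexity and history rules; the password is stored only when no rule fails."""
    errors = complexity_errors(policy, new_pw)
    if history.seen(new_pw):
        errors.append(f"matches one of the last {policy.history_size} passwords")
    if not errors:
        history.add(new_pw, now)
    return errors


def is_expired(policy: PasswordPolicy, history: PasswordHistory, now: datetime) -> bool:
    return now >= history.set_at + timedelta(days=policy.max_age_days)


def renewal_notice(policy: PasswordPolicy, history: PasswordHistory, now: datetime) -> Optional[int]:
    """The renewal interval (days before expiry) that applies today, or None if no reminder is due."""
    days_left = (history.set_at + timedelta(days=policy.max_age_days) - now).days
    return days_left if days_left in policy.renewal_intervals_days else None


if __name__ == "__main__":
    pol, hist, t0 = PasswordPolicy(), PasswordHistory(3), datetime(2024, 1, 1)
    print(change_password(pol, hist, "Correct-Horse1", t0))     # constructed sample password
    print(change_password(pol, hist, "Correct-Horse1", t0))     # rejected: still remembered
    print(renewal_notice(pol, hist, datetime(2024, 3, 17)))      # 14 days before the 90-day expiry
```

With history_size 3, a password becomes reusable only after three other passwords have been set, which is exactly the "three previous passwords" example in the text; the renewal check is day-granular, so run it once per day rather than on every request.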

Custom User Fields

Custom fields can be created to be included in the user information of local users. See Local Users for information about creating and managing local users.

To edit custom fields, go to Authentication > User Account Policies > Custom User Fields. A maximum of three custom fields can be added.

Tokens

As of FortiAuthenticator 4.2, all FortiToken settings have been moved here so that they can be configured and controlled separately from the general user account policy settings. Additionally, you can now configure the FortiAuthenticator to allow the Windows Agent to cache future tokens for users when they are offline, using the Enable offline support setting.

To configure token policy settings, go to Authentication > User Account Policies > Tokens.

Note: As of FortiAuthenticator 4.3, the offline HOTP cache size limit has been increased from 100 to 1000.

Configure the following settings:

FortiTokens
  TOTP authentication window size: Configure the length of time, plus or minus the current time, that a FortiToken code is deemed valid, from 1 to 60 minutes (default is 1 minute).
  HOTP authentication window size: Configure the count, or number of times, that the FortiToken passcode is deemed valid, from 1 to 100 counts (default is 3 counts).
  TOTP sync window size: Configure the period of time in which the entry of an invalid token can trigger a synchronization, from 5 to 480 minutes (default is 60 minutes).
    If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.
  HOTP sync window size: Configure the count, or number of times, that the entry of an invalid token can trigger a synchronization, from 5 to 500 counts (default is 100 counts).
    If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.
  Seed encryption passphrase: Passphrase from which the seed encryption key is derived, for the seed returned when provisioning a FortiToken Mobile via web service (REST API).

FAC Agent Offline FortiToken Support
  Enable offline support: Enable this option to set the following:
    Shared secret: Set the shared secret used in offline support.
    TOTP cache size: Period of time after the last login for which offline TOTP tokens are pre-cached, from 1 to 14 days (default is 7 days).
    HOTP cache size: Number of offline HOTP tokens to pre-cache after the last login, from 1 to 1000 counts (default is 10 counts).

Email/SMS
  Token timeout: Set a time after which a token code sent via email or SMS will be marked as expired, from 10 to 3600 seconds (default is 60 seconds).