FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 1 - What's New for FortiOS 5.2 > Authentication


New authentication features include:

Captive Portal

There have been several changes made to authentication using a captive portal. Additional captive portal options have also been added for wireless networks. For more information, see Captive Portal for WiFi.

External Captive Portals

An external captive portal can be used to configure each FortiGate interface as an independent, external web URL. To configure an interface, go to System > Network > Interfaces and edit the desired interface. Select Captive Portal as the Security Mode, then set Authentication Portal to External and configure the other settings as required.

Once a client has been authenticated by the portal, by default they will be sent to original URL that was requested. The portal can also be configured to send the client to a hard coded URL that contains a replacement message.


In the following example, the LAN interface is configured with external captive portal that has a specified URL ( to redirect clients to after successful authentication.

config system interface

edit "lan"

set security-mode captive-portal

set security-external-web ""

set security-redirect-url ""

set security-groups "rug1"


Using Groups from the Security Policy

Portal interfaces can now be configured to use the user groups set in the security policies. This will happen by default if no user group is configured on the interface.

Exempting a Policy

Security policies can now be exempt from captive portals, using the command captive-portal-exempt enable.

Replacement Messages

The captive portal-specific replacement messages have been removed. Authentication replacement messages will be used for portals.

User Authentication via a POP3 Server

A POP3 server can now be used to verify user credentials when they authenticate through a web portal or any supported authentication method.

The following maximum values are associated with POP3 authentication:

  • A maximum of 10 pop3/pop3s servers can be defined per box
  • A single user group can have up to a pool of 6 POP3 servers assigned

POP3 authentication can be configured using the CLI:

Configuring a POP3 user

config user pop3

edit name

set server ""

set secure {starttls | pop3s | none}

set port 110


Configuring a POP3 user group

config user group

edit pop3_grp1

set member "pop3_server1" "pop3_server2"


Limiting Guest User Accounts

A new option to has been added to the guest user group where the administrator can restrict the maximum number of guest accounts that can be created. After the limit is reached, the portal administrator will need to remove some expired accounts. The number of accounts can be set from 1-1024 or left as unlimited (0 in the CLI), which is the default setting.

In the web-based manager, the lower limit is restricted if there are existing group members. In order to set a lower number, guest accounts must be removed prior to the limit being set.

config user group

edit guest-group

set group-type guest

set max-accounts [0-1024]


Nested Group Search in LDAP Authentication

Nested group search is a new feature added to Windows AD server when the LDAP server’s settings have group-member-check set to user-attr. After authentication succeeds, fnbamd gets groups from user attributes and repeats LDAP queries on the groups until reaches the top layer.


config user ldap

edit <ldap-server-name>

set search-type nested


Password Length for User Authentication

In FortiOS 5.2, the length for all passwords connected to user authentication features has been changed to support a maximum of 128 characters.

Certificates for Policy Authentication

The CA certificate used for policy authentication can now be configured, instead of being restricted to the built-in Fortinet certificate. By doing this, the authenticated user can be presented with a certificate that is already trusted by their browser and certificate errors can be avoided.


config user setting

set auth-ca-cert <name>


Authentication Blackouts

If five failed logins are made from an IP within one minute, the IP is put on a blackout list. Future logins from this IP are rejected as long as the IP is on this list. The IP remains on the blackout list for auth-blackout-time seconds. The amount of time an IP is blacklisted can be configured through the CLI:


config user setting

set auth-blackout-time 300


This feature only applies to IP-based authentication schemes.

Single Sign-On for Guest Accounts

The default FSSO_Guest_Users group has changed to SSO_Guest_Users. This group supports guests using both Fortinet Single Sign-On (FSSO) and RADIUS Single Sign-On (RSSO). Users can also now be added to this group SSO_Guest_group using the CLI.


config user group

edit SSO_Guest_group

set member <names>