syao
Staff & Editor
April 30, 2026

Technical Tip: How to enforce maximum devices per user in FortiAuthenticator


Description

This article describes how to enforce a maximum number of devices per user in FortiAuthenticator.

Scope

FortiGate v6.4+, FortiAuthenticator v6.4+.

Solution

In this example, a Usage Profile is configured on the FortiAuthenticator to enforce a maximum of one device per user. The FortiGate acts as the RADIUS client, while the FortiAuthenticator functions as the RADIUS server. FortiGate triggers a captive portal to authenticate test users.


RADIUS accounting is enabled to allow the FortiAuthenticator to track active authentication sessions for each user, ensuring that the maximum device limit is properly enforced.

  1. Configure FortiAuthenticator as a RADIUS server in FortiGate and enable RADIUS accounting.


config user radius
    edit "FAC"
        set server "10.47.4.98"
        set secret ENC I0X0Iva+/Zc4Q7MDFySz/SdpgMoidVQKDJY//azGiN3pd7iDfNGbRPOWOGYIhHXVoVxoo1tkm/hImprAl/tiQeEygW2RmD84VpgfEzTbjpCVz4xAmspYnIE5o4GShuEE9bzTE77uWte17PnIMaNSqW6+Xk6qySzpOZF1e7Auwq9J+K6Qnb9uQqExB5LsCZIDCBfIQFlmMjY3dkVA
        set acct-interim-interval 60
        config accounting-server
            edit 1
                set status enable
                set server "10.47.4.98"
                set secret ENC SaMLe0qNVe/6yqYmLnrGrgYVd/S98lN8H2wId03DlRtV4Dd775wFEeCFF13RK/HCmR5PnuYGY6S4K+EgCQ06uEJupJ+r84VSh2dK58tXxCFbQqIzqyJYCGX7lKPcTL6Du9WC2Tp5s7IoXgjdpKTDTCHew9uHtu9Mlnp8eyKnkFbPgLfQF3AvJgEoengOQEU8/jRlollmMjY3dkVA
                set port 1646
            next
        end
    next
end


  2. Create a user group in FortiGate.


config user group
    edit "Grp1"
        set member "FAC"
        config match
            edit 1
                set server-name "FAC"
                set group-name "Grp1"
            next
        end
    next
end


  3. Apply the user group in the firewall policy.


config firewall policy
    edit 1
        set name "Test"
        set uuid e851b02e-42e3-51f1-3521-b6777f658a42
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
        set groups "Grp1" <---
    next
end


  4. Enable radius-acct access on the FortiGate interface.


config system interface
    edit "port1"
        set vdom "root"
        set ip 10.47.35.71 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm radius-acct
        set type physical
        set snmp-index 1
    next
end


  5. Create a Usage Profile in FortiAuthenticator, then set the Maximum devices per user to 1.


69fd4d96.png


  6. Apply the usage profile in the user group.


c2857fb6.png


  7. Configure FortiGate as a RADIUS client in FortiAuthenticator.


eb013d32.png


  8. Create a RADIUS policy in FortiAuthenticator.


23b98bbd.png


  9. After the first device authenticates as the test user 'user1', the current RADIUS session can be viewed in FortiAuthenticator.


ae20f8fb.png


  10. Authenticating a second device as user1 fails because it would exceed the configured maximum number of devices. FortiAuthenticator records an authentication failure log, as shown below.


bd3df9ff.png
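
The session tracking this article relies on, as an added example that is not FortiAuthenticator's own code: a simplified Python model of how accounting Start/Interim-Update/Stop records let a RADIUS server count a user's active devices and reject a login past the limit. Using Calling-Station-Id as the device key, the STALE_AFTER timeout, and all function names are assumptions made for illustration.

```python
MAX_DEVICES = 1                     # "Maximum devices per user" from the Usage Profile
INTERIM_INTERVAL = 60               # acct-interim-interval configured on the FortiGate
STALE_AFTER = 3 * INTERIM_INTERVAL  # assumed: drop a session after 3 missed interim updates

def accounting(table, status, user, device, now):
    """Apply one Accounting-Request; status is the Acct-Status-Type value."""
    devices = table.setdefault(user, {})
    if status in ("Start", "Interim-Update"):
        devices[device] = now       # session is alive, refresh last-seen time
    elif status == "Stop":
        devices.pop(device, None)   # session ended, free the device slot

def access_request(table, user, device, now):
    """Decide a login attempt against the user's currently tracked devices."""
    devices = table.setdefault(user, {})
    # A lost Stop would otherwise hold the slot forever, so age out silent sessions.
    for dev in [d for d, seen in devices.items() if now - seen > STALE_AFTER]:
        del devices[dev]
    if device in devices or len(devices) < MAX_DEVICES:
        return "Access-Accept"
    return "Access-Reject"

def replay(events):
    """Replay (time, kind, user, device) tuples; return the auth decisions."""
    table, decisions = {}, []
    for now, kind, user, device in events:
        if kind == "Access-Request":
            decisions.append((now, device, access_request(table, user, device, now)))
        else:
            accounting(table, kind, user, device, now)
    return decisions

# Constructed sample traffic; the device identifiers are made-up MAC addresses.
SAMPLE = [
    (0,  "Access-Request", "user1", "aa:aa:aa:aa:aa:01"),
    (1,  "Start",          "user1", "aa:aa:aa:aa:aa:01"),
    (30, "Access-Request", "user1", "aa:aa:aa:aa:aa:02"),  # second device, limit reached
    (61, "Interim-Update", "user1", "aa:aa:aa:aa:aa:01"),
    (90, "Stop",           "user1", "aa:aa:aa:aa:aa:01"),
    (95, "Access-Request", "user1", "aa:aa:aa:aa:aa:02"),  # slot freed by the Stop
]

if __name__ == "__main__":
    for row in replay(SAMPLE):
        print(row)
```

In this model, replaying two Access-Requests with no accounting records between them accepts both devices, which is why step 1 enables accounting on the FortiGate.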