Technical Tip: 'policy-auth-concurrent' system global command clarified
Description
This article explains the 'policy-auth-concurrent' configuration parameter and clarifies its default value.
Scope
FortiGate.
Solution
The 'policy-auth-concurrent' option under 'config system global' controls whether the same user can be authenticated from multiple source IP addresses at the same time.
config system global
    set policy-auth-concurrent (0-100)
end
The default value for this setting is '0', meaning there is no limit to the number of source IP addresses that can be associated with a single user.
If this value is modified, captive portal and firewall policy authentication prevent a user from authenticating from additional IP addresses once the limit is reached, and display a browser warning.

For example, if policy-auth-concurrent is set to '1', each user can only be associated with one source IP address at a time. If a user has already been authenticated, future authentication requests for the same user from other source IP addresses will be denied.
config system global
    set policy-auth-concurrent 1
end
The 'policy-auth-concurrent' setting can be overridden at the user group or user level. When configured at the user or group level, 'auth-concurrent-value' takes precedence over the global 'policy-auth-concurrent' setting.
config user local
    edit <name>
        set auth-concurrent-override enable
        set auth-concurrent-value (1-100)
    next
end
config user group
    edit "fortilab_exchange"
        set auth-concurrent-override enable
        set auth-concurrent-value (1-100)
    next
end
Notes:
- The priority of the auth-concurrent setting is User group -> User -> Global setting.
- The auth-concurrent setting applies per VDOM.
- The auth-concurrent setting applies only to firewall policy authentication and captive portal authentication users. It does not apply to VPN users or firewall administrators.
- IPsec VPN does not permit limiting the number of concurrent connections from the same user; see this article: Technical Tip: IPsec Remote access VPN permits multiple connections from the same user.
- SSL VPN does permit limiting users to one VPN connection at a time; see this article: Technical Tip: Multiple sessions of SSL VPN users.
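
The priority order in the notes above, as an added example (not Fortinet code): a Python sketch that reads a flat, single-VDOM configuration backup and returns the limit that applies to a given user authenticating through a given user group. The sample configuration is constructed, the function names are hypothetical, and an enabled override with no 'auth-concurrent-value' line in the backup is treated as absent (an assumption).

```python
import shlex

# Constructed sample in the layout of a FortiGate configuration backup (one VDOM).
SAMPLE = """\
config system global
    set policy-auth-concurrent 1
end
config user local
    edit "alice"
        set auth-concurrent-override enable
        set auth-concurrent-value 3
    next
end
config user group
    edit "fortilab_exchange"
        set auth-concurrent-override enable
        set auth-concurrent-value 2
    next
    edit "guests"
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: [values]}}}; non-table sections use entry ''.
    Handles flat sections only (no nested 'config' inside an 'edit')."""
    cfg, section, entry = {}, None, ""
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), ""
        elif tok[0] in ("edit", "next"):
            entry = tok[1] if tok[0] == "edit" else ""
        elif tok[0] == "set" and section:
            cfg.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
    return cfg

def override(obj):
    """Limit from auth-concurrent-value when the override is enabled, else None."""
    if obj.get("auth-concurrent-override") == ["enable"] and "auth-concurrent-value" in obj:
        return int(obj["auth-concurrent-value"][0])
    return None

def effective_limit(cfg, user, group):
    """Apply the documented priority: user group -> user -> global (0 = no limit)."""
    for obj in (cfg.get("user group", {}).get(group, {}), cfg.get("user local", {}).get(user, {})):
        limit = override(obj)
        if limit is not None:
            return limit
    return int(cfg.get("system global", {}).get("", {}).get("policy-auth-concurrent", ["0"])[0])
```

Run it against the configuration of each VDOM separately, since the setting applies per VDOM.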
