acardona
Staff
Article Id 332115
Description: This article describes how to limit the number of devices from which the same wireless user can be authenticated at the same time, using LDAP authentication and FortiAP.
Scope: FortiGate, FortiAP.
FortiOS 7.4.3 and FortiAP 7.4.3 were used for this example.
Solution

In this article, the authentication is performed by LDAP. For the LDAP server setup, see:

How to configure FortiGate to use an LDAP server

 

Create a user group and enable auth-concurrent-override to control how many concurrent authentications the same user account is allowed to have.

 

config user group
    edit "LDAP-group"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override enable
        set auth-concurrent-value 2   <- The same user can be authenticated from 2 sources at the same time; the third device will fail authentication.
        set http-digest-realm ''
        set member "ldap"
    next
end

 

Reference the User Group in the SSID profile.

 

[Screenshot: SSID profile referencing the user group]

 

Then try to authenticate with multiple devices using the same account. The simultaneous sessions can be seen under Firewall Users.

 

[Screenshot: Firewall Users showing two sessions for the same account]

 

The following CLI command lists the authenticated users:

 

diagnose firewall auth list
192.168.8.3, alejandro cardona
        src_mac: aa:bb:cc:26:60:32
        type: fw, id: 0, duration: 415, idled: 11
        expire: 126, allow-idle: 300
        flag(100): wsso
        server: ldap
        packets: in 349 out 281, bytes: in 212003 out 39161
        group_id: 2
        group_name: LDAP-group
192.168.8.4, alejandro cardona
        src_mac: dd:ee:ff:13:7c:f0
        type: fw, id: 0, duration: 361, idled: 12
        expire: 226, allow-idle: 300
        flag(100): wsso
        server: ldap
        packets: in 6697 out 4157, bytes: in 5878252 out 1733021
        group_id: 2
        group_name: LDAP-group
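To audit the limit from the CLI output rather than the GUI, the following Python script parses the text printed by `diagnose firewall auth list`, counts the sessions per user name, and reports which users have reached a given `auth-concurrent-value`. This is an added example, not code from the Fortinet article or from FortiOS; the embedded sample is the two entries shown above, and the field layout it assumes (an unindented `<ip>, <user>` line followed by indented `key: value` lines) is taken from that output only.

```python
"""Count concurrent sessions per user in `diagnose firewall auth list` output.

Added example (not part of the Fortinet article): the parser assumes each
session starts with an unindented "<ip>, <user name>" line followed by
indented "key: value" lines, as in the output shown in the article.
"""
import re
from collections import defaultdict

# Constructed sample: the two entries printed in the article's CLI output.
SAMPLE_OUTPUT = """\
192.168.8.3, alejandro cardona
        src_mac: aa:bb:cc:26:60:32
        type: fw, id: 0, duration: 415, idled: 11
        expire: 126, allow-idle: 300
        flag(100): wsso
        server: ldap
        packets: in 349 out 281, bytes: in 212003 out 39161
        group_id: 2
        group_name: LDAP-group
192.168.8.4, alejandro cardona
        src_mac: dd:ee:ff:13:7c:f0
        type: fw, id: 0, duration: 361, idled: 12
        expire: 226, allow-idle: 300
        flag(100): wsso
        server: ldap
        packets: in 6697 out 4157, bytes: in 5878252 out 1733021
        group_id: 2
        group_name: LDAP-group
"""

# A session entry starts with an unindented "<ipv4>, <user name>" line.
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(.+?)\s*$")
# Indented "key: value" lines belong to the most recent entry.
FIELD_RE = re.compile(r"^\s+([\w()-]+):\s*(.*)$")


def parse_auth_list(text):
    """Return one dict per authenticated session (ip, user, plus the key/value fields)."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"ip": m.group(1), "user": m.group(2)}
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first entry (e.g. the command echo)
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return entries


def sessions_per_user(entries, group_name=None):
    """Map user name -> number of sessions, optionally restricted to one user group."""
    counts = defaultdict(int)
    for e in entries:
        if group_name and e.get("group_name") != group_name:
            continue
        counts[e["user"]] += 1
    return dict(counts)


def users_at_limit(entries, limit, group_name=None):
    """User names whose session count has reached the group's auth-concurrent-value."""
    counts = sessions_per_user(entries, group_name)
    return sorted(user for user, n in counts.items() if n >= limit)


if __name__ == "__main__":
    sessions = parse_auth_list(SAMPLE_OUTPUT)
    for user, n in sessions_per_user(sessions).items():
        print(f"{user}: {n} session(s)")
    # With auth-concurrent-value 2 on LDAP-group, this user is at the limit.
    print("at limit:", users_at_limit(sessions, 2, "LDAP-group"))
```

Feed it the saved output of the command (for example from a scheduled SSH job) and compare the result against the `auth-concurrent-value` configured on the group; a user listed by `users_at_limit` will have the next device's authentication rejected.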

 

When a third device attempts to authenticate with the same account, the following message is shown:

 

[Screenshot: authentication failure message on the third device]

 

 

Related articles:

Technical Tip: Limiting concurrent user authentication

Technical Tip: 'policy-auth-concurrent' system global command clarified