Description
This article explains 'policy-auth-concurrent' utilization from CLI and clarifies its default value.
Solution
The option 'policy-auth-concurrent' under the system global profile controls whether the same user can be authenticated from multiple sources at the same time.
The default value for this setting is '0', which means there is no concurrent login limit for users. If this value is set to '1', a user can be authenticated from only one source IP.
That means that if a user has already been authenticated, authentication requests for the same user from other sources will be denied.
# config system global
    set policy-auth-concurrent (0-100)
end
Example.
# config system global
    set policy-auth-concurrent 1
end
With the auth-concurrent limit set to 1, a user can log in from only 1 source IP.
The auth-concurrent setting can also be configured at the user group or user level. If it is set at the user or group level, it takes precedence over the global setting.
# config user local
    edit <name>
        set auth-concurrent-override enable
        set auth-concurrent-value (1-100)
end
# config user group
    edit "fortilab_exchange"
        set auth-concurrent-override enable
        set auth-concurrent-value (1-100)
end
Note.
The priority of the auth-concurrent setting is User group -> User -> Global setting.
The auth-concurrent setting applies per VDOM. If the user is authenticated in one firewall policy, it will not be allowed to authenticated.
The auth-concurrent setting only applies to firewall authentication or captive portal authentication users.
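The precedence described above (User group -> User -> Global) can be checked offline against a configuration export. The following Python is an added example, not Fortinet code: it reads a FortiOS-style configuration and returns the limit that applies to a local user, together with the level it came from. The sample configuration, the function names and the use of the group 'set member' line are assumptions for illustration, as are two choices the article does not cover: a single VDOM, and, for a user in several groups, taking the first group that has the override enabled.

```python
import re

# Constructed sample in FortiOS backup style (not taken from a real device).
SAMPLE = """
config system global
    set policy-auth-concurrent 0
end
config user local
    edit "alice"
        set auth-concurrent-override enable
        set auth-concurrent-value 2
    next
    edit "bob"
    next
end
config user group
    edit "fortilab_exchange"
        set member "alice"
        set auth-concurrent-override enable
        set auth-concurrent-value 1
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: [values]}}}; global settings use entry ''."""
    cfg, section, entry = {}, "", ""
    for line in text.splitlines():
        w = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if w[:1] == ["config"]:
            section, entry = " ".join(w[1:]), ""
        elif w[:1] == ["edit"]:
            entry = w[1]
            cfg.setdefault(section, {}).setdefault(entry, {})
        elif w[:1] == ["set"]:
            cfg.setdefault(section, {}).setdefault(entry, {})[w[1]] = w[2:]
    return cfg

def override(e):  # limit set on a user or group entry, or None if no override
    on, val = e.get("auth-concurrent-override"), e.get("auth-concurrent-value")
    return int(val[0]) if on == ["enable"] and val else None

def effective_limit(cfg, name):
    """Return (limit, source) for one user; limit 0 means no concurrent limit."""
    glob = cfg.get("system global", {}).get("", {}).get("policy-auth-concurrent", ["0"])
    hits = [(override(g), "group " + gn) for gn, g in cfg.get("user group", {}).items()
            if name in g.get("member", [])]
    hits.append((override(cfg.get("user local", {}).get(name, {})), "user"))
    return next((h for h in hits if h[0] is not None), (int(glob[0]), "global"))
```

With the sample above, effective_limit(parse(SAMPLE), "alice") returns (1, "group fortilab_exchange") because the group override wins over the user value of 2, while "bob" falls back to the global value and gets (0, "global"), that is, no limit.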