imran
New Contributor

User Authentication on Fortinet

I am using a FortiGate 1000C and I have users on the network who browse the internet after successful authentication. Actually, we have applied different policies to different groups. Some users share their usernames/passwords with their so the other one can access the websites/applications. We want to activate the user at only one workstation rather than having sessions on different 

If someone else uses the same credentials, they shouldn't be logged in.

3 REPLIES
Carl_Windsor_FTNT

It is possible to set the "Maximum concurrent user sessions" to 1 under Fortinet SSO Methods > SSO > General, however on second login, it will invalidate the first (not prevent the second). Enforcing a single session would cause problems when a user legitimately moves from one device to another (and a logoff is not detected from the first session).

This sounds more like a need for user training on the organisation's acceptable use policy, as nobody should ever share their password as they will become liable for the actions of others.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

imran

Hi Carl,

Yes, you are right, we have the policy but it is not strict; that's why users are sharing passwords.

One more thing I want to know: if I apply the SSO method, how will it affect the existing authentication, that is, the LDAP servers?

Thanks

imran

xsilver_FTNT

Hello Imran,

There is no direct impact or interference between authentication methods. The one defined by the firewall policy in use will be used.

I would not suggest using two different (SSO and LDAP) based authentication user groups in a single policy, but rather use automatic fall-through (FortiOS 5.2 and later), or explicitly stated fall-through on older FortiOS (4.3-5.0), and have two consecutive identity-based policies: the first with FSSO (passive auth, no user input needed) and the second with an active method like LDAP captive portal.

Even NTLM can be used as a 'passive' method if set properly on FortiGate and workstations.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
