Debbie_FTNT (Staff)
Article Id 288959
Description

This article covers some frequently asked questions regarding FortiAuthenticator licensing and expands on these documents:

Scope

FortiAuthenticator

Solution

FortiAuthenticator devices have some licensed limits that apply to various configurations. For hardware devices, the limits are inbuilt (though for some models, additional licenses may be purchased).

For a VM, most configuration limits derive from the licensed user count. For example, with a basic 100-user license, 4 remote RADIUS servers (users divided by 25) and 10 user groups (users divided by 10) may be created. The limits (and the metric used to calculate them) are listed in the release notes of each firmware version.

The following topics answer common questions about FortiAuthenticator licensing.

1. How users are counted.

FortiAuthenticator counts as a 'user' any user account created on it; this includes local users, remote users, and guest users. Some use cases do NOT require a user account to be created on FortiAuthenticator, and thus do not consume user licenses.

Only accounts on FortiAuthenticator are counted; the number of devices/MAC-Addresses/active connections associated with each user has no impact.

2. Guest users count towards the license limit.


Guest users do count towards the license limit. However, guest user accounts usually have only a limited duration, and enabling the purging of expired accounts (under Authentication -> User Account Policies -> General) deletes expired guest user accounts and frees up their license count again.

3. How machine-based authentication (not user-based authentication) may or may not count towards the license limit.

If using MAC-based authentication or MAC-Bypass, FortiAuthenticator checks the provided MAC address against the MAC Devices it has stored (under Authentication -> User Management -> MAC Devices; the limit is equal to the user count multiplied by five). This does not use up any user count.
If using EAP-TLS authentication with certificates, this does count towards the license limit, because FortiAuthenticator needs an imported 'user' (the computer account from LDAP) to check the client certificate against (see Technical Tip: FortiAuthenticator 802.1x EAP-TLS with computer authentication for how to configure EAP-TLS with computer authentication). In this case, the computer itself is counted as a user, no matter who or how many users are actually logged in on the computer.

4. What happens if the user licenses are exhausted.

FortiAuthenticator will keep functioning when this occurs. However, it is not possible to create new local, remote or guest users, and Remote User Sync rules will fail to import users beyond the license limit. There is no grace period: as soon as the license limit is reached, no new users can be created, and old users must be deleted first (or the license must be upgraded) to allow creation of additional users.

5. What happens if the license IP is changed on FortiAuthenticator.

In this case, the license enters the 'Disabled' status and limits are enforced as if FortiAuthenticator were unlicensed. No existing configuration is removed and FortiAuthenticator continues to function, but it is not possible to add additional users and other configuration items until the mismatch between the IP and the license is fixed.

6. How to apply updated license limits (or a changed IP) to FortiAuthenticator.

If the license limits are changed or the IP the license is linked to is changed, download the updated license file from the support portal (support.fortinet.com) under Asset -> the FortiAuthenticator in question, then upload the file to FortiAuthenticator to apply the license changes.

Note: Uploading the license triggers a reboot. Additionally, interface IPs must be changed manually to reflect the new license.