Monday, January 9, 2017

Configuring password expiration for FortiGate users


A FortiGate device allows you to create a password policy for administrative accounts via the web interface.  Unfortunately this functionality is not exposed for normal, local user accounts.  Typically this isn't a big pain point as I would imagine that most customers would make use of external authentication (FSSO / LDAP / Radius etc.).  That said, I recently had a situation where a client had a bunch of local users configured and they wanted to implement password expiry, with users being prompted to change passwords upon expiry.  Authentication was done via Captive Portal.

The FortiOS handbook came up blank, but a chat with my Fortinet SE provided me with a solution.  First we need to configure the actual policy, then apply it to a user account. 

The password policy is configured like so:

config user password-policy
edit "pwpol01"
set expire-days 2
set warn-days 1

We then apply it to a user:

config user local
edit "user01"
set type password
set passwd-policy "pwpol01"

Unfortunately password policies can only be applied to users, and not to groups, so it is a bit of a pain if you have lots of users, although in that use case you will be better off using external authentication or FortiAuthenticator.  When the configurable number of days has been reached, the user will be prompted via their captive portal to renew their password before the expiration day is reached.