config user user-group
Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.
Suggested steps:
- Configure LDAP and RADIUS servers, if applicable.
- Configure local users.
- Configure user groups (reference servers and local users).
- Configure an authorization policy (reference the user group).
- Configure the virtual server (reference the authorization policy).
Before you begin:
- You must have created configuration objects for any LDAP and RADIUS server you want to use, and you must have created user accounts for local users.
- You must have read-write permission for system settings.
After you have created user groups, you can specify them in the load-balance auth-policy configuration.
Syntax
config user user-group
edit <name>
set auth-log {none|fail|success|all}
set auth-timeout <integer>
set user-cache {enable|disable}
set user-cache-timeout <integer>
set client-auth-method http_auth|html_form_auth
set auth_form_profile <default/profile_name>
set group-type normal|SSO
config member
edit <No.>
set type {local|ldap|radius}
set local-user {<name> <name> ...}
set ldap-server <datasource>
set radius-server <datasource>
next
end
config user cust_auth_form
edit <name>
set auth_form-file <file>
set username_field <username field name>
set password_field <password field name>
set virtual_path <virtual path>
next
end
next
end
|
auth-log |
Specify one of the following logging options for authentication events:
|
|
auth-timeout |
Timeout for query sent from FortiADC to a remote authentication server. |
|
user-cache |
Enable to cache the credentials for the remote users (LDAP, RADIUS) once they are authorized. |
|
user-cache-timeout |
Timeout for cached user credentials. |
|
client-auth-method |
Specify http_auth or html_form_auth. |
|
auth_form_profile |
Set profile of authentication form. You can use the default or the profile name in cust_auth_form |
|
group-type |
Specify normal or SSO. |
|
config member |
|
|
type |
Authentication server type. |
|
local-user |
To add local users, specify the local usernames. |
|
ldap-server |
To add LDAP users, specify the LDAP server configuration name. |
|
radius-server |
To add RADIUS users, specify the server configuration name. |
|
config user cust_auth_form |
|
|
auth_form-file |
Profile name of authentication form |
|
username_field |
Username field name in customized form |
|
password_field |
The password field name in customized form |
|
virtual_path |
The virtual path to redirect |
Example
config user user-group
edit "normal-group"
set client_auth_method html_form_auth
set auth_form_profile <default/profile_name>
config member
edit 1
set local-user local-user-1
next
edit 2
set type ldap
set ldap-server ldap-server
next
edit 3
set type radius
set radius-server radius-server
next
end
next
config user cust_auth_form
edit "test"
set auth_form-file local-user-1_tst.zip
set username_field user-1
set password_field pw-1
set virtual_path <virtual_path>
next
end
edit "SSO-Kerbros-Group"
set group-type SSO
set authentication-relay auth-relay-1
set logoff-path logoff.html
set sso-support enable
set sso-domain kfor.com
config member
edit 1
set local-user local-user-1
next
edit 2
set type ldap
set ldap-server ldap-server
next
edit 3
set type radius
set radius-server radius-server
next
end
next
edit "SSO-HTTPBasic-Group"
set group-type SSO
set authentication-relay auth-relay-2
set logoff-path logoff
set sso-support enable
set sso-domain sss.com
config member
end
next
end