
CLI Reference

config user user-group

Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.

Suggested steps:
  1. Configure LDAP, RADIUS and TACACS+ servers, if applicable.
  2. Configure local users.
  3. Configure user groups (reference servers and local users).
  4. Configure an authorization policy (reference the user group).
  5. Configure the virtual server (reference the authorization policy).
Before you begin:
  • You must have created configuration objects for any LDAP, RADIUS and/or TACACS+ server you want to use, and you must have created user accounts for local users.
  • You must have read-write permission for system settings.

After you have created user groups, you can specify them in the load-balance auth-policy configuration.

Syntax

config user user-group
    edit <name>
        set auth-log {none|fail|success|all}
        set auth-session-timeout <integer>
        set auth-timeout <integer>
        set user-cache {enable|disable}
        set user-cache-timeout <integer>
        set client-auth-method {html_form_auth|http_auth|ntlm_auth}
        set use-default-form {enable|disable}
        set auth_form_profile <datasource>
        set group-type {normal|SSO}
        set authentication-relay <datasource>
        set sso-support {enable|disable}
        set sso-domain <string>
        set logoff-path <string>
        config member
            edit <No.>
                set type {local|ldap|radius|tacacs_plus}
                set local-user {<name> <name> ...}
                set ldap-server <datasource>
                set radius-server <datasource>
                set tacacs-plus-server <datasource>
            next
        end
    next
end

config user cust_auth_form
    edit <name>
        set auth_form-file <file>
        set username_field <username field name>
        set password_field <password field name>
        set virtual_path <virtual path>
    next
end

auth-log

Specify one of the following logging options for authentication events:

  • none — No logging
  • fail — Log failed attempts
  • success — Log successful attempts
  • all — Log all (both failed and successful attempts)

auth-session-timeout

Specify the authentication session timeout. Valid values range from 1 to 180 minutes. The default is 3 (minutes).

auth-timeout

Timeout for a query sent from FortiADC to a remote authentication server. The default is 2000 milliseconds. The valid range is 1-60,000 milliseconds.

user-cache

Enable to cache the credentials for the remote users (LDAP, RADIUS, TACACS+) once they are authorized.

user-cache-timeout

The user-cache-timeout option is available if user-cache is enabled.

Timeout for cached user credentials. The default is 300 seconds. The valid range is 1-86,400 seconds.

client-auth-method

Specify one of the following methods for authenticating clients:

  • html_form_auth
  • http_auth
  • ntlm_auth (only if you want to use an NTLM server as an authentication server)

use-default-form

The use-default-form option is available if client-auth-method is html_form_auth.

Enabled by default to use the default authentication form. Disable to use a customized authentication form.

auth_form_profile

The auth_form_profile option is available if client-auth-method is html_form_auth and use-default-form is disabled.

Set the authentication form profile. You can use the default or the name of a profile configured in cust_auth_form.

group-type

  • normal — Default. No action is needed.
  • sso — Enables Single Sign-On (SSO).

authentication-relay

The authentication-relay option is available if group-type is sso.

Set an authentication relay profile.

sso-support

The sso-support option is available if group-type is sso.

Enable/disable SSO Cross Domain Support. This is disabled by default. When enabled, you must specify the SSO domain.

Note:
Authentication policies cannot be applied to multiple virtual servers. For security reasons, such as protection against XSS attacks, there is no shared mechanism between virtual servers to decrypt cookies. As a result, you cannot log into a second virtual server while already logged into the first virtual server, because the virtual servers are independent from each other.
SSO Cross Domain Support allows you to have multiple domain names on the same virtual server (the virtual host): you specify a first-level domain name so that the second-level domain names on that virtual server can decrypt cookies at the same time.

sso-domain

The sso-domain option is available if group-type is sso and sso-support is enabled.

Specify the SSO domain.

logoff-path

The logoff-path option is available if group-type is sso.

Specify the log-off URL.

config member

type

Authentication server type.

local-user

To add local users, specify the local usernames.

ldap-server

To add LDAP users, specify the LDAP server configuration name.

radius-server

To add RADIUS users, specify the RADIUS server configuration name.

tacacs-plus-server

To add TACACS+ users, specify the TACACS+ server configuration name.

config user cust_auth_form

auth_form-file

Profile name of the authentication form.

username_field

The username field name in the customized form.

password_field

The password field name in the customized form.

virtual_path

The virtual path to redirect to.

Example

config user user-group
    edit "normal-group"
        set client-auth-method html_form_auth
        set auth_form_profile <default/profile_name>
        config member
            edit 1
                set local-user local-user-1
            next
            edit 2
                set type ldap
                set ldap-server ldap-server
            next
            edit 3
                set type radius
                set radius-server radius-server
            next
        end
    next
    edit "SSO-Kerbros-Group"
        set group-type SSO
        set authentication-relay auth-relay-1
        set logoff-path logoff.html
        set sso-support enable
        set sso-domain kfor.com
        config member
            edit 1
                set local-user local-user-1
            next
            edit 2
                set type ldap
                set ldap-server ldap-server
            next
            edit 3
                set type radius
                set radius-server radius-server
            next
        end
    next
    edit "SSO-HTTPBasic-Group"
        set group-type SSO
        set authentication-relay auth-relay-2
        set logoff-path logoff
        set sso-support enable
        set sso-domain sss.com
        config member
        end
    next
end

config user cust_auth_form
    edit "test"
        set auth_form-file local-user-1_tst.zip
        set username_field user-1
        set password_field pw-1
        set virtual_path <virtual_path>
    next
end
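As an added review check that is not part of this Fortinet reference: a small Python linter that parses `config user user-group` blocks written in the CLI syntax above and flags settings that weaken auditing or session hygiene (auth-log not set to all, user-cache enabled with a long user-cache-timeout, sso-support enabled without an sso-domain). The 3600-second cache threshold and the sample configuration are assumptions constructed for this example, not FortiADC values.

```python
DEFAULTS = {"user-cache": "disable", "user-cache-timeout": 300}  # defaults from this page
MAX_CACHE_TTL = 3600  # assumed local policy threshold, not a FortiADC value
# Constructed sample in this page's CLI syntax (not captured from a device).
SAMPLE = """config user user-group
    edit "normal-group"
        set auth-log fail
        set user-cache enable
        set user-cache-timeout 86400
        config member
            edit 1
                set type ldap
                set ldap-server ldap-server
            next
        end
    next
    edit "SSO-Group"
        set group-type SSO
        set sso-support enable
    next
end
"""

def parse_user_groups(text):
    """Return {group: {setting: value}}; nested `config member` tables are skipped."""
    groups, current, depth = {}, None, 0
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            current = line[5:].strip('"')
            groups[current] = {}
        elif line.startswith("set ") and depth == 1 and current:
            key, _, value = line[4:].partition(" ")
            groups[current][key] = value
    return groups
def lint(groups):
    """Return (group, finding) pairs; an empty list means no findings."""
    out = []
    for name, s in groups.items():
        log = s.get("auth-log", "unset")
        if log != "all":  # partial or no logging of authentication events
            out.append((name, f"auth-log {log}: not all authentication events are logged"))
        ttl = int(s.get("user-cache-timeout", DEFAULTS["user-cache-timeout"]))
        if s.get("user-cache", DEFAULTS["user-cache"]) == "enable" and ttl > MAX_CACHE_TTL:
            out.append((name, f"user-cache-timeout {ttl}s: cached remote credentials outlive policy"))
        if s.get("group-type", "normal").lower() == "sso" and s.get("sso-support") == "enable" and "sso-domain" not in s:
            out.append((name, "sso-support enable requires sso-domain"))
    return out
```

Run `lint(parse_user_groups(SAMPLE))` against a `show user user-group` dump to list the groups that need attention.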
