Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.6.0 CLI Reference
    7.6.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config user user-group

    config user user-group

    Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.

    Suggested steps:
    1. Configure LDAP, RADIUS and TACACS+ servers, if applicable.
    2. Configure local users.
    3. Configure user groups (reference servers and local users).
    4. Configure an authorization policy (reference the user group).
    5. Configure the virtual server (reference the authorization policy).
    Before you begin:
    • You must have created configuration objects for any LDAP, RADIUS and/or TACACS+ server you want to use, and you must have created user accounts for local users.
    • You must have read-write permission for system settings.

    After you have created user groups, you can specify them in the load-balance auth-policy configuration.

    Syntax

    config user user-group

    edit <name>

    set auth-log {none|fail|success|all}

    set auth-session-timeout <integer>

    set auth-timeout <integer>

    set user-cache {enable|disable}

    set user-cache-timeout <integer>

    set client-auth-method {html_form_auth|http_auth|ntlm_auth}

    set use-default-form {enable|disable}

    set auth_form_profile <datasource>

    set group-type {normal|SSO}

    set authentication-relay <datasource>

    set sso-support {enable|disable}

    set sso-domain <string>

    set logoff-path <string>

    config member

    edit <No.>

    set type {local|ldap|radius|tacacs_plus}

    set local-user {<name> <name> ...}

    set ldap-server <datasource>

    set radius-server <datasource>

    set tacacs-plus-server <datasource>

    next

    end

    config user cust_auth_form

    edit <name>

    set auth_form-file <file>

    set username_field <username field name>

    set password_field <password field name>

    set virtual_path <virtual path>

    next

    end

    next

    end

    auth-log

    Specify one of the following logging options for authentication events:

    • none — No logging
    • fail — Log failed attempts
    • success — Log successful attempts
    • all — Log all (both failed and successful attempts)

    auth-session-timeout

    Specify the authentication session timeout. Valid values range from 1 to 180 minutes. The default is 3 (minutes).

    auth-timeout

    Timeout for query sent from FortiADC to a remote authentication server. The default is 2000 milliseconds. The valid range is 1-60,000 milliseconds.

    user-cache

    Enable to cache the credentials for the remote users (LDAP, RADIUS, TACACS+) once they are authorized.

    user-cache-timeout

    The user-cache-timeout option is available if user-cache is enabled.

    Timeout for cached user credentials. The default is 300 seconds. The valid range is 1-86,400 seconds.

    client-auth-method
    • html_form_auth
    • http_auth
    • ntlm_auth (only if you want to use NTLM server as a authentication server)

    use-default-form

    The use-default-form option is available if client-auth-method is html_form_auth.

    Enabled by default to use the default authentication form. Disable to use a customized authentication form.

    auth_form_profile

    The auth_form_profile option is available if client-auth-method is html_form_auth and use-default-form is disabled.

    Set profile of authentication form. You can use the default or the profile name in cust_auth_form.

    group-type
    • normal — Default. No action is needed.
    • sso — enables Single Sign-On (SSO).

    authentication-relay

    The authentication-relay option is available if group-type is sso.

    Set an authentication relay profile.

    sso-support

    The sso-support option is available if group-type is sso.

    Enable/disable SSO Cross Domain Support. This is disabled by default. When enabled, you must specify the SSO domain.

    Note:
    Authentication policies cannot be applied to multiple virtual servers. Due to security reasons, such as protection against XSS attacks, there is no shared mechanism between virtual servers to decrypt cookies. As a result, you cannot log into a second virtual server while already logged into the first virtual server as the virtual servers are independent from each other.
    SSO Cross Domain Support allows you to have multiple domain names on the same virtual server (the virtual host), where you can specify a first-level domain name to enable the second-level domain names on the virtual server to decrypt cookies at the same time.

    sso-domain

    The sso-domain option is available if group-type is sso and sso-support is enabled.

    Specify the SSO domain.

    logoff-path

    The logoff-path option is available if group-type is sso.

    Specify the log-off URL.

    config member

    type

    Authentication server type.

    local-user

    To add local users, specify the local usernames.

    ldap-server

    To add LDAP users, specify the LDAP server configuration name.

    radius-server

    To add RADIUS users, specify the RADIUS server configuration name.

    tacacs-plus-server

    To add TACACS+ users, specify the TACACS+ server configuration name.

    config user cust_auth_form

    auth_form-file

    Profile name of authentication form

    username_field

    Username field name in customized form

    password_field

    The password field name in customized form

    virtual_path

    The virtual path to redirect

    Example

    config user user-group

    edit "normal-group"

    set client_auth_method html_form_auth

    set auth_form_profile <default/profile_name>

    config member

    edit 1

    set local-user local-user-1

    next

    edit 2

    set type ldap

    set ldap-server ldap-server

    next

    edit 3

    set type radius

    set radius-server radius-server

    next

    end

    next

    config user cust_auth_form

    edit "test"

    set auth_form-file local-user-1_tst.zip

    set username_field user-1

    set password_field pw-1

    set virtual_path <virtual_path>

    next

    end

    edit "SSO-Kerbros-Group"

    set group-type SSO

    set authentication-relay auth-relay-1

    set logoff-path logoff.html

    set sso-support enable

    set sso-domain kfor.com

    config member

    edit 1

    set local-user local-user-1

    next

    edit 2

    set type ldap

    set ldap-server ldap-server

    next

    edit 3

    set type radius

    set radius-server radius-server

    next

    end

    next

    edit "SSO-HTTPBasic-Group"

    set group-type SSO

    set authentication-relay auth-relay-2

    set logoff-path logoff

    set sso-support enable

    set sso-domain sss.com

    config member

    end

    next

    end

    Previous
    Next

    config user user-group

    config user user-group

    Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.

    Suggested steps:
    1. Configure LDAP, RADIUS and TACACS+ servers, if applicable.
    2. Configure local users.
    3. Configure user groups (reference servers and local users).
    4. Configure an authorization policy (reference the user group).
    5. Configure the virtual server (reference the authorization policy).
    Before you begin:
    • You must have created configuration objects for any LDAP, RADIUS and/or TACACS+ server you want to use, and you must have created user accounts for local users.
    • You must have read-write permission for system settings.

    After you have created user groups, you can specify them in the load-balance auth-policy configuration.

    Syntax

    config user user-group

    edit <name>

    set auth-log {none|fail|success|all}

    set auth-session-timeout <integer>

    set auth-timeout <integer>

    set user-cache {enable|disable}

    set user-cache-timeout <integer>

    set client-auth-method {html_form_auth|http_auth|ntlm_auth}

    set use-default-form {enable|disable}

    set auth_form_profile <datasource>

    set group-type {normal|SSO}

    set authentication-relay <datasource>

    set sso-support {enable|disable}

    set sso-domain <string>

    set logoff-path <string>

    config member

    edit <No.>

    set type {local|ldap|radius|tacacs_plus}

    set local-user {<name> <name> ...}

    set ldap-server <datasource>

    set radius-server <datasource>

    set tacacs-plus-server <datasource>

    next

    end

    config user cust_auth_form

    edit <name>

    set auth_form-file <file>

    set username_field <username field name>

    set password_field <password field name>

    set virtual_path <virtual path>

    next

    end

    next

    end

    auth-log

    Specify one of the following logging options for authentication events:

    • none — No logging
    • fail — Log failed attempts
    • success — Log successful attempts
    • all — Log all (both failed and successful attempts)

    auth-session-timeout

    Specify the authentication session timeout. Valid values range from 1 to 180 minutes. The default is 3 (minutes).

    auth-timeout

    Timeout for query sent from FortiADC to a remote authentication server. The default is 2000 milliseconds. The valid range is 1-60,000 milliseconds.

    user-cache

    Enable to cache the credentials for the remote users (LDAP, RADIUS, TACACS+) once they are authorized.

    user-cache-timeout

    The user-cache-timeout option is available if user-cache is enabled.

    Timeout for cached user credentials. The default is 300 seconds. The valid range is 1-86,400 seconds.

    client-auth-method
    • html_form_auth
    • http_auth
    • ntlm_auth (only if you want to use NTLM server as a authentication server)

    use-default-form

    The use-default-form option is available if client-auth-method is html_form_auth.

    Enabled by default to use the default authentication form. Disable to use a customized authentication form.

    auth_form_profile

    The auth_form_profile option is available if client-auth-method is html_form_auth and use-default-form is disabled.

    Set profile of authentication form. You can use the default or the profile name in cust_auth_form.

    group-type
    • normal — Default. No action is needed.
    • sso — enables Single Sign-On (SSO).

    authentication-relay

    The authentication-relay option is available if group-type is sso.

    Set an authentication relay profile.

    sso-support

    The sso-support option is available if group-type is sso.

    Enable/disable SSO Cross Domain Support. This is disabled by default. When enabled, you must specify the SSO domain.

    Note:
    Authentication policies cannot be applied to multiple virtual servers. Due to security reasons, such as protection against XSS attacks, there is no shared mechanism between virtual servers to decrypt cookies. As a result, you cannot log into a second virtual server while already logged into the first virtual server as the virtual servers are independent from each other.
    SSO Cross Domain Support allows you to have multiple domain names on the same virtual server (the virtual host), where you can specify a first-level domain name to enable the second-level domain names on the virtual server to decrypt cookies at the same time.

    sso-domain

    The sso-domain option is available if group-type is sso and sso-support is enabled.

    Specify the SSO domain.

    logoff-path

    The logoff-path option is available if group-type is sso.

    Specify the log-off URL.

    config member

    type

    Authentication server type.

    local-user

    To add local users, specify the local usernames.

    ldap-server

    To add LDAP users, specify the LDAP server configuration name.

    radius-server

    To add RADIUS users, specify the RADIUS server configuration name.

    tacacs-plus-server

    To add TACACS+ users, specify the TACACS+ server configuration name.

    config user cust_auth_form

    auth_form-file

    Profile name of authentication form

    username_field

    Username field name in customized form

    password_field

    The password field name in customized form

    virtual_path

    The virtual path to redirect

    Example

    config user user-group

    edit "normal-group"

    set client_auth_method html_form_auth

    set auth_form_profile <default/profile_name>

    config member

    edit 1

    set local-user local-user-1

    next

    edit 2

    set type ldap

    set ldap-server ldap-server

    next

    edit 3

    set type radius

    set radius-server radius-server

    next

    end

    next

    config user cust_auth_form

    edit "test"

    set auth_form-file local-user-1_tst.zip

    set username_field user-1

    set password_field pw-1

    set virtual_path <virtual_path>

    next

    end

    edit "SSO-Kerbros-Group"

    set group-type SSO

    set authentication-relay auth-relay-1

    set logoff-path logoff.html

    set sso-support enable

    set sso-domain kfor.com

    config member

    edit 1

    set local-user local-user-1

    next

    edit 2

    set type ldap

    set ldap-server ldap-server

    next

    edit 3

    set type radius

    set radius-server radius-server

    next

    end

    next

    edit "SSO-HTTPBasic-Group"

    set group-type SSO

    set authentication-relay auth-relay-2

    set logoff-path logoff

    set sso-support enable

    set sso-domain sss.com

    config member

    end

    next

    end

    Previous
    Next