CLI Reference

config user user-group

Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.

Suggested steps:
  1. Configure LDAP, RADIUS and TACACS+ servers, if applicable.
  2. Configure local users.
  3. Configure user groups (reference servers and local users).
  4. Configure an authorization policy (reference the user group).
  5. Configure the virtual server (reference the authorization policy).
Before you begin:
  • You must have created configuration objects for any LDAP, RADIUS and/or TACACS+ server you want to use, and you must have created user accounts for local users.
  • You must have read-write permission for system settings.

After you have created user groups, you can specify them in the load-balance auth-policy configuration.

Syntax

config user user-group
  edit <name>
    set auth-log {none|fail|success|all}
    set auth-session-timeout <integer>
    set auth-timeout <integer>
    set user-cache {enable|disable}
    set user-cache-timeout <integer>
    set client-auth-method {html_form_auth|http_auth|ntlm_auth}
    set use-default-form {enable|disable}
    set auth_form_profile <datasource>
    set group-type {normal|SSO}
    set authentication-relay <datasource>
    set sso-support {enable|disable}
    set sso-domain <string>
    set logoff-path <string>
    config member
      edit <No.>
        set type {local|ldap|radius|tacacs_plus}
        set local-user {<name> <name> ...}
        set ldap-server <datasource>
        set radius-server <datasource>
        set tacacs-plus-server <datasource>
        set strip-domain {enable|disable}
        set host_status {enable|disable}
        set host <regular_expr_string>
        set user_domain_status {enable|disable}
        set user_domain <regular_expr_string>
        set src_ip_status {enable|disable}
        set src_ip <ip_string>
      next
    end
    config user cust_auth_form
      edit <name>
        set auth_form-file <file>
        set username_field <username field name>
        set password_field <password field name>
        set virtual_path <virtual path>
      next
    end
  next
end

auth-log

Specify one of the following logging options for authentication events:

  • none — No logging
  • fail — Log failed attempts
  • success — Log successful attempts
  • all — Log all (both failed and successful attempts)

auth-session-timeout

Specify the authentication session timeout. Valid values range from 1 to 180 minutes. The default is 3 (minutes).

auth-timeout

Timeout for a query sent from FortiADC to a remote authentication server. The default is 2000 milliseconds. The valid range is 1 to 120,000 milliseconds.

user-cache

Enable to cache the credentials for the remote users (LDAP, RADIUS, TACACS+) once they are authorized.

user-cache-timeout

The user-cache-timeout option is available if user-cache is enabled.

Timeout for cached user credentials. The default is 300 seconds. The valid range is 1-86,400 seconds.

client-auth-method

  • html_form_auth
  • http_auth
  • ntlm_auth (only if you want to use an NTLM server as the authentication server)

use-default-form

The use-default-form option is available if client-auth-method is html_form_auth.

Enabled by default to use the default authentication form. Disable to use a customized authentication form.

auth_form_profile

The auth_form_profile option is available if client-auth-method is html_form_auth and use-default-form is disabled.

Set the authentication form profile. You can use the default form or the name of a profile defined in cust_auth_form.

group-type

  • normal — Default. No action is needed.
  • sso — Enables Single Sign-On (SSO).

authentication-relay

The authentication-relay option is available if group-type is sso.

Set an authentication relay profile.

sso-support

The sso-support option is available if group-type is sso.

Enable/disable SSO Cross Domain Support. This is disabled by default. When enabled, you must specify the SSO domain.

Note:
Authentication policies cannot be applied to multiple virtual servers. For security reasons, such as protection against XSS attacks, there is no shared mechanism between virtual servers to decrypt cookies. As a result, you cannot log into a second virtual server while already logged into the first virtual server, because the virtual servers are independent of each other.
SSO Cross Domain Support allows you to have multiple domain names on the same virtual server (the virtual host), where you can specify a first-level domain name to enable the second-level domain names on the virtual server to decrypt cookies at the same time.
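The note above explains that a first-level SSO domain lets second-level hostnames on the same virtual server share the session cookie. The following added example (not FortiADC code, and not taken from this page) shows the browser-side rule that makes this work: RFC 6265 domain matching, which decides whether a cookie scoped to a domain such as kfor.com is sent to portal.kfor.com but never to a lookalike host. How FortiADC itself encrypts and scopes its cookie is not described on this page; the sample hosts below are constructed for the demonstration.

```python
import ipaddress
from typing import List

# Added example: RFC 6265 section 5.1.3 "domain-match" as a browser applies it.
# Sample values are constructed; kfor.com is the sso-domain used in this page's example.


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Return True when a cookie with Domain=cookie_domain is sent to host.

    A host matches when it is identical to the cookie domain, or when it ends
    with "." + cookie_domain and is not an IP literal. The leading dot some
    servers still emit (".kfor.com") is ignored, as browsers do.
    """
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never domain-match a suffix
    except ValueError:
        pass
    return host.endswith("." + cookie_domain)


def hosts_sharing_session(cookie_domain: str, hosts: List[str]) -> List[str]:
    """List the hostnames that would receive a session cookie scoped to cookie_domain."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    # Constructed hostnames: two second-level names under the SSO domain, one lookalike, one unrelated.
    candidates = ["portal.kfor.com", "mail.kfor.com", "evilkfor.com", "portal.other.com", "kfor.com"]
    for name in hosts_sharing_session("kfor.com", candidates):
        print("cookie is sent to", name)
```

The lookalike case is the one worth keeping in mind when choosing an SSO domain: a suffix match without the separating dot would leak the session cookie to any host whose name merely ends in the same characters, which is exactly what the standard rule prevents.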

sso-domain

The sso-domain option is available if group-type is sso and sso-support is enabled.

Specify the SSO domain.

logoff-path

The logoff-path option is available if group-type is sso.

Specify the log-off URL.

config member

type

Authentication server type.

local-user

To add local users, specify the local usernames.

ldap-server

To add LDAP users, specify the LDAP server configuration name.

radius-server

To add RADIUS users, specify the RADIUS server configuration name.

tacacs-plus-server

To add TACACS+ users, specify the TACACS+ server configuration name.

strip-domain

Enable this option to remove the domain prefix from the username before FortiADC sends the authentication request to the member server. When a User Group contains multiple members, FortiADC can use a client-provided domain prefix (e.g., domain\user, user@domain, or domain/user) to route the request to a specific member via Match Conditions. If the backend authentication server (such as LDAP, RADIUS, or Local) only recognizes simple usernames, enabling this option allows FortiADC to use the prefix for routing and then discard it before communicating with the authentication server.

host_status

Enable to match requests based on the HTTP Host header. Use this when different hostnames (such as mail.example.com or vpn.example.com) should be authenticated by different servers.

host

Specify the host as a case-insensitive regular expression (maximum length: 255 characters).

user_domain_status

Enable to match the domain portion of the username. For example, this can be used to distinguish @na.example.com from @emea.example.com when routing users to different LDAP servers.

user_domain

Specify the user domain as a case-insensitive regular expression (maximum length: 255 characters). The domain portion is identified using the @, \, or / separators (e.g., domain\user, user@domain, or domain/user).

src_ip_status

Enable to match requests based on the client IP address or range. This is useful when routing authentication by region, office location, or network segment.

src_ip

Enter an IPv4 or IPv6 address, or a range. Multiple entries (up to 8) can be specified, separated by commas (maximum length: 1024 characters).
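The strip-domain description and the host, user_domain and src_ip match conditions above together describe how a request is routed to one member of a group and what username that member finally sees. The following added example (not FortiADC code, and not from this page) simulates that routing in Python so the interaction between the three conditions and strip-domain can be checked on sample input. It assumes members are evaluated in list order, that the regular expressions are matched with a case-insensitive search, and that src_ip accepts CIDR networks and start-end ranges; the member definitions and requests are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a simulation of 'config member' Match Conditions and strip-domain.
# The Member model and the first-match evaluation order are assumptions, not FortiADC internals.


@dataclass
class Member:
    name: str
    host: Optional[str] = None         # case-insensitive regex on the HTTP Host header (host_status)
    user_domain: Optional[str] = None  # case-insensitive regex on the username's domain part (user_domain_status)
    src_ip: Optional[str] = None       # comma-separated IPv4/IPv6 addresses, CIDR networks or start-end ranges (src_ip_status)
    strip_domain: bool = False         # drop the domain prefix before contacting the server (strip-domain)


def split_username(username: str) -> Tuple[str, str]:
    """Return (domain, user) using the @, \\ and / separators listed on the page.
    domain\\user and domain/user put the domain first; user@domain puts it last."""
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return domain, user
    for sep in ("\\", "/"):
        if sep in username:
            domain, _, user = username.partition(sep)
            return domain, user
    return "", username


def ip_matches(spec: str, client_ip: str) -> bool:
    """True when client_ip falls inside any of the (at most 8) comma-separated entries."""
    addr = ipaddress.ip_address(client_ip)
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if len(entries) > 8:
        raise ValueError("src_ip accepts at most 8 entries")
    for entry in entries:
        if "-" in entry:  # start-end range
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):  # single address or CIDR
            return True
    return False


def member_matches(m: Member, host: str, username: str, client_ip: str) -> bool:
    """Every enabled condition must hold; a member with no conditions matches everything."""
    if m.host is not None and not re.search(m.host, host, re.IGNORECASE):
        return False
    if m.user_domain is not None:
        domain, _ = split_username(username)
        if not re.search(m.user_domain, domain, re.IGNORECASE):
            return False
    if m.src_ip is not None and not ip_matches(m.src_ip, client_ip):
        return False
    return True


def route(members: List[Member], host: str, username: str, client_ip: str):
    """Return (member name, username as sent to that member) for the first matching
    member, or None when no member matches (the request would be rejected)."""
    for m in members:
        if member_matches(m, host, username, client_ip):
            sent = split_username(username)[1] if m.strip_domain else username
            return m.name, sent
    return None


# Constructed sample group: two regional LDAP members, one RADIUS member for a branch network,
# and a catch-all local member with no conditions.
MEMBERS = [
    Member("ldap-na", host=r"^mail\.example\.com$", user_domain=r"^na\.example\.com$", strip_domain=True),
    Member("ldap-emea", user_domain=r"^emea\.example\.com$", strip_domain=True),
    Member("radius-branch", src_ip="10.20.0.0/16, 192.0.2.10-192.0.2.20"),
    Member("local"),
]

if __name__ == "__main__":
    for host, user, ip in [
        ("mail.example.com", "alice@NA.example.com", "203.0.113.5"),
        ("vpn.example.com", "EMEA.example.com\\bob", "203.0.113.5"),
        ("vpn.example.com", "carol", "192.0.2.15"),
        ("vpn.example.com", "corp/dave", "198.51.100.7"),
    ]:
        print(f"{user!r} via {host} from {ip} ->", route(MEMBERS, host, user, ip))
```

The fourth sample request shows the trap the strip-domain text warns about: the catch-all member has strip-domain disabled, so the backend receives the raw "corp/dave" and a server that only understands simple usernames will fail the lookup even though routing succeeded.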
config user cust_auth_form

auth_form-file

Profile name of the authentication form.

username_field

Username field name in the customized form.

password_field

Password field name in the customized form.

virtual_path

The virtual path to redirect to.

Example

config user user-group
  edit "normal-group"
    set client-auth-method html_form_auth
    set auth_form_profile <default/profile_name>
    config member
      edit 1
        set local-user local-user-1
      next
      edit 2
        set type ldap
        set ldap-server ldap-server
      next
      edit 3
        set type radius
        set radius-server radius-server
      next
    end
  next
  config user cust_auth_form
    edit "test"
      set auth_form-file local-user-1_tst.zip
      set username_field user-1
      set password_field pw-1
      set virtual_path <virtual_path>
    next
  end
  edit "SSO-Kerbros-Group"
    set group-type SSO
    set authentication-relay auth-relay-1
    set logoff-path logoff.html
    set sso-support enable
    set sso-domain kfor.com
    config member
      edit 1
        set local-user local-user-1
      next
      edit 2
        set type ldap
        set ldap-server ldap-server
      next
      edit 3
        set type radius
        set radius-server radius-server
      next
    end
  next
  edit "SSO-HTTPBasic-Group"
    set group-type SSO
    set authentication-relay auth-relay-2
    set logoff-path logoff
    set sso-support enable
    set sso-domain sss.com
    config member
    end
  next
end
