Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

User groups

Users can be assigned to groups during user account configuration (see Editing a user), or by editing the groups to add users to it.

To view the user groups list, go to Authentication > User Management > User Groups.

note icon

Note that user groups can be created for MAC devices. However, MAC devices will only be available to add in a MAC user group after devices have been created or imported. See MAC devices for more information.

To create a new user group:
  1. Go to Authentication > User Management > User Groups and select Create New.
  2. Enter the following information:
    Name Enter a name for the group.
    Type Select the type of group: Local, Remote LDAP, Remote RADIUS, Remote SAML, or MAC.

    Guest Group

    Enable to include the user group to the list of groups that sponsors can assign to new guest user accounts.

    This option is only available if Type is Local.

    This option is disabled by default.

    Users

    Select users from the search box.

    This option is only available if Type is Local.

    Password policy

    Select a password policy from the dropdown.

    A default password policy is already selected, see Passwords.

    This option is only available if Type is Local.

    Usage Profile

    Enable to determine user time and data usage on a granular level.

    Select a usage profile from the dropdown. At least one usage profile must already be configured, see Usage profile.

    This option is only available if Type is Local, Remote LDAP, or Remote RADIUS.

    User retrieval

    Determine group membership by selecting either Specify an LDAP filter or Set a list of imported remote LDAP users.

    This option is only available if Type is Remote LDAP.

    Remote LDAP

    Select a remote LDAP server from the dropdown menu. At least one remote LDAP server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote LDAP.

    Remote RADIUS

    Select a remote RADIUS server from the dropdown menu. At least one remote RADIUS server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote RADIUS.

    LDAP filter

    Enter an LDAP filter.

    Select Set Group Filter to set the LDAP filter. This opens the Set Group Filter window where you can select one or more groups within the tree to build the LDAP filter string. Click Use Filter to confirm the selection.

    Once the groups have been selected, the LDAP filter string is set to the proper syntax that filters the selected groups.

    The objectClass and the memberOf portion must be set according to the User object class and the Group membership attribute setting of the remote LDAP server configuration respectively. See LDAP.

    If the LDAP filter is already configured with a non-empty value, selecting Set Group Filter attempts to interpret the LDAP filter value to preselect the already configured groups in the LDAP tree. However, if the LDAP filter value does not match the string generated by Set Group Filter, the existing filter is ignored, and Set Group Filter opens with no preselected groups. Clicking Use Filter overwrites the previous LDAP filter.

    Select Test Filter to test that the filter functions as expected. FortiAuthenticator shows an LDAP tree with all the users that match the current remote LDAP server setting (i.e., the users that the sync rule syncs when it runs).

    This option is only available if Type is Remote LDAP and User retrieval is set to Specify an LDAP filter.

    LDAP users

    Select remote LDAP users from the LDAP users search box.

    This option is only available if Type is Remote LDAP and User retrieval is set to Set a list of imported remote users.

    RADIUS users

    Select remote RADIUS users from the RADIUS users search box.

    This option is only available if Type is Remote RADIUS.

    Remote saml

    Select a remote SAML server from the dropdown menu. At least one remote SAML server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote SAML.

    SAML users

    Select remote SAML users from the SAML users search box.

    This option is only available if Type is Remote SAML.

    MAC devices

    Select from Available MAC Devices and move them to the Chosen MAC Devices box to add them to the group.

    This option is only available if Type is MAC.

    TACACS+ Authorization

    Select a TACACS+ authorization rule to apply to the user group.

  3. Select OK to create the new group.
To edit a user group:
  1. In the user group list, select the group that you need to edit.
  2. Edit the settings as required. The settings are the same as when creating a new group.
  3. Select OK to apply your changes.

User groups for MAC-based RADIUS authentication

Once created, MAC user groups can then be used under the MAC-based authentication section of RADIUS clients, under Authentication > RADIUS Service > Clients. See RADIUS service for more information.

User groups

Users can be assigned to groups during user account configuration (see Editing a user), or by editing the groups to add users to it.

To view the user groups list, go to Authentication > User Management > User Groups.

note icon

Note that user groups can be created for MAC devices. However, MAC devices will only be available to add in a MAC user group after devices have been created or imported. See MAC devices for more information.

To create a new user group:
  1. Go to Authentication > User Management > User Groups and select Create New.
  2. Enter the following information:
    Name Enter a name for the group.
    Type Select the type of group: Local, Remote LDAP, Remote RADIUS, Remote SAML, or MAC.

    Guest Group

    Enable to include the user group to the list of groups that sponsors can assign to new guest user accounts.

    This option is only available if Type is Local.

    This option is disabled by default.

    Users

    Select users from the search box.

    This option is only available if Type is Local.

    Password policy

    Select a password policy from the dropdown.

    A default password policy is already selected, see Passwords.

    This option is only available if Type is Local.

    Usage Profile

    Enable to determine user time and data usage on a granular level.

    Select a usage profile from the dropdown. At least one usage profile must already be configured, see Usage profile.

    This option is only available if Type is Local, Remote LDAP, or Remote RADIUS.

    User retrieval

    Determine group membership by selecting either Specify an LDAP filter or Set a list of imported remote LDAP users.

    This option is only available if Type is Remote LDAP.

    Remote LDAP

    Select a remote LDAP server from the dropdown menu. At least one remote LDAP server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote LDAP.

    Remote RADIUS

    Select a remote RADIUS server from the dropdown menu. At least one remote RADIUS server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote RADIUS.

    LDAP filter

    Enter an LDAP filter.

    Select Set Group Filter to set the LDAP filter. This opens the Set Group Filter window where you can select one or more groups within the tree to build the LDAP filter string. Click Use Filter to confirm the selection.

    Once the groups have been selected, the LDAP filter string is set to the proper syntax that filters the selected groups.

    The objectClass and the memberOf portion must be set according to the User object class and the Group membership attribute setting of the remote LDAP server configuration respectively. See LDAP.

    If the LDAP filter is already configured with a non-empty value, selecting Set Group Filter attempts to interpret the LDAP filter value to preselect the already configured groups in the LDAP tree. However, if the LDAP filter value does not match the string generated by Set Group Filter, the existing filter is ignored, and Set Group Filter opens with no preselected groups. Clicking Use Filter overwrites the previous LDAP filter.

    Select Test Filter to test that the filter functions as expected. FortiAuthenticator shows an LDAP tree with all the users that match the current remote LDAP server setting (i.e., the users that the sync rule syncs when it runs).

    This option is only available if Type is Remote LDAP and User retrieval is set to Specify an LDAP filter.

    LDAP users

    Select remote LDAP users from the LDAP users search box.

    This option is only available if Type is Remote LDAP and User retrieval is set to Set a list of imported remote users.

    RADIUS users

    Select remote RADIUS users from the RADIUS users search box.

    This option is only available if Type is Remote RADIUS.

    Remote saml

    Select a remote SAML server from the dropdown menu. At least one remote SAML server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote SAML.

    SAML users

    Select remote SAML users from the SAML users search box.

    This option is only available if Type is Remote SAML.

    MAC devices

    Select from Available MAC Devices and move them to the Chosen MAC Devices box to add them to the group.

    This option is only available if Type is MAC.

    TACACS+ Authorization

    Select a TACACS+ authorization rule to apply to the user group.

  3. Select OK to create the new group.
To edit a user group:
  1. In the user group list, select the group that you need to edit.
  2. Edit the settings as required. The settings are the same as when creating a new group.
  3. Select OK to apply your changes.

User groups for MAC-based RADIUS authentication

Once created, MAC user groups can then be used under the MAC-based authentication section of RADIUS clients, under Authentication > RADIUS Service > Clients. See RADIUS service for more information.