authentication scheme
Configure authentication schemes.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.
Command | Description |
---|---|
set kerberos-keytab <keytab> | Specify the Kerberos keytab to use, in order to avoid authorization failures when multiple keytabs have been created for multiple domains/servers. Note that |
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
set domain-controller <dc-setting> | Add a domain controller setting to the authentication scheme. Note that this entry is only available when |
set method ssh-publickey; set user-database <server-name>; set ssh-ca <ca-cert-name> | New public key based SSH authentication scheme. The user name is embedded in Note that both |
```
config authentication scheme
    edit {name}
    # Configure Authentication Schemes.
        set name {string}   Authentication scheme name. size[35]
        set method {option}   Authentication methods (default = basic).
                ntlm            NTLM authentication.
                basic           Basic HTTP authentication.
                digest          Digest HTTP authentication.
                form            Form-based HTTP authentication.
                negotiate       Negotiate authentication.
                fsso            Fortinet Single Sign-On (FSSO) authentication.
                rsso            RADIUS Single Sign-On (RSSO) authentication.
                ssh-publickey   Public key based SSH authentication.
        set negotiate-ntlm {enable | disable}   Enable/disable negotiate authentication for NTLM (default = disable).
        set kerberos-keytab {string}   Kerberos keytab setting. size[35] - datasource(s): user.krb-keytab.name
        set domain-controller {string}   Domain controller setting. size[35] - datasource(s): user.domain-controller.name
        set fsso-agent-for-ntlm {string}   FSSO agent to use for NTLM authentication. size[35] - datasource(s): user.fsso.name
        set require-tfa {enable | disable}   Enable/disable two-factor authentication (default = disable).
        set fsso-guest {enable | disable}   Enable/disable user fsso-guest authentication (default = disable).
        config user-database
            edit {name}
            # Authentication server to contain user information; "local" (default) or "123" (for LDAP).
                set name {string}   Authentication server name. size[64] - datasource(s): system.datasource.name,user.radius.name,user.tacacs+.name,user.ldap.name,user.group.name
            next
        set ssh-ca {string}   SSH CA name. size[35] - datasource(s): firewall.ssh.local-ca.name
    next
end
```
Additional information
The following section is for those options that require additional explanation.
fsso-guest {enable | disable}
Note: This entry is only available when method is set to ntlm, basic, digest, or negotiate.
Enable or disable (the default) authentication of FSSO guest users through this scheme.
method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey}
Configure the authentication method for this scheme.
- ntlm: NTLM authentication. Note that this can only be set when an FSSO agent has been configured.
- basic: Basic HTTP authentication.
- digest: Digest HTTP authentication.
- form: Form-based HTTP authentication.
- negotiate: Negotiate authentication.
- fsso: Fortinet Single Sign-On authentication. Note that this can only be set when an FSSO agent has been configured.
- rsso: RADIUS Single Sign-On authentication. Note that this can only be set when an RSSO server has been enabled.
- ssh-publickey: Public key based authentication.
negotiate-ntlm {enable | disable}
Note: This entry is only available when method is set to negotiate.
Enable or disable (the default) the use of NTLM within Negotiate authentication.
require-tfa {enable | disable}
Note: This entry is only available when method is set to form. None of the other methods can require a second factor, so form is the method to choose when two-factor authentication is a requirement.
Enable or disable (the default) two-factor authentication for users authenticating through this scheme.
user-database <name>
Note: This entry is only available when method is set to basic, digest, form, or ssh-publickey (the ssh-publickey scheme requires it together with ssh-ca).
Configure the authentication server(s) that contain user information: local, RADIUS, TACACS+, LDAP, or a user group.
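The following configuration is an added worked example, not part of the original FortiOS reference, that creates three schemes while respecting the option dependencies listed above: a form scheme that enforces two-factor authentication (the only method on which require-tfa can be set), a Negotiate scheme pinned to a specific keytab with NTLM left disabled, and a public key SSH scheme that trusts one CA. The object names ldap-corp, krb-corp-keytab and ssh-user-ca are assumptions; they must already exist under user ldap, user krb-keytab and firewall ssh local-ca respectively.

```fortios
# Added example (not from the FortiOS reference). Assumes the objects
# ldap-corp, krb-corp-keytab and ssh-user-ca already exist.
config authentication scheme
    # Interactive browser users: form login backed by LDAP, with a
    # mandatory second factor. require-tfa is only accepted when
    # method is form, so basic/digest cannot be hardened this way.
    edit "web-form-ldap-tfa"
        set method form
        set require-tfa enable
        config user-database
            edit "ldap-corp"
            next
        end
    next
    # Domain-joined clients: Kerberos via Negotiate. The keytab is named
    # explicitly so that a deployment with several keytabs (one per
    # domain/server) does not fail authorization by picking the wrong one.
    # negotiate-ntlm is left at its default (disable) so the scheme does
    # not accept NTLM in place of Kerberos.
    edit "web-negotiate-krb"
        set method negotiate
        set negotiate-ntlm disable
        set kerberos-keytab "krb-corp-keytab"
    next
    # SSH proxy users: certificate-based public key authentication.
    # Both ssh-ca and user-database are required for this method.
    edit "ssh-pubkey-ca"
        set method ssh-publickey
        set ssh-ca "ssh-user-ca"
        config user-database
            edit "ldap-corp"
            next
        end
    next
end

# Verify what was stored; defaults such as negotiate-ntlm disable are
# not echoed, so only explicitly changed values appear.
show authentication scheme
```

The schemes do nothing until they are referenced by authentication rules; the point of the example is the dependency checks (require-tfa only with form, ssh-ca and user-database together with ssh-publickey, kerberos-keytab with negotiate), which the CLI enforces by rejecting the option when the method does not allow it.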