Fortinet black logo

CLI Reference

authentication scheme

authentication scheme

Configure authentication schemes.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set kerberos-keytab <keytab>

Specify Kerberos keytab to use, in order to avoid authorization failures when multiple keytabs have been created for multiple domains/servers.

Note that kerberos-keytab is only available when method is set to negotiate.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set domain-controller <dc-setting>

Add domain controller setting in the authentication scheme.

Note that this entry is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.

set method {ssh-publickey | ...}

set user-database <server-name>

set ssh-ca <ca-cert-name>

New public key based SSH authentication scheme.

The user name is embedded in ssh-publickey. User group information will be retrieved if the public key is validated by the CA.

Note that both user-database and ssh-ca are only available when method is set to ssh-publickey.

config authentication scheme
    edit {name}
    # Configure Authentication Schemes.
        set name {string}   Authentication scheme name. size[35]
        set method {option}   Authentication methods (default = basic).
                ntlm           NTLM authentication.
                basic          Basic HTTP authentication.
                digest         Digest HTTP authentication.
                form           Form-based HTTP authentication.
                negotiate      Negotiate authentication.
                fsso           Fortinet Single Sign-On (FSSO) authentication.
                rsso           RADIUS Single Sign-On (RSSO) authentication.
                ssh-publickey  Public key based SSH authentication.
        set negotiate-ntlm {enable | disable}   Enable/disable negotiate authentication for NTLM (default = disable).
        set kerberos-keytab {string}   Kerberos keytab setting. size[35] - datasource(s): user.krb-keytab.name
        set domain-controller {string}   Domain controller setting. size[35] - datasource(s): user.domain-controller.name
        set fsso-agent-for-ntlm {string}   FSSO agent to use for NTLM authentication. size[35] - datasource(s): user.fsso.name
        set require-tfa {enable | disable}   Enable/disable two-factor authentication (default = disable).
        set fsso-guest {enable | disable}   Enable/disable user fsso-guest authentication (default = disable).
        config user-database
            edit {name}
            # Authentication server to contain user information; "local" (default) or "123" (for LDAP).
                set name {string}   Authentication server name. size[64] - datasource(s): system.datasource.name,user.radius.name,user.tacacs+.name,user.ldap.name,user.group.name
            next
        set ssh-ca {string}   SSH CA name. size[35] - datasource(s): firewall.ssh.local-ca.name
    next
end

Additional information

The following section is for those options that require additional explanation.

fsso-guest {enable | disable}

Note: This entry is only available when method is set to ntlm, basic, digest, or negotiate.

Enable or disable (by default) user fsso-guest.

method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey}

Configure the authentication method for this scheme.

  • ntlm: NTLM authentication. Note that this can only be set when an FSSO agent has been configured.
  • basic: Basic HTTP authentication.
  • digest: Digest HTTP authentication.
  • form: Form-based HTTP authentication.
  • negotiate: Negotiate authentication.
  • fsso: Fortinet Single Sign-On authentication. Note that this can only be set when an FSSO agent has been configured.
  • rsso: RADIUS Single Sign-On authentication. Note that this can only be set when an RSSO server has been enabled.
  • ssh-publickey: Public key based authentication.

negotiate-ntlm {enable | disable}

Note: This entry is only available when method is set to negotiate.

Enable or disable (by default) NTLM negotiation.

require-tfa {enable | disable}

Note: This entry is only available when method is set to form.

Enable or disable (by default) two-factor authentication.

user-database <name>

Note: This entry is only available when method is set to basic, digest, or form.

Configure the authentication server that contains user information; either local, RADIUS, TACACS+, or LDAP.

authentication scheme

Configure authentication schemes.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set kerberos-keytab <keytab>

Specify Kerberos keytab to use, in order to avoid authorization failures when multiple keytabs have been created for multiple domains/servers.

Note that kerberos-keytab is only available when method is set to negotiate.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set domain-controller <dc-setting>

Add domain controller setting in the authentication scheme.

Note that this entry is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.

set method {ssh-publickey | ...}

set user-database <server-name>

set ssh-ca <ca-cert-name>

New public key based SSH authentication scheme.

The user name is embedded in ssh-publickey. User group information will be retrieved if the public key is validated by the CA.

Note that both user-database and ssh-ca are only available when method is set to ssh-publickey.

config authentication scheme
    edit {name}
    # Configure Authentication Schemes.
        set name {string}   Authentication scheme name. size[35]
        set method {option}   Authentication methods (default = basic).
                ntlm           NTLM authentication.
                basic          Basic HTTP authentication.
                digest         Digest HTTP authentication.
                form           Form-based HTTP authentication.
                negotiate      Negotiate authentication.
                fsso           Fortinet Single Sign-On (FSSO) authentication.
                rsso           RADIUS Single Sign-On (RSSO) authentication.
                ssh-publickey  Public key based SSH authentication.
        set negotiate-ntlm {enable | disable}   Enable/disable negotiate authentication for NTLM (default = disable).
        set kerberos-keytab {string}   Kerberos keytab setting. size[35] - datasource(s): user.krb-keytab.name
        set domain-controller {string}   Domain controller setting. size[35] - datasource(s): user.domain-controller.name
        set fsso-agent-for-ntlm {string}   FSSO agent to use for NTLM authentication. size[35] - datasource(s): user.fsso.name
        set require-tfa {enable | disable}   Enable/disable two-factor authentication (default = disable).
        set fsso-guest {enable | disable}   Enable/disable user fsso-guest authentication (default = disable).
        config user-database
            edit {name}
            # Authentication server to contain user information; "local" (default) or "123" (for LDAP).
                set name {string}   Authentication server name. size[64] - datasource(s): system.datasource.name,user.radius.name,user.tacacs+.name,user.ldap.name,user.group.name
            next
        set ssh-ca {string}   SSH CA name. size[35] - datasource(s): firewall.ssh.local-ca.name
    next
end

Additional information

The following section is for those options that require additional explanation.

fsso-guest {enable | disable}

Note: This entry is only available when method is set to ntlm, basic, digest, or negotiate.

Enable or disable (by default) user fsso-guest.

method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey}

Configure the authentication method for this scheme.

  • ntlm: NTLM authentication. Note that this can only be set when an FSSO agent has been configured.
  • basic: Basic HTTP authentication.
  • digest: Digest HTTP authentication.
  • form: Form-based HTTP authentication.
  • negotiate: Negotiate authentication.
  • fsso: Fortinet Single Sign-On authentication. Note that this can only be set when an FSSO agent has been configured.
  • rsso: RADIUS Single Sign-On authentication. Note that this can only be set when an RSSO server has been enabled.
  • ssh-publickey: Public key based authentication.

negotiate-ntlm {enable | disable}

Note: This entry is only available when method is set to negotiate.

Enable or disable (by default) NTLM negotiation.

require-tfa {enable | disable}

Note: This entry is only available when method is set to form.

Enable or disable (by default) two-factor authentication.

user-database <name>

Note: This entry is only available when method is set to basic, digest, or form.

Configure the authentication server that contains user information; either local, RADIUS, TACACS+, or LDAP.