Fortinet black logo

CLI Reference

user local

user local

Use this command to add or edit local users and their authentication options, such as two-factor authentication.

Note: To add authentication by RADIUS, TACACS+, or LDAP server, you must first add servers using the user radius, user tacacs+, or user ldap commands respectively.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.15.

Command Description

set username-sensitivity {enable | disable}

Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled)

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set ppk-identity <string>

Specify the Post-quantum Preshared Key (PKK) Identity for successful validation of PPK credentials in dynamic VPNs with peertype dialup.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set ppk-secret <ascii-string-or-hex>

Post-quantum Preshared Key (PPK) options.

Even if a quantum computer can break the Diffie-Hellman calculation to derive the DH-generated secret key, the inclusion of the PPK in the key generation algorithm means that the attacker is still unable to derive the keys used to authenticate the IKE SA negotiation (and so cannot impersonate either party in the negotiation), nor the keys used in negotiating an IPsec SA (or IKE SA).

Note that this option is only available when type is set to password.

config user local
    edit {name}
    # Configure local users.
        set name {string}   User name. size[64]
        set id {integer}   User ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable allowing the local user to authenticate with the FortiGate unit.
        set type {password | radius | tacacs+ | ldap}   Authentication method.
                password  Password authentication.
                radius    RADIUS server authentication.
                tacacs+   TACACS+ server authentication.
                ldap      LDAP server authentication.
        set passwd {password_string}   User's password. size[128]
        set ldap-server {string}   Name of LDAP server with which the user must authenticate. size[35] - datasource(s): user.ldap.name
        set radius-server {string}   Name of RADIUS server with which the user must authenticate. size[35] - datasource(s): user.radius.name
        set tacacs+-server {string}   Name of TACACS+ server with which the user must authenticate. size[35] - datasource(s): user.tacacs+.name
        set two-factor {disable | fortitoken | email | sms}   Enable/disable two-factor authentication.
                disable     disable
                fortitoken  FortiToken
                email       Email authentication code.
                sms         SMS authentication code.
        set fortitoken {string}   Two-factor recipient's FortiToken serial number. size[16] - datasource(s): user.fortitoken.serial-number
        set email-to {string}   Two-factor recipient's email address. size[63]
        set sms-server {fortiguard | custom}   Send SMS through FortiGuard or other external server.
                fortiguard  Send SMS by FortiGuard.
                custom      Send SMS by custom server.
        set sms-custom-server {string}   Two-factor recipient's SMS server. size[35] - datasource(s): system.sms-server.name
        set sms-phone {string}   Two-factor recipient's mobile phone number. size[15]
        set passwd-policy {string}   Password policy to apply to this user, as defined in config user password-policy. size[35] - datasource(s): user.password-policy.name
        set passwd-time {string}   Time of the last password update.
        set authtimeout {integer}   Time in minutes before the authentication timeout for a user is reached. range[0-1440]
        set workstation {string}   Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation. size[35]
        set auth-concurrent-override {enable | disable}   Enable/disable overriding the policy-auth-concurrent under config system global.
        set auth-concurrent-value {integer}   Maximum number of concurrent logins permitted from the same user. range[0-100]
        set ppk-secret {password_string}   IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
        set ppk-identity {string}   IKEv2 Postquantum Preshared Key Identity. size[35]
        set username-sensitivity {disable | enable}   Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled).
    next
end

Additional information

The following section is for those options that require additional explanation.

auth-concurrent-override {enable | disable}

Enable or disable (by default) overriding the policy-auth-concurrent entry in the system global command.

auth-concurrent-value <limit>

Note: This entry is only available when auth-concurrent-override is set to enable. The number of concurrent logins permitted from the same user. Set the value between 1-100, or 0 (by default) for unlimited.

authtimeout <timeout>

Period of time in minutes before the authentication timeout for a user is reached. Set the value between 1-1440 (or one minute to one day). The default is set to 0, which sets the timeout to use the global authentication value.

email-to <address>

Two-factor recipient's email address.

fortitoken <token>

Note: This entry is only available when two-factor is set to fortitoken. Two-factor recipient's FortiToken serial number. The FortiToken must have already been added to the FortiGate unit to be set here.

ldap-server <server>

Note: This entry is only available when type is set to ldap. Enter the name of the LDAP server with which the user must authenticate. Enter the name of the LDAP server with which the user must authenticate.

passwd <password>

Note: This entry is only available when type is set to password. The user's password used to authenticate themselves. It is recommended to enter an alphanumeric password of at least six characters in length.

passwd-policy [policy]

Note: This entry is only available when type is set to password. Optionally, select a password policy to apply to this user. Use the user password-policy command to create password policies.

passwd-time

Note: This entry is only available when type is set to password. Displays the time of the last password update in the following format: <yyyy-mm-dd hh:mm:ss>.

radius-server <server>

Note: This entry is only available when type is set to radius. Enter the name of the RADIUS server with which the user must authenticate.

sms-custom-server <server>

Note: This entry is only available when sms-server is set to custom. Name of the custom server to use for SMS-based two-factor authentication. Note that the server must have already been defined using the system sms-server command.

sms-phone <number>

User's phone number to be used for SMS-based two-factor authentication.

sms-server {fortiguard | custom}

Send SMS through FortiGuard or other external server.

  • fortiguard: Send SMS by FortiGuard (by default).
  • custom: Send SMS by custom server. Once set, use the sms-custom-server entry below to set the external server (see entry below).

status {enable | disable}

Enable (by default) or disable allowing the local user to authenticate with the FortiGate unit.

tacacs+-server <server>

Note: This entry is only available when type is set to tacacs+. Enter the name of the TACACS+ server with which the user must authenticate.

two-factor {disable | fortitoken | email | sms}

Apply two-factor authentication through either FortiToken, email, or SMS, or disable it (by default). If set to fortitoken, use the fortitoken entry to assign a FortiToken to the user (see entry below).

type {password | radius | tacacs+ | ldap}

Method in which the user's password is verified.

  • password: Once set, enter a password in the passwd entry (see entry below). The FortiGate unit will verify the password against this value.
  • radius: Once set, enter the server name in the radius-server entry (see entry below). The specified RADIUS server will verify the password.
  • tacacs+: Once set, enter the server name in the tacacs+-server entry (see entry below). The specified TACACS+ server will verify the password.
  • ldap: Once set, enter the server name in the ldap-server entry (see entry below). The specified LDAP server will verify the password.

workstation <name>

Note: This entry is only available when type is set to ldap. Name of the remote user workstation. Set this value if you want to permit the user to authenticate only from a particular workstation.

user local

Use this command to add or edit local users and their authentication options, such as two-factor authentication.

Note: To add authentication by RADIUS, TACACS+, or LDAP server, you must first add servers using the user radius, user tacacs+, or user ldap commands respectively.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.15.

Command Description

set username-sensitivity {enable | disable}

Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled)

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set ppk-identity <string>

Specify the Post-quantum Preshared Key (PKK) Identity for successful validation of PPK credentials in dynamic VPNs with peertype dialup.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set ppk-secret <ascii-string-or-hex>

Post-quantum Preshared Key (PPK) options.

Even if a quantum computer can break the Diffie-Hellman calculation to derive the DH-generated secret key, the inclusion of the PPK in the key generation algorithm means that the attacker is still unable to derive the keys used to authenticate the IKE SA negotiation (and so cannot impersonate either party in the negotiation), nor the keys used in negotiating an IPsec SA (or IKE SA).

Note that this option is only available when type is set to password.

config user local
    edit {name}
    # Configure local users.
        set name {string}   User name. size[64]
        set id {integer}   User ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable allowing the local user to authenticate with the FortiGate unit.
        set type {password | radius | tacacs+ | ldap}   Authentication method.
                password  Password authentication.
                radius    RADIUS server authentication.
                tacacs+   TACACS+ server authentication.
                ldap      LDAP server authentication.
        set passwd {password_string}   User's password. size[128]
        set ldap-server {string}   Name of LDAP server with which the user must authenticate. size[35] - datasource(s): user.ldap.name
        set radius-server {string}   Name of RADIUS server with which the user must authenticate. size[35] - datasource(s): user.radius.name
        set tacacs+-server {string}   Name of TACACS+ server with which the user must authenticate. size[35] - datasource(s): user.tacacs+.name
        set two-factor {disable | fortitoken | email | sms}   Enable/disable two-factor authentication.
                disable     disable
                fortitoken  FortiToken
                email       Email authentication code.
                sms         SMS authentication code.
        set fortitoken {string}   Two-factor recipient's FortiToken serial number. size[16] - datasource(s): user.fortitoken.serial-number
        set email-to {string}   Two-factor recipient's email address. size[63]
        set sms-server {fortiguard | custom}   Send SMS through FortiGuard or other external server.
                fortiguard  Send SMS by FortiGuard.
                custom      Send SMS by custom server.
        set sms-custom-server {string}   Two-factor recipient's SMS server. size[35] - datasource(s): system.sms-server.name
        set sms-phone {string}   Two-factor recipient's mobile phone number. size[15]
        set passwd-policy {string}   Password policy to apply to this user, as defined in config user password-policy. size[35] - datasource(s): user.password-policy.name
        set passwd-time {string}   Time of the last password update.
        set authtimeout {integer}   Time in minutes before the authentication timeout for a user is reached. range[0-1440]
        set workstation {string}   Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation. size[35]
        set auth-concurrent-override {enable | disable}   Enable/disable overriding the policy-auth-concurrent under config system global.
        set auth-concurrent-value {integer}   Maximum number of concurrent logins permitted from the same user. range[0-100]
        set ppk-secret {password_string}   IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
        set ppk-identity {string}   IKEv2 Postquantum Preshared Key Identity. size[35]
        set username-sensitivity {disable | enable}   Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled).
    next
end

Additional information

The following section is for those options that require additional explanation.

auth-concurrent-override {enable | disable}

Enable or disable (by default) overriding the policy-auth-concurrent entry in the system global command.

auth-concurrent-value <limit>

Note: This entry is only available when auth-concurrent-override is set to enable. The number of concurrent logins permitted from the same user. Set the value between 1-100, or 0 (by default) for unlimited.

authtimeout <timeout>

Period of time in minutes before the authentication timeout for a user is reached. Set the value between 1-1440 (or one minute to one day). The default is set to 0, which sets the timeout to use the global authentication value.

email-to <address>

Two-factor recipient's email address.

fortitoken <token>

Note: This entry is only available when two-factor is set to fortitoken. Two-factor recipient's FortiToken serial number. The FortiToken must have already been added to the FortiGate unit to be set here.

ldap-server <server>

Note: This entry is only available when type is set to ldap. Enter the name of the LDAP server with which the user must authenticate. Enter the name of the LDAP server with which the user must authenticate.

passwd <password>

Note: This entry is only available when type is set to password. The user's password used to authenticate themselves. It is recommended to enter an alphanumeric password of at least six characters in length.

passwd-policy [policy]

Note: This entry is only available when type is set to password. Optionally, select a password policy to apply to this user. Use the user password-policy command to create password policies.

passwd-time

Note: This entry is only available when type is set to password. Displays the time of the last password update in the following format: <yyyy-mm-dd hh:mm:ss>.

radius-server <server>

Note: This entry is only available when type is set to radius. Enter the name of the RADIUS server with which the user must authenticate.

sms-custom-server <server>

Note: This entry is only available when sms-server is set to custom. Name of the custom server to use for SMS-based two-factor authentication. Note that the server must have already been defined using the system sms-server command.

sms-phone <number>

User's phone number to be used for SMS-based two-factor authentication.

sms-server {fortiguard | custom}

Send SMS through FortiGuard or other external server.

  • fortiguard: Send SMS by FortiGuard (by default).
  • custom: Send SMS by custom server. Once set, use the sms-custom-server entry below to set the external server (see entry below).

status {enable | disable}

Enable (by default) or disable allowing the local user to authenticate with the FortiGate unit.

tacacs+-server <server>

Note: This entry is only available when type is set to tacacs+. Enter the name of the TACACS+ server with which the user must authenticate.

two-factor {disable | fortitoken | email | sms}

Apply two-factor authentication through either FortiToken, email, or SMS, or disable it (by default). If set to fortitoken, use the fortitoken entry to assign a FortiToken to the user (see entry below).

type {password | radius | tacacs+ | ldap}

Method in which the user's password is verified.

  • password: Once set, enter a password in the passwd entry (see entry below). The FortiGate unit will verify the password against this value.
  • radius: Once set, enter the server name in the radius-server entry (see entry below). The specified RADIUS server will verify the password.
  • tacacs+: Once set, enter the server name in the tacacs+-server entry (see entry below). The specified TACACS+ server will verify the password.
  • ldap: Once set, enter the server name in the ldap-server entry (see entry below). The specified LDAP server will verify the password.

workstation <name>

Note: This entry is only available when type is set to ldap. Name of the remote user workstation. Set this value if you want to permit the user to authenticate only from a particular workstation.