config user to configure:
- external authentication servers including Windows Active Directory or other Directory Service servers
- user accounts and user groups for firewall policy authentication, SSL VPN authentication, administrator authentication and some types of VPN authentication
- device detection
- peers/peer groups for IPSec VPN and PKI user authentication.
Configuring users for authentication
This command covers two types of user configuration:
• users authenticated by password
• users, sites or computers (peers) authenticated by certificate
Configuring users for password authentication
You need to set up authentication in the following order:
- If external authentication is needed, configure the required servers.
- Configure local user identities.
For each user, you can choose whether the FortiGate unit or an external authentication server verifies the password.
- See user local.
- Create user groups.
Add local users to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate to the FortiGate unit.
Configuring peers for certificate authentication
If your FortiGate unit will host IPSec VPNs that authenticate clients using certificates, you need to prepare for certificate authentication as follows:
- Import the CA certificates for clients who authenticate with a FortiGate unit VPN using certificates.
- See vpn certificate ca.
- Enter the certificate information for each VPN client (peer).
- See user peer.
- Create peer groups, if you have VPNs that authenticate by peer group. Assign the appropriate peers to each peer group.
- See user peergrp.
This section includes syntax for the following commands:
- user adgrp
- user device
- user device-access-list
- user device-category
- user device-group
- user domain-controller
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user password-policy
- user peer
- user peergrp
- user pop3
- user quarantine
- user radius
- user security-exempt-list
- user setting
- user tacacs+