authentication scheme
Configure authentication schemes.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

| Command | Description |
|---|---|
| `set kerberos-keytab <keytab>` | Specify the Kerberos keytab to use, in order to avoid authorization failures when multiple keytabs have been created for multiple domains/servers. Note that |
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

| Command | Description |
|---|---|
| `set domain-controller <dc-setting>` | Add a domain controller setting to the authentication scheme. Note that this entry is only available when |
| `set method {ssh-publickey \| ...}` `set user-database <server-name>` `set ssh-ca <ca-cert-name>` | New public key based SSH authentication scheme. The user name is embedded in Note that both |
```
config authentication scheme
    edit {name}
        # Configure Authentication Schemes.
        set name {string}   Authentication scheme name. size[35]
        set method {option}   Authentication methods (default = basic).
                ntlm           NTLM authentication.
                basic          Basic HTTP authentication.
                digest         Digest HTTP authentication.
                form           Form-based HTTP authentication.
                negotiate      Negotiate authentication.
                fsso           Fortinet Single Sign-On (FSSO) authentication.
                rsso           RADIUS Single Sign-On (RSSO) authentication.
                ssh-publickey  Public key based SSH authentication.
        set negotiate-ntlm {enable | disable}   Enable/disable negotiate authentication for NTLM (default = disable).
        set kerberos-keytab {string}   Kerberos keytab setting. size[35] - datasource(s): user.krb-keytab.name
        set domain-controller {string}   Domain controller setting. size[35] - datasource(s): user.domain-controller.name
        set fsso-agent-for-ntlm {string}   FSSO agent to use for NTLM authentication. size[35] - datasource(s): user.fsso.name
        set require-tfa {enable | disable}   Enable/disable two-factor authentication (default = disable).
        set fsso-guest {enable | disable}   Enable/disable user fsso-guest authentication (default = disable).
        config user-database
            edit {name}
                # Authentication server to contain user information; "local" (default) or "123" (for LDAP).
                set name {string}   Authentication server name. size[64] - datasource(s): system.datasource.name,user.radius.name,user.tacacs+.name,user.ldap.name,user.group.name
            next
        end
        set ssh-ca {string}   SSH CA name. size[35] - datasource(s): firewall.ssh.local-ca.name
    next
end
```
Additional information
The following section is for those options that require additional explanation.
fsso-guest {enable | disable}
Note: This entry is only available when method is set to ntlm, basic, digest, or negotiate.
Enable or disable (the default) FSSO guest-user authentication for users the scheme cannot otherwise identify.
method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey}
Configure the authentication method for this scheme.
- ntlm: NTLM authentication. Note that this can only be set when an FSSO agent has been configured (see fsso-agent-for-ntlm).
- basic: Basic HTTP authentication.
- digest: Digest HTTP authentication.
- form: Form-based HTTP authentication.
- negotiate: Negotiate (Kerberos) authentication.
- fsso: Fortinet Single Sign-On authentication. Note that this can only be set when an FSSO agent has been configured.
- rsso: RADIUS Single Sign-On authentication. Note that this can only be set when an RSSO server has been enabled.
- ssh-publickey: Public key based SSH authentication, using the CA named in ssh-ca.
negotiate-ntlm {enable | disable}
Note: This entry is only available when method is set to negotiate.
Enable or disable (the default) NTLM within negotiate authentication.
require-tfa {enable | disable}
Note: This entry is only available when method is set to form. Enabling it on a scheme that uses any other method has no effect, so do not rely on it for basic or digest schemes.
Enable or disable (the default) two-factor authentication.
user-database <name>
Note: This entry is only available when method is set to basic, digest, or form.
Configure the authentication server that contains user information: local, RADIUS, TACACS+, LDAP, or a user group. The referenced server object must exist before the scheme can name it.
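The following is an added worked configuration, not taken from the original reference, that exercises the option constraints described above: a form-based scheme with two-factor authentication backed by an LDAP server, a negotiate scheme pinned to a specific Kerberos keytab, and a public-key SSH scheme tied to an SSH CA. The object names `corp-ldap`, `corp-keytab`, and `corp-ssh-ca` are assumed to already exist as `user ldap`, `user krb-keytab`, and `firewall ssh local-ca` entries respectively; they are placeholders, not names from the original page.

```text
# Added example (not from the original reference). Assumes the datasource
# objects "corp-ldap" (user.ldap), "corp-keytab" (user.krb-keytab) and
# "corp-ssh-ca" (firewall.ssh.local-ca) have already been created.
config authentication scheme
    # Interactive web login: form is the only method on which require-tfa
    # is honoured, so a two-factor policy must use it.
    edit "web-form-tfa"
        set method form
        set require-tfa enable
        config user-database
            edit "corp-ldap"
            next
        end
    next
    # Transparent Kerberos SSO for domain-joined browsers. negotiate-ntlm is
    # left at its default (disable) so the scheme never falls back to NTLM;
    # kerberos-keytab selects the keytab explicitly, which avoids
    # authorization failures when several keytabs exist for several realms.
    edit "browser-kerberos"
        set method negotiate
        set negotiate-ntlm disable
        set kerberos-keytab "corp-keytab"
    next
    # Public key based SSH authentication: client keys are validated against
    # the named SSH CA, and the user record is resolved from the LDAP server.
    edit "ssh-pubkey"
        set method ssh-publickey
        config user-database
            edit "corp-ldap"
            next
        end
        set ssh-ca "corp-ssh-ca"
    next
end
```

Because the CLI rejects a reference to an object that does not exist, create the LDAP server, keytab, and SSH CA objects first, then the schemes; a scheme is only enforced once a firewall policy or authentication rule refers to it.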