Fortinet Document Library

CLI Reference

authentication scheme

Configure authentication schemes.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command                            Description

set kerberos-keytab <keytab>       Specify the Kerberos keytab to use, to avoid authorization failures when several keytabs have been created for multiple domains or servers.
                                   Note that kerberos-keytab is only available when method is set to negotiate.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command                              Description

set domain-controller <dc-setting>   Add a domain controller setting to the authentication scheme.
                                     Note that this entry is only available when method is set to ntlm, or when negotiate-ntlm is set to enable.

set method {ssh-publickey | ...}     New public key based SSH authentication scheme.
set user-database <server-name>      The user name is carried in the SSH public-key authentication; user group information is retrieved once the public key has been validated by the configured SSH CA.
set ssh-ca <ca-cert-name>            Note that ssh-ca is only available when method is set to ssh-publickey. user-database is available for ssh-publickey as well as for basic, digest, and form.

config authentication scheme
    edit {name}
    # Configure Authentication Schemes.
        set name {string}   Authentication scheme name. size[35]
        set method {option}   Authentication methods (default = basic).
                ntlm           NTLM authentication.
                basic          Basic HTTP authentication.
                digest         Digest HTTP authentication.
                form           Form-based HTTP authentication.
                negotiate      Negotiate authentication.
                fsso           Fortinet Single Sign-On (FSSO) authentication.
                rsso           RADIUS Single Sign-On (RSSO) authentication.
                ssh-publickey  Public key based SSH authentication.
        set negotiate-ntlm {enable | disable}   Enable/disable negotiate authentication for NTLM (default = disable).
        set kerberos-keytab {string}   Kerberos keytab setting. size[35] - datasource(s): user.krb-keytab.name
        set domain-controller {string}   Domain controller setting. size[35] - datasource(s): user.domain-controller.name
        set fsso-agent-for-ntlm {string}   FSSO agent to use for NTLM authentication. size[35] - datasource(s): user.fsso.name
        set require-tfa {enable | disable}   Enable/disable two-factor authentication (default = disable).
        set fsso-guest {enable | disable}   Enable/disable user fsso-guest authentication (default = disable).
        config user-database
            edit {name}
            # Authentication server that contains the user information: "local" (default) or the name of a configured server, for example "123" for an LDAP server.
                set name {string}   Authentication server name. size[64] - datasource(s): system.datasource.name,user.radius.name,user.tacacs+.name,user.ldap.name,user.group.name
            next
        set ssh-ca {string}   SSH CA name. size[35] - datasource(s): firewall.ssh.local-ca.name
    next
end

Additional information

The following options require additional explanation.

fsso-guest {enable | disable}

Note: This entry is only available when method is set to ntlm, basic, digest, or negotiate.

Enable or disable (the default) FSSO guest-user authentication for this scheme.

method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey}

Configure the authentication method for this scheme.

  • ntlm: NTLM authentication. Note that this can only be set when an FSSO agent has been configured.
  • basic: Basic HTTP authentication.
  • digest: Digest HTTP authentication.
  • form: Form-based HTTP authentication.
  • negotiate: Negotiate authentication.
  • fsso: Fortinet Single Sign-On authentication. Note that this can only be set when an FSSO agent has been configured.
  • rsso: RADIUS Single Sign-On authentication. Note that this can only be set when an RSSO server has been enabled.
  • ssh-publickey: Public key based SSH authentication, validated against the SSH CA set with ssh-ca.

negotiate-ntlm {enable | disable}

Note: This entry is only available when method is set to negotiate.

Enable or disable (the default) NTLM within Negotiate authentication. When enabled, the domain-controller entry becomes available so that NTLM credentials can be checked against a domain controller.

require-tfa {enable | disable}

Note: This entry is only available when method is set to form.

Enable or disable (the default) two-factor authentication for form-based logins.

user-database <name>

Note: This entry is only available when method is set to basic, digest, form, or ssh-publickey.

Configure the authentication server that contains the user information: local (the default), or a configured RADIUS, TACACS+, or LDAP server, or a user group.
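The availability notes above (and the ones in the History tables) describe which options a scheme may carry for a given method. The box enforces them at `set` time, but a saved configuration or a backup reviewed off-box gets no such check. The following is an added example, not Fortinet code: it parses a `config authentication scheme` block and flags options that, according to this page, are unavailable for the scheme's method, plus the FSSO-agent and RSSO-server preconditions for the ntlm, fsso and rsso methods. The sample block and every object name in it (corp-keytab, dc1, fsso1, ldap-corp, ssh-ca-1) are constructed for the example; which FSSO agents exist and whether RSSO is enabled are passed in as assumptions rather than read from the rest of the config.

```python
"""Offline checker for FortiOS 'config authentication scheme' blocks.

Added example, not Fortinet code: parses a saved config block and flags
options that this page says are unavailable for the scheme's method. The
sample config and all object names below are constructed.
"""
import shlex

# Options that are only available with certain methods, per the page's notes.
# user-database is a sub-table in the CLI but is handled as an option here.
# fsso-agent-for-ntlm has no availability note on the page and is not checked.
ALLOWED_WITH = {
    "negotiate-ntlm": {"negotiate"},
    "kerberos-keytab": {"negotiate"},
    "require-tfa": {"form"},
    "fsso-guest": {"ntlm", "basic", "digest", "negotiate"},
    "user-database": {"basic", "digest", "form", "ssh-publickey"},
    "ssh-ca": {"ssh-publickey"},
}


def parse_schemes(text):
    """Return {scheme name: {option: value}} for every 'edit' in the block.

    method defaults to basic, as in the CLI; user-database members are
    collected into a list. Lines outside a scheme (config/end) are ignored.
    """
    schemes, current, in_userdb = {}, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw)          # handles the quoted names
        if not tok:
            continue
        if in_userdb:                   # inside 'config user-database'
            if tok[0] == "edit":
                current.setdefault("user-database", []).append(tok[1])
            elif tok[0] == "end":
                in_userdb = False
        elif tok[:2] == ["config", "user-database"] and current is not None:
            in_userdb = True
        elif tok[0] == "edit":
            current = {"method": "basic"}
            schemes[tok[1]] = current
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            current = None
    return schemes


def check_scheme(name, s, fsso_agents=(), rsso_enabled=False):
    """Return a list of rule violations for one parsed scheme."""
    method, problems = s["method"], []
    for opt, methods in ALLOWED_WITH.items():
        if opt in s and method not in methods:
            problems.append(f"{name}: {opt} is only available with method "
                            f"{'/'.join(sorted(methods))}, not {method}")
    # domain-controller: method ntlm, or negotiate-ntlm enabled
    if "domain-controller" in s and not (
            method == "ntlm" or s.get("negotiate-ntlm") == "enable"):
        problems.append(f"{name}: domain-controller needs method ntlm "
                        "or negotiate-ntlm enable")
    # ntlm and fsso need an FSSO agent; rsso needs an enabled RSSO server
    if method in ("ntlm", "fsso") and not fsso_agents:
        problems.append(f"{name}: method {method} requires a configured FSSO agent")
    if method == "rsso" and not rsso_enabled:
        problems.append(f"{name}: method rsso requires an enabled RSSO server")
    return problems


def check_config(text, fsso_agents=(), rsso_enabled=False):
    """Parse a block and return {scheme name: [violations]}."""
    return {n: check_scheme(n, s, fsso_agents, rsso_enabled)
            for n, s in parse_schemes(text).items()}


# Constructed sample: four valid schemes and one that carries options a
# basic scheme cannot have. Object names (corp-keytab, dc1, ...) are made up.
SAMPLE = """\
config authentication scheme
    edit "kerb-sso"
        set method negotiate
        set negotiate-ntlm enable
        set kerberos-keytab "corp-keytab"
        set domain-controller "dc1"
    next
    edit "ntlm-legacy"
        set method ntlm
        set domain-controller "dc1"
        set fsso-agent-for-ntlm "fsso1"
    next
    edit "web-form-tfa"
        set method form
        set require-tfa enable
        config user-database
            edit "ldap-corp"
            next
        end
    next
    edit "ssh-cert"
        set method ssh-publickey
        set ssh-ca "ssh-ca-1"
        config user-database
            edit "local"
            next
        end
    next
    edit "bad-basic"
        set method basic
        set kerberos-keytab "corp-keytab"
        set require-tfa enable
    next
end
"""

if __name__ == "__main__":
    for name, problems in check_config(SAMPLE, fsso_agents={"fsso1"}).items():
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run against the sample, the four well-formed schemes report OK and bad-basic reports two violations (kerberos-keytab and require-tfa are not available with method basic). Dropping `fsso_agents` from the call makes ntlm-legacy fail as well, mirroring the note that ntlm can only be set once an FSSO agent exists.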
