Fortinet black logo

CLI Reference

user group

user group

Use this command to add or edit user groups. User groups can include defined peer users.

config user group
    edit {name}
    # Configure user groups.
        set name {string}   Group name. size[35]
        set id {integer}   Group ID. range[0-4294967295]
        set group-type {firewall | fsso-service | rsso | guest}   Set the group to be for firewall authentication, FSSO, RSSO, or guest users.
                firewall      Firewall.
                fsso-service  Fortinet Single Sign-On Service.
                rsso          RADIUS based Single Sign-On Service.
                guest         Guest.
        set authtimeout {integer}   Authentication timeout in minutes for this user group. 0 to use the global user setting auth-timeout. range[0-43200]
        set auth-concurrent-override {enable | disable}   Enable/disable overriding the global number of concurrent authentication sessions for this user group.
        set auth-concurrent-value {integer}   Maximum number of concurrent authenticated connections per user (0 - 100). range[0-100]
        set http-digest-realm {string}   Realm attribute for MD5-digest authentication. size[35]
        set sso-attribute-value {string}   Name of the RADIUS user group that this local user group represents. size[511]
        config member
            edit {name}
            # Names of users, peers, LDAP severs, or RADIUS servers to add to the user group.
                set name {string}   Group member name. size[511] - datasource(s): user.peer.name,user.local.name,user.radius.name,user.tacacs+.name,user.ldap.name,user.adgrp.name,user.pop3.name
            next
        config match
            edit {id}
            # Group matches.
                set id {integer}   ID. range[0-4294967295]
                set server-name {string}   Name of remote auth server. size[35] - datasource(s): user.radius.name,user.ldap.name,user.tacacs+.name
                set group-name {string}   Name of matching group on remote authentication server. size[511]
            next
        set user-id {email | auto-generate | specify}   Guest user ID type.
                email          Email address.
                auto-generate  Automatically generate.
                specify        Specify.
        set password {auto-generate | specify | disable}   Guest user password type.
                auto-generate  Automatically generate.
                specify        Specify.
                disable        Disable.
        set user-name {disable | enable}   Enable/disable the guest user name entry.
        set sponsor {optional | mandatory | disabled}   Set the action for the sponsor guest user field.
                optional   Optional.
                mandatory  Mandatory.
                disabled   Disabled.
        set company {optional | mandatory | disabled}   Set the action for the company guest user field.
                optional   Optional.
                mandatory  Mandatory.
                disabled   Disabled.
        set email {disable | enable}   Enable/disable the guest user email address field.
        set mobile-phone {disable | enable}   Enable/disable the guest user mobile phone number field.
        set sms-server {fortiguard | custom}   Send SMS through FortiGuard or other external server.
                fortiguard  Send SMS by FortiGuard.
                custom      Send SMS by custom server.
        set sms-custom-server {string}   SMS server. size[35] - datasource(s): system.sms-server.name
        set expire-type {immediately | first-successful-login}   Determine when the expiration countdown begins.
                immediately             Immediately.
                first-successful-login  First successful login.
        set expire {integer}   Time in seconds before guest user accounts expire. (1 - 31536000 sec) range[1-31536000]
        set max-accounts {integer}   Maximum number of guest accounts that can be created for this group (0 means unlimited). range[0-1024]
        set multiple-guest-add {disable | enable}   Enable/disable addition of multiple guests.
        config guest
            edit {user-id}
            # Guest User.
                set user-id {string}   Guest ID. size[64]
                set name {string}   Guest name. size[64]
                set password {password_string}   Guest password. size[128]
                set mobile-phone {string}   Mobile phone. size[35]
                set sponsor {string}   Set the action for the sponsor guest user field. size[35]
                set company {string}   Set the action for the company guest user field. size[35]
                set email {string}   Email. size[64]
                set expiration {string}   Expire time.
                set comment {string}   Comment. size[255]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

auth-concurrent-override {enable | disable}

Note: This entry is only available when group-type is set to either firewall or guest. Enable or disable (by default) overriding the policy-auth-concurrent entry in the system global command.

auth-concurrent-value <limit>

Note: This entry is only available when auth-concurrent-override is set to enable. The number of concurrent logins permitted from the same user. Set the value between 1-100, or 0 (by default) for unlimited.

authtimeout <timeout>

Period of time in minutes before the authentication timeout for a user group is reached. Set the value between 1-43200 (or one minute to thirty days). The default is set to 0, which sets the timeout to use the global authentication value.

company {optional | mandatory | disable}

Note: This entry is only available when group-type is set to guest. Determines whether the guest's company name field on the web-based manager Guest Management form should be optional (by default), mandatory, or disabled.

config guest

Note: When group-type is set to guest, guest options will become available and can be set. This configuration method will also become available, however it is not configurable.

config match

Note: This entry is only available when group-type is set to firewall. A configuration method to specify the user group names on the authentication servers that are members of this FortiGate user group. Note that if no matches are specified then all users on the server can authenticate.

email {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable (by default) or disable the email address field in the web-based manager Guest Management form.

expire-type {immediately | first-successful-login}

Note: This entry is only available when group-type is set to guest. Determines when the expiry time countdown begins: immediately (by default) or after the user's first successful login.

expire <seconds>

Note: This entry is only available when group-type is set to guest. The time in seconds the user account has until it expires. Set the value between 1-31536000 (or one second to 365 days). The default is set to 14400.

group-name <name>

The name of the matching group on the remote authentication server.

group-type {firewall | fsso-service | rsso | guest}

Type of group, which determines the type of user.

  • firewall: Those users defined in the user local, user ldap, or user radius commands
  • fsso-service: Fortinet Single Sign-On (FSSO) users
  • rsso: RADIUS Single Sign-On (RSSO) users
  • guest: Guest users

http-digest-realm <attribute>

Note: This entry is not available when group-type is set to rsso. The realm attribute for MD5-digest authentication.

max-accounts <limit>

Note: This entry is only available when group-type is set to guest. The maximum number of accounts permitted. The maximum value that can be set depends on the platform. The default is set to 0, or unlimited.

member <member>

Note: This entry is only available when group-type is set to either firewall or fsso-service. The names of users, peers, LDAP severs, or RADIUS servers to add to the user group, each separated by a space. Note that, to add or remove names from the group, you must re-enter the whole list with the required additions or deletions. . The names of users, peers, LDAP severs, or RADIUS servers to add to the user group, each separated by a space. Note that, to add or remove names from the group, you must re-enter the whole list with the required additions or deletions.

mobile-phone {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable or disable (by default) the mobile phone number field in the web-based manager Guest Management form.

multiple-guest-add {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable or disable (by default) the multiple guest add option in the web-based manager User Group form.

password {auto-generate | specify | disable}

Note: This entry is only available when group-type is set to guest. The source of the guest password.

  • auto-generate: Create a random user password (by default).
  • specify: Enter a user password string.
  • disable: Disables guest user's need for a password.

server-name <name>

The name of the remote authentication server.

sponsor {optional | mandatory | disable}

Note: This entry is only available when group-type is set to guest. Determines whether the sponsor field on the web-based manager Guest Management form should be optional (by default), mandatory, or disabled.

sso-attribute-value <attribute>

Note: This entry is only available when group-type is set to rsso. The name of the RADIUS user group that this local user group represents.

user-id {email | auto-generate | specify}

Note: This entry is only available when group-type is set to guest. The source of the guest user ID.

  • email: Use the guest's email address (by default).
  • auto-generate: Create a random user ID.
  • specify: Enter a user ID string.

user-name {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable or disable (by default) the guest user name entry.

user group

Use this command to add or edit user groups. User groups can include defined peer users.

config user group
    edit {name}
    # Configure user groups.
        set name {string}   Group name. size[35]
        set id {integer}   Group ID. range[0-4294967295]
        set group-type {firewall | fsso-service | rsso | guest}   Set the group to be for firewall authentication, FSSO, RSSO, or guest users.
                firewall      Firewall.
                fsso-service  Fortinet Single Sign-On Service.
                rsso          RADIUS based Single Sign-On Service.
                guest         Guest.
        set authtimeout {integer}   Authentication timeout in minutes for this user group. 0 to use the global user setting auth-timeout. range[0-43200]
        set auth-concurrent-override {enable | disable}   Enable/disable overriding the global number of concurrent authentication sessions for this user group.
        set auth-concurrent-value {integer}   Maximum number of concurrent authenticated connections per user (0 - 100). range[0-100]
        set http-digest-realm {string}   Realm attribute for MD5-digest authentication. size[35]
        set sso-attribute-value {string}   Name of the RADIUS user group that this local user group represents. size[511]
        config member
            edit {name}
            # Names of users, peers, LDAP severs, or RADIUS servers to add to the user group.
                set name {string}   Group member name. size[511] - datasource(s): user.peer.name,user.local.name,user.radius.name,user.tacacs+.name,user.ldap.name,user.adgrp.name,user.pop3.name
            next
        config match
            edit {id}
            # Group matches.
                set id {integer}   ID. range[0-4294967295]
                set server-name {string}   Name of remote auth server. size[35] - datasource(s): user.radius.name,user.ldap.name,user.tacacs+.name
                set group-name {string}   Name of matching group on remote authentication server. size[511]
            next
        set user-id {email | auto-generate | specify}   Guest user ID type.
                email          Email address.
                auto-generate  Automatically generate.
                specify        Specify.
        set password {auto-generate | specify | disable}   Guest user password type.
                auto-generate  Automatically generate.
                specify        Specify.
                disable        Disable.
        set user-name {disable | enable}   Enable/disable the guest user name entry.
        set sponsor {optional | mandatory | disabled}   Set the action for the sponsor guest user field.
                optional   Optional.
                mandatory  Mandatory.
                disabled   Disabled.
        set company {optional | mandatory | disabled}   Set the action for the company guest user field.
                optional   Optional.
                mandatory  Mandatory.
                disabled   Disabled.
        set email {disable | enable}   Enable/disable the guest user email address field.
        set mobile-phone {disable | enable}   Enable/disable the guest user mobile phone number field.
        set sms-server {fortiguard | custom}   Send SMS through FortiGuard or other external server.
                fortiguard  Send SMS by FortiGuard.
                custom      Send SMS by custom server.
        set sms-custom-server {string}   SMS server. size[35] - datasource(s): system.sms-server.name
        set expire-type {immediately | first-successful-login}   Determine when the expiration countdown begins.
                immediately             Immediately.
                first-successful-login  First successful login.
        set expire {integer}   Time in seconds before guest user accounts expire. (1 - 31536000 sec) range[1-31536000]
        set max-accounts {integer}   Maximum number of guest accounts that can be created for this group (0 means unlimited). range[0-1024]
        set multiple-guest-add {disable | enable}   Enable/disable addition of multiple guests.
        config guest
            edit {user-id}
            # Guest User.
                set user-id {string}   Guest ID. size[64]
                set name {string}   Guest name. size[64]
                set password {password_string}   Guest password. size[128]
                set mobile-phone {string}   Mobile phone. size[35]
                set sponsor {string}   Set the action for the sponsor guest user field. size[35]
                set company {string}   Set the action for the company guest user field. size[35]
                set email {string}   Email. size[64]
                set expiration {string}   Expire time.
                set comment {string}   Comment. size[255]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

auth-concurrent-override {enable | disable}

Note: This entry is only available when group-type is set to either firewall or guest. Enable or disable (by default) overriding the policy-auth-concurrent entry in the system global command.

auth-concurrent-value <limit>

Note: This entry is only available when auth-concurrent-override is set to enable. The number of concurrent logins permitted from the same user. Set the value between 1-100, or 0 (by default) for unlimited.

authtimeout <timeout>

Period of time in minutes before the authentication timeout for a user group is reached. Set the value between 1-43200 (or one minute to thirty days). The default is set to 0, which sets the timeout to use the global authentication value.

company {optional | mandatory | disable}

Note: This entry is only available when group-type is set to guest. Determines whether the guest's company name field on the web-based manager Guest Management form should be optional (by default), mandatory, or disabled.

config guest

Note: When group-type is set to guest, guest options will become available and can be set. This configuration method will also become available, however it is not configurable.

config match

Note: This entry is only available when group-type is set to firewall. A configuration method to specify the user group names on the authentication servers that are members of this FortiGate user group. Note that if no matches are specified then all users on the server can authenticate.

email {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable (by default) or disable the email address field in the web-based manager Guest Management form.

expire-type {immediately | first-successful-login}

Note: This entry is only available when group-type is set to guest. Determines when the expiry time countdown begins: immediately (by default) or after the user's first successful login.

expire <seconds>

Note: This entry is only available when group-type is set to guest. The time in seconds the user account has until it expires. Set the value between 1-31536000 (or one second to 365 days). The default is set to 14400.

group-name <name>

The name of the matching group on the remote authentication server.

group-type {firewall | fsso-service | rsso | guest}

Type of group, which determines the type of user.

  • firewall: Those users defined in the user local, user ldap, or user radius commands
  • fsso-service: Fortinet Single Sign-On (FSSO) users
  • rsso: RADIUS Single Sign-On (RSSO) users
  • guest: Guest users

http-digest-realm <attribute>

Note: This entry is not available when group-type is set to rsso. The realm attribute for MD5-digest authentication.

max-accounts <limit>

Note: This entry is only available when group-type is set to guest. The maximum number of accounts permitted. The maximum value that can be set depends on the platform. The default is set to 0, or unlimited.

member <member>

Note: This entry is only available when group-type is set to either firewall or fsso-service. The names of users, peers, LDAP severs, or RADIUS servers to add to the user group, each separated by a space. Note that, to add or remove names from the group, you must re-enter the whole list with the required additions or deletions. . The names of users, peers, LDAP severs, or RADIUS servers to add to the user group, each separated by a space. Note that, to add or remove names from the group, you must re-enter the whole list with the required additions or deletions.

mobile-phone {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable or disable (by default) the mobile phone number field in the web-based manager Guest Management form.

multiple-guest-add {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable or disable (by default) the multiple guest add option in the web-based manager User Group form.

password {auto-generate | specify | disable}

Note: This entry is only available when group-type is set to guest. The source of the guest password.

  • auto-generate: Create a random user password (by default).
  • specify: Enter a user password string.
  • disable: Disables guest user's need for a password.

server-name <name>

The name of the remote authentication server.

sponsor {optional | mandatory | disable}

Note: This entry is only available when group-type is set to guest. Determines whether the sponsor field on the web-based manager Guest Management form should be optional (by default), mandatory, or disabled.

sso-attribute-value <attribute>

Note: This entry is only available when group-type is set to rsso. The name of the RADIUS user group that this local user group represents.

user-id {email | auto-generate | specify}

Note: This entry is only available when group-type is set to guest. The source of the guest user ID.

  • email: Use the guest's email address (by default).
  • auto-generate: Create a random user ID.
  • specify: Enter a user ID string.

user-name {enable | disable}

Note: This entry is only available when group-type is set to guest. Enable or disable (by default) the guest user name entry.