user group
Use this command to add or edit user groups. User groups can include defined peer users.
config user group
    edit {name}   # Configure user groups.
        set name {string}   Group name. size[35]
        set id {integer}   Group ID. range[0-4294967295]
        set group-type {firewall | fsso-service | rsso | guest}   Set the group to be for firewall authentication, FSSO, RSSO, or guest users.
            firewall       Firewall.
            fsso-service   Fortinet Single Sign-On Service.
            rsso           RADIUS based Single Sign-On Service.
            guest          Guest.
        set authtimeout {integer}   Authentication timeout in minutes for this user group. 0 to use the global user setting auth-timeout. range[0-43200]
        set auth-concurrent-override {enable | disable}   Enable/disable overriding the global number of concurrent authentication sessions for this user group.
        set auth-concurrent-value {integer}   Maximum number of concurrent authenticated connections per user (0 - 100). range[0-100]
        set http-digest-realm {string}   Realm attribute for MD5-digest authentication. size[35]
        set sso-attribute-value {string}   Name of the RADIUS user group that this local user group represents. size[511]
        config member
            edit {name}   # Names of users, peers, LDAP servers, or RADIUS servers to add to the user group.
                set name {string}   Group member name. size[511] - datasource(s): user.peer.name, user.local.name, user.radius.name, user.tacacs+.name, user.ldap.name, user.adgrp.name, user.pop3.name
            next
        end
        config match
            edit {id}   # Group matches.
                set id {integer}   ID. range[0-4294967295]
                set server-name {string}   Name of remote auth server. size[35] - datasource(s): user.radius.name, user.ldap.name, user.tacacs+.name
                set group-name {string}   Name of matching group on remote authentication server. size[511]
            next
        end
        set user-id {email | auto-generate | specify}   Guest user ID type.
            email           Email address.
            auto-generate   Automatically generate.
            specify         Specify.
        set password {auto-generate | specify | disable}   Guest user password type.
            auto-generate   Automatically generate.
            specify         Specify.
            disable         Disable.
        set user-name {disable | enable}   Enable/disable the guest user name entry.
        set sponsor {optional | mandatory | disabled}   Set the action for the sponsor guest user field.
            optional    Optional.
            mandatory   Mandatory.
            disabled    Disabled.
        set company {optional | mandatory | disabled}   Set the action for the company guest user field.
            optional    Optional.
            mandatory   Mandatory.
            disabled    Disabled.
        set email {disable | enable}   Enable/disable the guest user email address field.
        set mobile-phone {disable | enable}   Enable/disable the guest user mobile phone number field.
        set sms-server {fortiguard | custom}   Send SMS through FortiGuard or other external server.
            fortiguard   Send SMS by FortiGuard.
            custom       Send SMS by custom server.
        set sms-custom-server {string}   SMS server. size[35] - datasource(s): system.sms-server.name
        set expire-type {immediately | first-successful-login}   Determine when the expiration countdown begins.
            immediately              Immediately.
            first-successful-login   First successful login.
        set expire {integer}   Time in seconds before guest user accounts expire. (1 - 31536000 sec) range[1-31536000]
        set max-accounts {integer}   Maximum number of guest accounts that can be created for this group (0 means unlimited). range[0-1024]
        set multiple-guest-add {disable | enable}   Enable/disable addition of multiple guests.
        config guest
            edit {user-id}   # Guest User.
                set user-id {string}   Guest ID. size[64]
                set name {string}   Guest name. size[64]
                set password {password_string}   Guest password. size[128]
                set mobile-phone {string}   Mobile phone. size[35]
                set sponsor {string}   Sponsor of the guest user. size[35]
                set company {string}   Company of the guest user. size[35]
                set email {string}   Email. size[64]
                set expiration {string}   Expire time.
                set comment {string}   Comment. size[255]
            next
        end
    next
end
Additional information
The following section is for those options that require additional explanation.
auth-concurrent-override {enable | disable}
Note: This entry is only available when group-type is set to either firewall or guest.
Enable or disable (by default) overriding the policy-auth-concurrent entry in the system global command.
auth-concurrent-value <limit>
Note: This entry is only available when auth-concurrent-override is set to enable.
The number of concurrent logins permitted from the same user. Set the value between 1-100, or 0 (by default) for unlimited. Note that enabling the override while leaving this value at 0 lifts the global limit for members of this group rather than tightening it.
authtimeout <timeout>
Period of time in minutes before the authentication timeout for a user group is reached. Set the value between 1-43200 (one minute to thirty days). The default is set to 0, which sets the timeout to use the global authentication value.
company {optional | mandatory | disabled}
Note: This entry is only available when group-type is set to guest.
Determines whether the guest's company name field on the web-based manager Guest Management form should be optional (by default), mandatory, or disabled.
config guest
Note: When group-type is set to guest, the guest options become available and can be set. This configuration method also becomes available; however, it is not configurable.
config match
Note: This entry is only available when group-type is set to firewall.
A configuration method to specify the user group names on the authentication servers that are members of this FortiGate user group. Note that if no matches are specified then all users on the server can authenticate, so a firewall group whose member is an LDAP, RADIUS, or TACACS+ server should normally carry at least one match entry restricting it to the intended server-side groups.
email {enable | disable}
Note: This entry is only available when group-type is set to guest.
Enable (by default) or disable the email address field in the web-based manager Guest Management form.
expire-type {immediately | first-successful-login}
Note: This entry is only available when group-type is set to guest.
Determines when the expiry time countdown begins: immediately (by default) or after the user's first successful login. With first-successful-login, an account that is never used never starts its countdown, so unclaimed guest accounts remain valid until they are removed.
expire <seconds>
Note: This entry is only available when group-type is set to guest.
The time in seconds the user account has until it expires. Set the value between 1-31536000 (one second to 365 days). The default is set to 14400.
group-name <name>
The name of the matching group on the remote authentication server (set within a config match entry).
group-type {firewall | fsso-service | rsso | guest}
Type of group, which determines the type of user.
firewall: Those users defined in the user local, user ldap, or user radius commands
fsso-service: Fortinet Single Sign-On (FSSO) users
rsso: RADIUS Single Sign-On (RSSO) users
guest: Guest users
http-digest-realm <attribute>
Note: This entry is not available when group-type is set to rsso.
The realm attribute for MD5-digest authentication.
max-accounts <limit>
Note: This entry is only available when group-type is set to guest.
The maximum number of accounts permitted. The maximum value that can be set depends on the platform. The default is set to 0, or unlimited.
member <member>
Note: This entry is only available when group-type is set to either firewall or fsso-service.
The names of users, peers, LDAP servers, or RADIUS servers to add to the user group, each separated by a space. Note that, to add or remove names from the group, you must re-enter the whole list with the required additions or deletions.
mobile-phone {enable | disable}
Note: This entry is only available when group-type is set to guest.
Enable or disable (by default) the mobile phone number field in the web-based manager Guest Management form.
multiple-guest-add {enable | disable}
Note: This entry is only available when group-type is set to guest.
Enable or disable (by default) the multiple guest add option in the web-based manager User Group form.
password {auto-generate | specify | disable}
Note: This entry is only available when group-type is set to guest.
The source of the guest password.
auto-generate: Create a random user password (by default).
specify: Enter a user password string.
disable: Disables the guest user's need for a password.
server-name <name>
The name of the remote authentication server that a config match entry applies to.
sponsor {optional | mandatory | disabled}
Note: This entry is only available when group-type is set to guest.
Determines whether the sponsor field on the web-based manager Guest Management form should be optional (by default), mandatory, or disabled.
sso-attribute-value <attribute>
Note: This entry is only available when group-type is set to rsso.
The name of the RADIUS user group that this local user group represents.
user-id {email | auto-generate | specify}
Note: This entry is only available when group-type is set to guest.
The source of the guest user ID.
email: Use the guest's email address (by default).
auto-generate: Create a random user ID.
specify: Enter a user ID string.
user-name {enable | disable}
Note: This entry is only available when group-type is set to guest.
Enable or disable (by default) the guest user name entry.
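The following is an added example, not Fortinet code or text from this reference: a small Python audit that parses the config user group syntax shown above (together with the user ldap table it references) and flags the settings this page warns about, namely a firewall group whose member is a remote server but which has no config match entries, auth-concurrent-override enabled with auth-concurrent-value left at 0, and a guest group with password disable. The config text inside the script is constructed for the example; the server address, group names, and LDAP group DN are made up, the parser only understands the config/edit/set/next/end grammar used on this page, and it assumes firewall as the group type when group-type is not set explicitly.

```python
"""Audit FortiOS 'config user group' blocks for weak settings.

Added example for this reference page, not FortiGate code. The sample
config is constructed and the parser covers only config/edit/set/next/end.
"""
import shlex

# Constructed sample config: one LDAP server and four user groups.
SAMPLE_CONFIG = """
config user ldap
    edit "corp-ldap"
        set server "10.0.0.5"
    next
end
config user group
    edit "vpn-admins"
        set group-type firewall
        set member "corp-ldap"
        set auth-concurrent-override enable
        set auth-concurrent-value 2
        set authtimeout 30
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=VPN-Admins,OU=Groups,DC=example,DC=com"
            next
        end
    next
    edit "vpn-everyone"
        set group-type firewall
        set member "corp-ldap"
        set auth-concurrent-override enable
        set auth-concurrent-value 0
    next
    edit "lobby-guests"
        set group-type guest
        set user-id email
        set password disable
        set sponsor mandatory
        set expire-type first-successful-login
        set expire 86400
    next
    edit "rsso-contractors"
        set group-type rsso
        set sso-attribute-value "contractors"
    next
end
"""

# Tables whose entries are remote auth servers (the member/server-name datasources).
REMOTE_SERVER_TABLES = ("user ldap", "user radius", "user tacacs+")


def _node():
    return {"set": {}, "children": {}}


def parse_fortios(text):
    """Parse nested config/edit/set/next/end blocks into a dict tree.

    'config X' and 'edit Y' both open a child node; 'set' stores its values as
    a list, so multi-valued options such as member keep every value.
    """
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours quoted names
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1]["children"].setdefault(" ".join(args), _node()))
        elif cmd == "set" and args:
            stack[-1]["set"][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def remote_servers(root):
    """Names of LDAP/RADIUS/TACACS+ servers defined in the parsed config."""
    names = set()
    for table in REMOTE_SERVER_TABLES:
        names.update(root["children"].get(table, _node())["children"])
    return names


def audit_user_groups(text):
    """Return (group name, finding) pairs for the risky settings described above."""
    root = parse_fortios(text)
    servers = remote_servers(root)
    groups = root["children"].get("user group", _node())["children"]
    findings = []
    for name, grp in groups.items():
        s = grp["set"]
        gtype = s.get("group-type", ["firewall"])[0]   # assumed default
        members = set(s.get("member", []))
        matches = grp["children"].get("match", _node())["children"]
        if gtype == "firewall" and members & servers and not matches:
            findings.append((name, "remote server member but no config match: every user on that server can authenticate"))
        if (s.get("auth-concurrent-override", ["disable"])[0] == "enable"
                and s.get("auth-concurrent-value", ["0"])[0] == "0"):
            findings.append((name, "auth-concurrent-override enable with value 0: unlimited concurrent logins per user"))
        if gtype == "guest" and s.get("password", ["auto-generate"])[0] == "disable":
            findings.append((name, "guest group with password disable: guest accounts need no password"))
    return findings


if __name__ == "__main__":
    for group, finding in audit_user_groups(SAMPLE_CONFIG):
        print(f"{group}: {finding}")
```

Run against the sample, the audit passes vpn-admins (server member restricted by a match entry, concurrent logins capped at 2) and rsso-contractors, and reports vpn-everyone twice and lobby-guests once. The same script can be pointed at a full backup exported with show or show full-configuration, since parse_fortios keeps every table it sees and the audit only reads the user ldap, user radius, user tacacs+, and user group tables.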