user peer
Use this command to add or edit peer (digital certificate holder) information. Peers that you define can be used in the vpn ipsec phase1 command if peertype is set to peer. These peers can also be added to peer groups in the user peergrp command.
This command refers to certificates imported into the FortiGate unit. You can import CA certificates using the vpn certificate ca command and local certificates using the vpn certificate local command.
config user peer
    edit {name}
    # Configure peer users.
        set name {string}   Peer name. size[35]
        set mandatory-ca-verify {enable | disable}   Determine what happens to the peer if the CA certificate is not installed. Disable to automatically consider the peer certificate as valid.
        set ca {string}   Name of the CA certificate as returned by the execute vpn certificate ca list command. size[127] - datasource(s): vpn.certificate.ca.name
        set subject {string}   Peer certificate name constraints. size[255]
        set cn {string}   Peer certificate common name. size[255]
        set cn-type {option}   Peer certificate common name type.
                string   Normal string.
                email    Email address.
                FQDN     Fully Qualified Domain Name.
                ipv4     IPv4 address.
                ipv6     IPv6 address.
        set ldap-server {string}   Name of an LDAP server defined under the user ldap command. Performs client access rights check. size[35] - datasource(s): user.ldap.name
        set ldap-username {string}   Username for LDAP server bind. size[35]
        set ldap-password {password_string}   Password for LDAP server bind. size[128]
        set ldap-mode {password | principal-name}   Mode for LDAP peer authentication.
                password         Username/password.
                principal-name   Principal name.
        set ocsp-override-server {string}   Online Certificate Status Protocol (OCSP) server for certificate retrieval. size[35] - datasource(s): vpn.certificate.ocsp-server.name
        set two-factor {enable | disable}   Enable/disable two-factor authentication, applying certificate and password-based authentication.
        set passwd {password_string}   Peer's password used for two-factor authentication. size[128]
    next
end
Additional information
The following section is for those options that require additional explanation.
ca <cert-ca>
Name of the CA certificate, as returned by the execute vpn certificate ca list command.
cn <cert-common-name>
Name of the peer certificate common name.
cn-type {string | email | FQDN | ipv4 | ipv6}
Peer certificate common name type.
string: Normal string. This is set by default.
email: User's email address.
FQDN: Fully qualified domain name.
ipv4: User's IPv4 address.
ipv6: User's IPv6 address.
ldap-mode {password | principal-name}
Mode for LDAP authentication.
password: Authenticate through user name and password. This is set by default.
principal-name: Authenticate through the LDAP userPrincipalName attribute.
ldap-password <password>
Login password for the LDAP server.
ldap-server <server>
Name of an LDAP server defined under the user ldap command. Performs a client access rights check for the defined peer.
ldap-username <name>
Login name for the LDAP server.
mandatory-ca-verify {enable | disable}
The peer certificate is checked for validity against the CA certificates installed on the FortiGate unit. Enable (the default) or disable to determine what happens if the CA certificate is not installed.
enable: The peer will not be authenticated.
disable: The peer certificate is automatically considered valid and the peer is authenticated.
ocsp-override-server <server>
Online Certificate Status Protocol (OCSP) server used to retrieve certificates. This applies if OCSP is enabled in the vpn certificate setting command.
passwd <password>
Note: This entry is only available when two-factor is set to enable.
This peer's password for two-factor authentication.
subject [constraints]
Optionally, enter any peer certificate name constraints; the name defined here must match the certificate name for successful authentication.
two-factor {enable | disable}
Enable or disable (the default) two-factor authentication, applying certificate-based and password-based authentication. Once enabled, specify the password to use in the passwd entry (see the passwd entry above).