Fortinet white logo
Fortinet white logo

CLI Reference

config user local

config user local

Configure local users.

config user local

Description: Configure local users.

edit <name>

set id {integer}

set status [enable|disable]

set type [password|radius|...]

set passwd {password}

set ldap-server {string}

set radius-server {string}

set tacacs+-server {string}

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set passwd-policy {string}

set passwd-time {user}

set authtimeout {integer}

set workstation {string}

set auth-concurrent-override [enable|disable]

set auth-concurrent-value {integer}

set ppk-secret {password-3}

set ppk-identity {string}

set username-sensitivity [disable|enable]

next

end

config user local

Parameter

Description

Type

Size

id

User ID.

integer

Minimum value: 0 Maximum value: 4294967295

status

Enable/disable allowing the local user to authenticate with the FortiGate unit.

option

-

Option

Description

enable

Enable user.

disable

Disable user.

type

Authentication method.

option

-

Option

Description

password

Password authentication.

radius

RADIUS server authentication.

tacacs+

TACACS+ server authentication.

ldap

LDAP server authentication.

passwd

User's password.

password

Not Specified

ldap-server

Name of LDAP server with which the user must authenticate.

string

Not Specified

radius-server

Name of RADIUS server with which the user must authenticate.

string

Not Specified

tacacs+-server

Name of TACACS+ server with which the user must authenticate.

string

Not Specified

two-factor

Enable/disable two-factor authentication.

option

-

Option

Description

disable

disable

fortitoken

FortiToken

fortitoken-cloud

FortiToken Cloud Service.

email

Email authentication code.

sms

SMS authentication code.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

Two-factor recipient's FortiToken serial number.

string

Not Specified

email-to

Two-factor recipient's email address.

string

Not Specified

sms-server

Send SMS through FortiGuard or other external server.

option

-

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Two-factor recipient's SMS server.

string

Not Specified

sms-phone

Two-factor recipient's mobile phone number.

string

Not Specified

passwd-policy

Password policy to apply to this user, as defined in config user password-policy.

string

Not Specified

passwd-time

Time of the last password update.

user

Not Specified

authtimeout

Time in minutes before the authentication timeout for a user is reached.

integer

Minimum value: 0 Maximum value: 1440

workstation

Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation.

string

Not Specified

auth-concurrent-override

Enable/disable overriding the policy-auth-concurrent under config system global.

option

-

Option

Description

enable

Enable auth-concurrent-override.

disable

Disable auth-concurrent-override.

auth-concurrent-value

Maximum number of concurrent logins permitted from the same user.

integer

Minimum value: 0 Maximum value: 100

ppk-secret

IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

ppk-identity

IKEv2 Postquantum Preshared Key Identity.

string

Not Specified

username-sensitivity

Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled).

option

-

Option

Description

disable

Ignore case and accents. Username at prompt not required to match case or accents.

enable

Do not ignore case and accents. Username at prompt must be an exact match.

config user local

config user local

Configure local users.

config user local

Description: Configure local users.

edit <name>

set id {integer}

set status [enable|disable]

set type [password|radius|...]

set passwd {password}

set ldap-server {string}

set radius-server {string}

set tacacs+-server {string}

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set passwd-policy {string}

set passwd-time {user}

set authtimeout {integer}

set workstation {string}

set auth-concurrent-override [enable|disable]

set auth-concurrent-value {integer}

set ppk-secret {password-3}

set ppk-identity {string}

set username-sensitivity [disable|enable]

next

end

config user local

Parameter

Description

Type

Size

id

User ID.

integer

Minimum value: 0 Maximum value: 4294967295

status

Enable/disable allowing the local user to authenticate with the FortiGate unit.

option

-

Option

Description

enable

Enable user.

disable

Disable user.

type

Authentication method.

option

-

Option

Description

password

Password authentication.

radius

RADIUS server authentication.

tacacs+

TACACS+ server authentication.

ldap

LDAP server authentication.

passwd

User's password.

password

Not Specified

ldap-server

Name of LDAP server with which the user must authenticate.

string

Not Specified

radius-server

Name of RADIUS server with which the user must authenticate.

string

Not Specified

tacacs+-server

Name of TACACS+ server with which the user must authenticate.

string

Not Specified

two-factor

Enable/disable two-factor authentication.

option

-

Option

Description

disable

disable

fortitoken

FortiToken

fortitoken-cloud

FortiToken Cloud Service.

email

Email authentication code.

sms

SMS authentication code.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

Two-factor recipient's FortiToken serial number.

string

Not Specified

email-to

Two-factor recipient's email address.

string

Not Specified

sms-server

Send SMS through FortiGuard or other external server.

option

-

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Two-factor recipient's SMS server.

string

Not Specified

sms-phone

Two-factor recipient's mobile phone number.

string

Not Specified

passwd-policy

Password policy to apply to this user, as defined in config user password-policy.

string

Not Specified

passwd-time

Time of the last password update.

user

Not Specified

authtimeout

Time in minutes before the authentication timeout for a user is reached.

integer

Minimum value: 0 Maximum value: 1440

workstation

Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation.

string

Not Specified

auth-concurrent-override

Enable/disable overriding the policy-auth-concurrent under config system global.

option

-

Option

Description

enable

Enable auth-concurrent-override.

disable

Disable auth-concurrent-override.

auth-concurrent-value

Maximum number of concurrent logins permitted from the same user.

integer

Minimum value: 0 Maximum value: 100

ppk-secret

IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

ppk-identity

IKEv2 Postquantum Preshared Key Identity.

string

Not Specified

username-sensitivity

Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled).

option

-

Option

Description

disable

Ignore case and accents. Username at prompt not required to match case or accents.

enable

Do not ignore case and accents. Username at prompt must be an exact match.