CLI Reference

user local

Configure local users.

  config user local
      Description: Configure local users.
      edit <name>
          set id {integer}
          set status [enable|disable]
          set type [password|radius|...]
          set passwd {password}
          set ldap-server {string}
          set radius-server {string}
          set tacacs+-server {string}
          set two-factor [disable|fortitoken|...]
          set fortitoken {string}
          set email-to {string}
          set sms-server [fortiguard|custom]
          set sms-custom-server {string}
          set sms-phone {string}
          set passwd-policy {string}
          set passwd-time {user}
          set authtimeout {integer}
          set workstation {string}
          set auth-concurrent-override [enable|disable]
          set auth-concurrent-value {integer}
          set ppk-secret {password-3}
          set ppk-identity {string}
      next
  end

config user local

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| id | User ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
| status | Enable/disable allowing the local user to authenticate with the FortiGate unit. enable: Enable user. disable: Disable user. | option | - |
| type | Authentication method. password: Password authentication. radius: RADIUS server authentication. tacacs+: TACACS+ server authentication. ldap: LDAP server authentication. | option | - |
| passwd | User's password. | password | Not Specified |
| ldap-server | Name of LDAP server with which the user must authenticate. | string | Maximum length: 35 |
| radius-server | Name of RADIUS server with which the user must authenticate. | string | Maximum length: 35 |
| tacacs+-server | Name of TACACS+ server with which the user must authenticate. | string | Maximum length: 35 |
| two-factor | Enable/disable two-factor authentication. disable: disable. fortitoken: FortiToken. email: Email authentication code. sms: SMS authentication code. fortitoken-cloud: FortiToken Cloud Service. | option | - |
| fortitoken | Two-factor recipient's FortiToken serial number. | string | Maximum length: 16 |
| email-to | Two-factor recipient's email address. | string | Maximum length: 63 |
| sms-server | Send SMS through FortiGuard or other external server. fortiguard: Send SMS by FortiGuard. custom: Send SMS by custom server. | option | - |
| sms-custom-server | Two-factor recipient's SMS server. | string | Maximum length: 35 |
| sms-phone | Two-factor recipient's mobile phone number. | string | Maximum length: 15 |
| passwd-policy | Password policy to apply to this user, as defined in config user password-policy. | string | Maximum length: 35 |
| passwd-time | Time of the last password update. | user | Not Specified |
| authtimeout | Time in minutes before the authentication timeout for a user is reached. | integer | Minimum value: 0 Maximum value: 1440 |
| workstation | Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation. | string | Maximum length: 35 |
| auth-concurrent-override | Enable/disable overriding the policy-auth-concurrent under config system global. enable: Enable auth-concurrent-override. disable: Disable auth-concurrent-override. | option | - |
| auth-concurrent-value | Maximum number of concurrent logins permitted from the same user. | integer | Minimum value: 0 Maximum value: 100 |
| ppk-secret | IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified |
| ppk-identity | IKEv2 Postquantum Preshared Key Identity. | string | Maximum length: 35 |
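
The following is an added example, not Fortinet code: a small Python linter that reads a `config user local` block (for instance a template or backup, before it is applied) and reports entries that conflict with the table above or with a baseline. The sample block is constructed, and the baseline rules (two-factor required, a password policy for password users, a companion setting for each `type` and `two-factor` choice, an absent `two-factor` line treated as disabled) are assumptions of this example. Only the `authtimeout` range is taken from the table.

```python
import shlex
# Constructed sample in the style of a `config user local` block (not from a real device).
SAMPLE = """config user local
    edit "alice"
        set type password
        set two-factor fortitoken
        set fortitoken "CONSTRUCTED00001"
        set passwd-policy "strong"
    next
    edit "bob"
        set type password
    next
    edit "carol"
        set type ldap
        set two-factor email
        set authtimeout 2000
    next
end"""
# Audit assumption: each type / two-factor choice needs its companion setting.
NEEDS = {"ldap": "ldap-server", "radius": "radius-server", "tacacs+": "tacacs+-server",
         "fortitoken": "fortitoken", "email": "email-to", "sms": "sms-phone"}

def parse_local_users(text):
    """Return {user: {setting: value}} for every `edit` entry in the block."""
    users, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # handles quoted names and values
        if tok[:1] == ["edit"] and len(tok) > 1:
            current = users.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
        elif tok[:1] == ["next"]:
            current = None
    return users

def audit(users):
    """Return (user, finding) pairs, in block order."""
    findings = []
    for name, cfg in users.items():
        tfa = cfg.get("two-factor", "disable")  # assumption: absent means disabled
        if tfa == "disable":
            findings.append((name, "two-factor disabled"))
        if cfg.get("type") == "password" and "passwd-policy" not in cfg:
            findings.append((name, "no passwd-policy"))
        for choice in (cfg.get("type"), tfa):
            if choice in NEEDS and NEEDS[choice] not in cfg:
                findings.append((name, f"{choice} without {NEEDS[choice]}"))
        if not 0 <= int(cfg.get("authtimeout", 0)) <= 1440:  # range from the table
            findings.append((name, "authtimeout outside 0-1440"))
    return findings
```
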
