Fortinet black logo

CLI Reference

user local

Configure local users.

  config user local
      Description: Configure local users.
      edit <name>
          set id {integer}
          set status [enable|disable]
          set type [password|radius|...]
          set passwd {password}
          set ldap-server {string}
          set radius-server {string}
          set tacacs+-server {string}
          set two-factor [disable|fortitoken|...]
          set two-factor-authentication [fortitoken|email|...]
          set two-factor-notification [email|sms]
          set fortitoken {string}
          set email-to {string}
          set sms-server [fortiguard|custom]
          set sms-custom-server {string}
          set sms-phone {string}
          set passwd-policy {string}
          set passwd-time {user}
          set authtimeout {integer}
          set workstation {string}
          set auth-concurrent-override [enable|disable]
          set auth-concurrent-value {integer}
          set ppk-secret {password-3}
          set ppk-identity {string}
          set username-case-sensitivity [disable|enable]
      next
  end

config user local

Parameter Name Description Type Size
id User ID. integer Minimum value: 0 Maximum value: 4294967295
status Enable/disable allowing the local user to authenticate with the FortiGate unit.
enable: Enable user.
disable: Disable user.
option -
type Authentication method.
password: Password authentication.
radius: RADIUS server authentication.
tacacs+: TACACS+ server authentication.
ldap: LDAP server authentication.
option -
passwd User's password. password Not Specified
ldap-server Name of LDAP server with which the user must authenticate. string Maximum length: 35
radius-server Name of RADIUS server with which the user must authenticate. string Maximum length: 35
tacacs+-server Name of TACACS+ server with which the user must authenticate. string Maximum length: 35
two-factor Enable/disable two-factor authentication.
disable: disable
fortitoken: FortiToken
fortitoken-cloud: FortiToken Cloud Service.
email: Email authentication code.
sms: SMS authentication code.
option -
two-factor-authentication Authentication method by FortiToken Cloud.
fortitoken: FortiToken authentication.
email: Email one time password.
sms: SMS one time password.
option -
two-factor-notification Notification method for user activation by FortiToken Cloud.
email: Email notification for activation code.
sms: SMS notification for activation code.
option -
fortitoken Two-factor recipient's FortiToken serial number. string Maximum length: 16
email-to Two-factor recipient's email address. string Maximum length: 63
sms-server Send SMS through FortiGuard or other external server.
fortiguard: Send SMS by FortiGuard.
custom: Send SMS by custom server.
option -
sms-custom-server Two-factor recipient's SMS server. string Maximum length: 35
sms-phone Two-factor recipient's mobile phone number. string Maximum length: 15
passwd-policy Password policy to apply to this user, as defined in config user password-policy. string Maximum length: 35
passwd-time Time of the last password update. user Not Specified
authtimeout Time in minutes before the authentication timeout for a user is reached. integer Minimum value: 0 Maximum value: 1440
workstation Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation. string Maximum length: 35
auth-concurrent-override Enable/disable overriding the policy-auth-concurrent under config system global.
enable: Enable auth-concurrent-override.
disable: Disable auth-concurrent-override.
option -
auth-concurrent-value Maximum number of concurrent logins permitted from the same user. integer Minimum value: 0 Maximum value: 100
ppk-secret IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
ppk-identity IKEv2 Postquantum Preshared Key Identity. string Maximum length: 35
username-case-sensitivity Enable/disable case sensitivity when performing username matching (uppercase and lowercase letters are treated either as distinct or equivalent).
disable: Ignore case. Username at prompt not required to match case.
enable: Do not ignore case. Username at prompt must match case.
option -

Configure local users.

  config user local
      Description: Configure local users.
      edit <name>
          set id {integer}
          set status [enable|disable]
          set type [password|radius|...]
          set passwd {password}
          set ldap-server {string}
          set radius-server {string}
          set tacacs+-server {string}
          set two-factor [disable|fortitoken|...]
          set two-factor-authentication [fortitoken|email|...]
          set two-factor-notification [email|sms]
          set fortitoken {string}
          set email-to {string}
          set sms-server [fortiguard|custom]
          set sms-custom-server {string}
          set sms-phone {string}
          set passwd-policy {string}
          set passwd-time {user}
          set authtimeout {integer}
          set workstation {string}
          set auth-concurrent-override [enable|disable]
          set auth-concurrent-value {integer}
          set ppk-secret {password-3}
          set ppk-identity {string}
          set username-case-sensitivity [disable|enable]
      next
  end

config user local

Parameter Name Description Type Size
id User ID. integer Minimum value: 0 Maximum value: 4294967295
status Enable/disable allowing the local user to authenticate with the FortiGate unit.
enable: Enable user.
disable: Disable user.
option -
type Authentication method.
password: Password authentication.
radius: RADIUS server authentication.
tacacs+: TACACS+ server authentication.
ldap: LDAP server authentication.
option -
passwd User's password. password Not Specified
ldap-server Name of LDAP server with which the user must authenticate. string Maximum length: 35
radius-server Name of RADIUS server with which the user must authenticate. string Maximum length: 35
tacacs+-server Name of TACACS+ server with which the user must authenticate. string Maximum length: 35
two-factor Enable/disable two-factor authentication.
disable: disable
fortitoken: FortiToken
fortitoken-cloud: FortiToken Cloud Service.
email: Email authentication code.
sms: SMS authentication code.
option -
two-factor-authentication Authentication method by FortiToken Cloud.
fortitoken: FortiToken authentication.
email: Email one time password.
sms: SMS one time password.
option -
two-factor-notification Notification method for user activation by FortiToken Cloud.
email: Email notification for activation code.
sms: SMS notification for activation code.
option -
fortitoken Two-factor recipient's FortiToken serial number. string Maximum length: 16
email-to Two-factor recipient's email address. string Maximum length: 63
sms-server Send SMS through FortiGuard or other external server.
fortiguard: Send SMS by FortiGuard.
custom: Send SMS by custom server.
option -
sms-custom-server Two-factor recipient's SMS server. string Maximum length: 35
sms-phone Two-factor recipient's mobile phone number. string Maximum length: 15
passwd-policy Password policy to apply to this user, as defined in config user password-policy. string Maximum length: 35
passwd-time Time of the last password update. user Not Specified
authtimeout Time in minutes before the authentication timeout for a user is reached. integer Minimum value: 0 Maximum value: 1440
workstation Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation. string Maximum length: 35
auth-concurrent-override Enable/disable overriding the policy-auth-concurrent under config system global.
enable: Enable auth-concurrent-override.
disable: Disable auth-concurrent-override.
option -
auth-concurrent-value Maximum number of concurrent logins permitted from the same user. integer Minimum value: 0 Maximum value: 100
ppk-secret IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
ppk-identity IKEv2 Postquantum Preshared Key Identity. string Maximum length: 35
username-case-sensitivity Enable/disable case sensitivity when performing username matching (uppercase and lowercase letters are treated either as distinct or equivalent).
disable: Ignore case. Username at prompt not required to match case.
enable: Do not ignore case. Username at prompt must match case.
option -