Fortinet black logo

CLI Reference

config user local

config user local

Configure local users.

config user local

Description: Configure local users.

edit <name>

set id {integer}

set status [enable|disable]

set type [password|radius|...]

set passwd {password}

set ldap-server {string}

set radius-server {string}

set tacacs+-server {string}

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set passwd-policy {string}

set passwd-time {user}

set authtimeout {integer}

set workstation {string}

set auth-concurrent-override [enable|disable]

set auth-concurrent-value {integer}

set ppk-secret {password-3}

set ppk-identity {string}

set username-sensitivity [disable|enable]

next

end

config user local

Parameter

Description

Type

Size

Default

id

User ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

status

Enable/disable allowing the local user to authenticate with the FortiGate unit.

option

-

enable

Option

Description

enable

Enable user.

disable

Disable user.

type

Authentication method.

option

-

password

Option

Description

password

Password authentication.

radius

RADIUS server authentication.

tacacs+

TACACS+ server authentication.

ldap

LDAP server authentication.

passwd

User's password.

password

Not Specified

ldap-server

Name of LDAP server with which the user must authenticate.

string

Maximum length: 35

radius-server

Name of RADIUS server with which the user must authenticate.

string

Maximum length: 35

tacacs+-server

Name of TACACS+ server with which the user must authenticate.

string

Maximum length: 35

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

disable

fortitoken

FortiToken

fortitoken-cloud

FortiToken Cloud Service.

email

Email authentication code.

sms

SMS authentication code.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

Two-factor recipient's FortiToken serial number.

string

Maximum length: 16

email-to

Two-factor recipient's email address.

string

Maximum length: 63

sms-server

Send SMS through FortiGuard or other external server.

option

-

fortiguard

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Two-factor recipient's SMS server.

string

Maximum length: 35

sms-phone

Two-factor recipient's mobile phone number.

string

Maximum length: 15

passwd-policy

Password policy to apply to this user, as defined in config user password-policy.

string

Maximum length: 35

passwd-time

Time of the last password update.

user

Not Specified

authtimeout

Time in minutes before the authentication timeout for a user is reached.

integer

Minimum value: 0 Maximum value: 1440

0

workstation

Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation.

string

Maximum length: 35

auth-concurrent-override

Enable/disable overriding the policy-auth-concurrent under config system global.

option

-

disable

Option

Description

enable

Enable auth-concurrent-override.

disable

Disable auth-concurrent-override.

auth-concurrent-value

Maximum number of concurrent logins permitted from the same user.

integer

Minimum value: 0 Maximum value: 100

0

ppk-secret

IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

ppk-identity

IKEv2 Postquantum Preshared Key Identity.

string

Maximum length: 35

username-sensitivity

Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled).

option

-

enable

Option

Description

disable

Ignore case and accents. Username at prompt not required to match case or accents.

enable

Do not ignore case and accents. Username at prompt must be an exact match.

config user local

Configure local users.

config user local

Description: Configure local users.

edit <name>

set id {integer}

set status [enable|disable]

set type [password|radius|...]

set passwd {password}

set ldap-server {string}

set radius-server {string}

set tacacs+-server {string}

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set passwd-policy {string}

set passwd-time {user}

set authtimeout {integer}

set workstation {string}

set auth-concurrent-override [enable|disable]

set auth-concurrent-value {integer}

set ppk-secret {password-3}

set ppk-identity {string}

set username-sensitivity [disable|enable]

next

end

config user local

Parameter

Description

Type

Size

Default

id

User ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

status

Enable/disable allowing the local user to authenticate with the FortiGate unit.

option

-

enable

Option

Description

enable

Enable user.

disable

Disable user.

type

Authentication method.

option

-

password

Option

Description

password

Password authentication.

radius

RADIUS server authentication.

tacacs+

TACACS+ server authentication.

ldap

LDAP server authentication.

passwd

User's password.

password

Not Specified

ldap-server

Name of LDAP server with which the user must authenticate.

string

Maximum length: 35

radius-server

Name of RADIUS server with which the user must authenticate.

string

Maximum length: 35

tacacs+-server

Name of TACACS+ server with which the user must authenticate.

string

Maximum length: 35

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

disable

fortitoken

FortiToken

fortitoken-cloud

FortiToken Cloud Service.

email

Email authentication code.

sms

SMS authentication code.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

Two-factor recipient's FortiToken serial number.

string

Maximum length: 16

email-to

Two-factor recipient's email address.

string

Maximum length: 63

sms-server

Send SMS through FortiGuard or other external server.

option

-

fortiguard

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Two-factor recipient's SMS server.

string

Maximum length: 35

sms-phone

Two-factor recipient's mobile phone number.

string

Maximum length: 15

passwd-policy

Password policy to apply to this user, as defined in config user password-policy.

string

Maximum length: 35

passwd-time

Time of the last password update.

user

Not Specified

authtimeout

Time in minutes before the authentication timeout for a user is reached.

integer

Minimum value: 0 Maximum value: 1440

0

workstation

Name of the remote user workstation, if you want to limit the user to authenticate only from a particular workstation.

string

Maximum length: 35

auth-concurrent-override

Enable/disable overriding the policy-auth-concurrent under config system global.

option

-

disable

Option

Description

enable

Enable auth-concurrent-override.

disable

Disable auth-concurrent-override.

auth-concurrent-value

Maximum number of concurrent logins permitted from the same user.

integer

Minimum value: 0 Maximum value: 100

0

ppk-secret

IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

ppk-identity

IKEv2 Postquantum Preshared Key Identity.

string

Maximum length: 35

username-sensitivity

Enable/disable case and accent sensitivity when performing username matching (accents are stripped and case is ignored when disabled).

option

-

enable

Option

Description

disable

Ignore case and accents. Username at prompt not required to match case or accents.

enable

Do not ignore case and accents. Username at prompt must be an exact match.