Users
A user is a user account consisting of a username, password, and sometimes other information, that is configured in FortiOS or on an external authentication server. There are several types of user accounts with slightly different methods of authentication.
User type |
Authentication method |
---|---|
Local |
The username and password must match a user account stored in FortiOS. Authentication is done by a firewall policy. |
Remote |
Remote users consist of usernames defined in FortiOS that are authenticated by a remote server. For example, RADIUS, TACACS+, LDAP, or FortiNAC. The server must be configured in FortiOS before creating a user. |
FSSO |
Users on a Microsoft Windows, Citrix, or Novell network can use their network authentication to access resources through the FortiGate. Access is controlled through FSSO user groups, which contain Windows, Citrix, or Novell user groups as members. The FSSO agent must be configured in FortiOS before creating a user (see FSSO). |
PKI or peer |
A PKI or peer user is a digital certificate holder that authenticates using a client certificate. No password is required, unless two-factor authentication is enabled. In the GUI, the User & Authentication > PKI menu is only available after a PKI user is configured in the CLI (see Configuring a PKI user). |
Some user types have an option to enable multi-factor authentication using FortiToken or FortiToken Cloud. In some cases, the user must be defined first, and then can be edited to add multi-factor authentication. See FortiTokens for more information.
To create a user:
- Go to User Authentication > User Definition and click Create New. The Users/Groups Creation Wizard appears.
- Select a User Type and click Next.
- The remaining wizard steps depend on the user type:
- Local User:
- Enter a Username and Password, then click Next.
- Optionally, enable Two-factor Authentication and configure the following:
Authentication Type
Select FortiToken Cloud or FortiToken.
Token
If using FortiToken to authenticate, select a token.
Email Address
Enter an email address.
SMS
Enable to send an SMS message to activate the token.
Country Dial Code
Select the country code.
Phone Number
Enter a phone number.
- Click Next, then click Submit.
- Remote LDAP User:
- Select an LDAP Server, then click Next.
- Select the users to add from the LDAP server. If the user ID matches an existing configured username, it cannot be added.
- Click Submit.
- Remote RADIUS User and Remote TACACS+ User:
- Enter a Username and select the server.
- Click Next.
- Optionally, enable Two-factor Authentication and configure the settings as needed.
- Click Next, then click Submit.
- FSSO:
- Select an FSSO Agent, click the + to add AD Groups, then click Next.
- Select an FSSO group to add the AD Groups to. If an FSSO group already exists (see Configuring FSSO user groups), click Choose Existing and select the group. Otherwise, click Create New, enter a name, and click OK.
- Click Submit.
- Local User: