
Doc ID: cf64849f-3ef9-11eb-96b9-00505692583a:946124

Users and user groups

The FortiSwitch unit provides authentication mechanisms to control user access to the system (based on the user group associated with the user). The members of user groups are user accounts. Local users and peer users are defined on the FortiSwitch unit. User accounts can also be defined on remote authentication servers.

This section describes how to configure local users and peer users and how to configure user groups. For information about configuring the authentication servers, see Remote authentication servers.

This chapter covers the following topics:
  • Users
  • User groups

Users

A user account consists of a user name, password, and potentially other information, configured in a local user database or on an external authentication server.

Users can access resources that require authentication only if they are members of an allowed user group.

Using the GUI:
  1. Go to System > User > Definition.
  2. Select Add User.
  3. Enter the user name.
  4. Select Enable to make the user account active.
  5. Enter the password for the user account. Passwords can be up to 64 characters in length.
  6. Select Add.
Using the CLI:

config user local
    edit <user_name>
        set ldap-server <server_name>
        set passwd <password_string>
        set radius-server <server_name>
        set tacacs+-server <server_name>
        set status {enable | disable}
        set type <auth-type>
end

The following table describes the parameters:

user_name
    Identifies the user.

password_string
    The password for the local user. Passwords can be up to 64 characters in length.

ldap-server <server_name>, radius-server <server_name>, tacacs+-server <server_name>
    To authenticate this user with a password stored on a remote authentication server, set the server of the matching type. You can specify only a server that has already been added to the FortiSwitch configuration.

status {enable | disable}
    Enable or disable this user.

type <auth-type>
    Selects how the user is authenticated: password (the local passwd), or ldap, radius, or tacacs+ (the remote server of the corresponding type).

User groups

A user group contains a list of local and remote users.

Security policies allow access to specified user groups only. This restricted access enforces Role Based Access Control (RBAC) to your organization’s network and its resources. Users must be in a group and that group must be part of the security policy.

Using the GUI:
  1. Go to System > User > Group.
  2. Select Add Group.
  3. Enter the group name.
  4. Select which available users will be members of the new user group.
  5. Select Enable to make the user group active.
  6. If you want to use an authentication server, select Add Server.
    • Select the server name. If no server name is available, go to System > Authentication to add an authentication server.
    • Enter a group name or select Any.
  7. Select Add Group.
Using the CLI:

config user group
    edit <groupname>
        set authtimeout <timeout>
        set group-type <grp_type>
        set http-digest-realm <attribute>
        set member <names>
        config match
            edit <match_id>
                set group-name <gname_str>
                set server-name <srvname_str>
        end
end

The following table describes the parameters:

groupname
    Identifies the user group.

authtimeout <timeout>
    Sets the authentication timeout for the user group. The range is 1 to 480 minutes. If this field is set to 0, the global authentication timeout value is used.

group-type <grp_type>
    Enter the group type. <grp_type> determines the type of users and is one of the following:
      • firewall: FortiSwitch users defined in user local, user ldap, or user radius
      • fsso-service: Directory Service users

http-digest-realm <attribute>
    Enter the realm attribute for MD5-digest authentication.

member <names>
    Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate the names with spaces. To add or remove names from the group, you must re-enter the whole list with the additions or deletions required.

config match fields

<match_id>
    Enter an ID for the entry.

group-name <gname_str>
    Identifies the matching group on the remote authentication server.

server-name <srvname_str>
    Specifies the remote authentication server.
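Added example, not Fortinet code and not part of this documentation: a small Python audit that parses a FortiSwitch-style CLI dump of the config user local and config user group tables described in the two sections above and checks the rules they state: a user who authenticates against a remote server must reference a server that is already defined, a local password must not exceed 64 characters, every group member must be a defined user or server, authtimeout must be 0 or between 1 and 480, and a user who belongs to no group cannot reach group-restricted resources. Every name in the sample (alice, corp-radius, netadmins and so on) is constructed; the config user radius table name, the next keyword and the default type password are assumptions about the CLI rather than something this page documents.

```python
# Added example (not Fortinet code): parse a FortiSwitch-style CLI dump of
# 'config user local' / 'config user group' and audit it against the rules
# the documentation states.  All names below are hypothetical.
import shlex

# Constructed sample configuration.  The 'config user radius' table name and
# the 'next' keyword are assumptions; an ENC password is accepted as-is.
SAMPLE_CONFIG = """
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
    next
end
config user local
    edit "alice"
        set type password
        set passwd "s3cret-but-fine"
    next
    edit "bob"
        set type radius
        set radius-server "corp-radius"
    next
    edit "carol"
        set type radius
        set radius-server "old-radius"
    next
end
config user group
    edit "netadmins"
        set authtimeout 30
        set member "alice" "bob" "ghost"
    next
    edit "remote-ops"
        set authtimeout 900
        set group-type firewall
        config match
            edit 1
                set server-name "corp-radius"
                set group-name "ops"
            next
        end
    next
end
"""

def parse_fortios(text: str) -> dict:
    """Nest 'config'/'edit' scopes into dicts; 'set k v...' becomes k -> [v...]."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)          # honours the "quoted name" form
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":                # table such as "user local" or "match"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":                # one entry inside the current table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):       # leave the current scope
            stack.pop()
    return root

def audit(cfg: dict) -> list:
    """Return one finding per rule violation; an empty list means clean."""
    findings = []
    users = cfg.get("user local", {})
    servers = {t: set(cfg.get(f"user {t}", {})) for t in ("ldap", "radius", "tacacs+")}
    for name, u in users.items():
        utype = u.get("type", ["password"])[0]     # 'password' default is assumed
        if utype == "password":
            pw = u.get("passwd", [])
            if not pw:
                findings.append(f"user {name}: no password set")
            elif pw[0] != "ENC" and len(pw[0]) > 64:   # page: at most 64 characters
                findings.append(f"user {name}: password exceeds 64 characters")
        elif utype in servers:                           # server must already exist
            ref = u.get(f"{utype}-server", [""])[0]
            if ref not in servers[utype]:
                findings.append(f"user {name}: {utype}-server {ref!r} is not defined")
    member_of = {n: [] for n in users}
    for gname, g in cfg.get("user group", {}).items():
        for m in g.get("member", []):
            if m in member_of:
                member_of[m].append(gname)
            elif not any(m in s for s in servers.values()):
                findings.append(f"group {gname}: member {m!r} is not a defined user or server")
        t = int(g.get("authtimeout", ["0"])[0])         # 0 = use the global timeout
        if t != 0 and not 1 <= t <= 480:
            findings.append(f"group {gname}: authtimeout {t} is outside 1-480 minutes")
    for name, groups in member_of.items():              # no group means no access
        if not groups:
            findings.append(f"user {name}: not a member of any group")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_fortios(SAMPLE_CONFIG))))
```

Running the block against the constructed sample reports four findings: carol points at a RADIUS server that was never added, netadmins lists a member that exists nowhere, remote-ops sets an authtimeout above the 480-minute maximum, and carol belongs to no group at all. The member check matters in practice because, as the member field notes, the list is replaced wholesale on every set, so a typo in a re-entered list silently drops or misnames an account.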
