config user
The config user
commands provide configuration of user accounts and user groups for firewall policy authentication, administrator authentication, and some types of VPN authentication:
- config user group
- config user ldap
- config user local
- config user peer
- config user peergrp
- config user radius
- config user setting
- config user tacacs+
config user group
Use this command to add or edit user groups.
Syntax
config user group
edit <group_name>
set group-type <grp_type>
set authtimeout <timeout>
set http-digest-realm <attribute>
set member <names>
config match
edit <match_id>
set group-name <gname_str>
set server-name <srvname_str>
end
end
Variable |
Description |
Default |
<group_name> |
Enter a new name to create a new group or enter an existing group name to edit that group. |
No default |
group-type <grp_type> |
Enter the group type. <grp_type> determines the type of users and is one of the following:
|
firewall |
authtimeout <timeout> |
Set the authentication timeout for the user group, range 1 to 480 minutes. If set to 0, the global authentication timeout value is used. |
0 |
http-digest-realm <attribute> |
Enter the realm attribute for MD5-digest authentication |
No default |
member <names> |
Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate the names with spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required. |
No default |
config match |
||
<match_id> |
Enter an ID for the entry. |
No default |
group-name <gname_str> |
The name of the matching group on the remote authentication server. Specify the user group names on the authentication servers that are members of this FortiSwitch user group. If no matches are specified, all users on the server can authenticate. |
No default |
server-name <srvname_str> |
The name of the remote authentication server. |
No default |
Example
This example shows how to create a user group:
config user group
edit "Radius_group"
set member "FortiAuthenticator"
end
end
config user ldap
Use this command to add or edit the definition of an LDAP server for user authentication.
To authenticate with the FortiSwitch unit, the user enters a user name and password. The system sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiSwitch unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiSwitch unit.
Syntax
config user ldap
edit <server_name>
set cnid <id>
set dn <dname>
set group-member-check {user-attr | group-object}
set member-attr <attr_name>
set port <number>
set server <domain>
set type <auth_type>
set username <ldap_username>
set password <ldap_passwd>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
set secure <auth_port>
end
Variable |
Description |
Default |
<server_name> |
Enter a name to identify the LDAP server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition. |
No default |
cnid <id> |
Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid. Maximum 20 characters. |
cn |
dn <dname> |
Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the Common Name Identifier. The FortiSwitch passes this distinguished name unchanged to the server. You must provide a Maximum 512 characters. |
No default |
group-member-check {user-attr | group-object} |
Select the group membership checking method: user attribute or group object. |
user-attr |
member-attr <attr_name> |
An attribute of the group that is used to authenticate users. |
No default |
port <number> |
Enter the port number for communication with the LDAP server. |
389 |
server <domain> |
Enter the LDAP server domain name or IP address. |
No default |
type <auth_type> |
Enter the authentication type for LDAP searches. One of: See the notes following the table for additional information. |
simple |
username <ldap_username> |
This field is available only if |
No default |
password <ldap_passwd> |
This field is available only if |
No default |
password-expiry-warning {disable | enable} |
Enable or disable password expiry warnings. |
disable |
password-renewal {disable | enable} |
Enable or disable online password renewal. |
disable |
secure <auth_port>{disable | starttls | ldaps} |
Select the port to be used in authentication:
|
disable |
Notes on Authentication Type
The following are the authentication types for LDAP searches:
anonymous
—bind using anonymous user searchregular
—bind using user name and password and then searchsimple
—simple password authentication without search
You can use simple
authentication if the user records are all under one dn
that you know. If the users are under more than one dn
, use the anonymous
or regular
type, which can search the entire LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular
type and provide values for username
and password
.
config user local
Use this command to add local user names and configure user authentication for the system. To add authentication by LDAP or RADIUS server you must first add servers using the config user ldap
and config user radius
commands.
Syntax
config user local
edit <user_name>
set ldap-server <server_name>
set passwd <password_str>
set radius-server <server_name>
set tacacs+-server <server_name>
set status {enable | disable}
set type <auth-type>
end
Variable |
Description |
Default |
<user_name> |
Enter the user name. Enter a new name to create a new user account or enter an existing user name to edit that account. |
No default |
ldap-server <server_name> |
Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. This option is available when |
No default |
passwd <password_str> |
Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords. This option is available when |
No default |
radius-server <server_name> |
Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. This option is available when |
No default |
tacacs+-server <server_name> |
Enter the name of the TACACS+ server with which the user must authenticate. This option is available when |
No default |
status {enable | disable} |
Enter |
enable |
type <auth-type> |
Enter one of the following to specify how this user’s password is verified:
|
No default |
config user peer
Use this command to configure a peer user.
Syntax
config user peer
edit <peer_name>
set ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
set cn <string>
set cn-type {FQDN | email | ipv4 | ipv6 | string}
set ldap-mode {password | principal-name}
set ldap-password <password>
set ldap-server <string>
set ldap-username <string>
set mandatory-ca-verify {enable | disable}
set passwd <password>
set subject <string>
set two-factor {enable |disable}
next
end
Variable |
Description |
Default |
<peer_name> |
Enter the name of the peer user. |
No default |
ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2} |
Select a certificate authority (CA) for the peer certificate. |
No default |
cn <string> |
Enter the common name for the peer certificate. |
No default |
cn-type {FQDN | email | ipv4 | ipv6 | string} |
Enter the type of common name for the peer certificate: fully qualified domain name, email address, IPv4 address, IPv6 address, or a text description. |
string |
ldap-mode {password | principal-name} |
Select whether the peer LDAP requires a password or an email address. The password is specified with the |
password |
ldap-password <password> |
Enter the password for the peer LDAP. This option is available only when the |
No default |
ldap-server <string> |
Enter the name of the LDAP server used for checking access permission. |
No default |
ldap-username <string> |
Enter the user name for the LDAP server. |
No default |
mandatory-ca-verify {enable | disable} |
Enable or disable whether there is mandatory CA verification. |
disable |
passwd <password> |
Enter the user password for two-factor authentication. This option is available only when |
No default |
subject <string> |
Enter any limitations on the peer certificate name. |
No default |
two-factor {enable |disable} |
Enable or disable two-factor authentication. When this option is enabled, the certificate and password are required. Specify the password in the |
disable |
config user peergrp
Use this command to configure a peer user group.
Syntax
config user peergrp
edit <peer_group_name>
set member <list_of_peer_names>
next
end
Variable |
Description |
Default |
<peer_group_name> |
Enter a name for the new peer group. |
No default |
<list_of_peer_names> |
Enter one of more peer users. Separate the names with a space. The peer users must already be configured with the |
No default |
config user radius
Use this command to add or edit the information used for RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change the default RADIUS port. You may set a different port for each of your RADIUS servers. The maximum number of remote RADIUS servers that can be configured for authentication is 10.
The RADIUS server is provided with more information to make authentication decisions, based on values in server
, nas-ip
, and the config user group
subcommand config match
. Attributes include:
- NAS-IP-Address — RADIUS setting or IPv4 address of FortiSwitch interface used to talk to RADIUS server, if not configured
- NAS-IPv6-Address — RADIUS setting or IPv6 address of FortiSwitch interface used to talk to RADIUS server, if not configured
- NAS-Port — physical interface number of the traffic that triggered the authentication
- Called-Station-ID — same value as NAS-IP Address but in text format
- Fortinet-Vdom-Name — name of VDOM of the traffic that triggered the authentication
- NAS-Identifier — configured hostname in non-HA mode; HA cluster group name in HA mode
- Acct-Session-ID — unique ID identifying the authentication session
- Connect-Info — identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-pptp, vpn-l2tp, vpn-ssl, admin-login, test)
You can select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and MS-CHAP-v2.
Syntax
config user radius
edit <RADIUS_user_name>
set acct-fast-framedip-detect <integer>
set acct-interim-interval <integer>
set addr-mode {ipv4 | ipv6)
set all-usergroup {enable | disable}
set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
set frame-mtu-size <integer>
set link-monitor {enable | disable}
set link-monitor-interval <5-120>
set nas-ip <use_ip>
set nas-ip6 <ipv6_addr>
set radius-coa {enable | disable}
set radius-port <radius_port_num>
set secret <server_password>
set server <domain_ipv4_ipv6>
set service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound}
set source-ip <ipv4_addr>
set source-ip6 <ipv6_addr>
config acct-server
edit <accounting_server_ID>
set status {enable | disable}
set server <accounting_server>
set secret <accounting_server_secret>
set port <accounting_server_port>
next
end
end
Variable |
Description |
Default |
<server_name> |
Enter a name of the RADIUS user group. Enter a new name to create a new group definition or enter an existing group name to edit that group definition. |
No default |
acct-fast-framedip-detect <integer> |
Enter the number of seconds allowed for the first-time detection of the Framed-IP-Address attribute from DHCP snooping. The range is 2-600 seconds. |
2 |
acct-interim-interval <integer> |
Enter the number of seconds between each interim accounting message sent to the RADIUS server. The value range is 60-86400. |
600 |
addr-mode {ipv4 | ipv6) |
Select whether to connect to the RADIUS server with IPv4 or IPv6. NOTE: If you select |
ipv4 |
all-usergroup {enable | disable} |
Enable to automatically include this RADIUS server in all user groups. |
disable |
auth-type {auto | chap | ms_chap | ms_chap_v2 | pap} |
Select the authentication method for this RADIUS server. auto uses pap, ms_chap_v2, and chap. |
auto |
frame-mtu-size <integer> |
Enter the maximum frame size in octets used to advertise to the authentication server. The range is 600-1500. |
1500 |
link-monitor {enable | disable} |
Enable or disable whether this server sends periodic ping messages to the RADIUS server to test if it is available. |
disable |
link-monitor-interval <5-120> |
Enter how often (in seconds) the server checks if the RADIUS server is available. |
15 |
nas-ip <use_ip> |
IPv4 address used as NAS-IP-Address and Called‑Station-ID attribute in RADIUS access requests. RADIUS setting or IPv4 address of FortiGate interface used to talk with RADIUS server, if not configured. This option is available when the addr-mode is set to ipv4. |
No default |
nas-ip6 <ipv6_addr> |
IPv6 address used as NAS-IPv6-Address and Called‑Station-ID attribute in RADIUS access requests. RADIUS setting or IPv6 address of FortiGate interface used to talk with RADIUS server, if not configured. This option is available when the addr-mode is set to ipv6. |
No default |
radius-coa {enable | disable} |
Enable or disable whether this server will use RADIUS change of authorization (CoA). |
disable |
radius-port <radius_port_num> |
Change the default RADIUS port for this server. Range is 0-65535 |
1812 |
secret <server_password> |
Enter the RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length. |
No default |
server <domain_ipv4_ipv6> |
Enter the RADIUS server domain name, IPv4 address, or IPv6 address. NOTE: If you selected |
No default |
source-ip <ipv4_addr> |
Enter the source IPv4 address for communicating to the RADIUS server. This option is available when the addr-mode is set to ipv4. |
0.0.0.0 |
source-ip6 <ipv6_addr> |
Enter the source IPv6 address for communicating to the RADIUS server. This option is available when the addr-mode is set to ipv6. |
No default |
config acct-server |
||
<accounting_server_ID> |
Enter the identifier for the accounting server. The value range is 0-4294967295. |
No default |
status {enable | disable} |
Enable or disable RADIUS accounting. |
disable |
secret <accounting_server_secret> |
Enter the shared secret key for the RADIUS accounting server. |
* |
server <accounting_server> |
Enter the RADIUS server domain name, IPv4 address, or IPv6 address of the RADIUS server that will be receiving the accounting messages. |
No default |
service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound} |
Select the Service-Type value. Separate multiple values with a space. |
none |
port <accounting_server_port> |
Enter the port number for the RADIUS accounting server to receive accounting messages from the FortiSwitch unit. |
1813 |
Notes on context timeout
The number of seconds that a user context entry can remain in the user context list without the system receiving a communication session from the carrier end point. If a user context entry is not being looked up, then the user must no longer be connected to the network.
This timeout is only required if the system doesn’t receive the RADIUS Stop record. However, even if the accounting system does send RADIUS Stop records this timeout should be set in case the FortiSwitch misses a Stop record.
The default user context entry timeout is 28800 seconds (8 hours). You can keep this timeout relatively high because its not usually a problem to have a long list, but entries that are no longer used should be removed regularly.
You might want to reduce this timeout if the accounting server does not send RADIUS Stop records. Also if customer IP addresses change often you might want to set this timeout lower so that out of date entries are removed from the list.
If this timeout is too low the FortiSwitch could remove user context entries for users who are still connected.
Dynamic Flag values
none
— Disable writing event log messages for dynamic profile events.accounting-event
— Enable to write an event log message when the system does not find the expected information in a RADIUS Record. For example, if a RADIUS record contains more than the expected number of addresses.accounting-stop-missed
— Enable to write an event log message whenever a user context entry timeout expires indicating that the system removed an entry from the user context list without receiving a RADIUS Stop message.context-missing
— Enable to write an event log message whenever a user context creation timeout expires indicating that the system was not able to match a communication session because a matching entry was not found in the user context list.profile-missing
— Enable to write an event log message whenever the system cannot find a profile group name in a RADIUS start message that matches the name of a profile group added to the system.protocol-error
— Enable to write an event log message if RADIUS protocol errors occur. For example, if a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.radiusd-other
— Enable to write event log messages for other events. The event is described in the log message. For example, write a log message if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.
Example
This example shows how to connect to a RADIUS server using IPv4:
config user radius
edit "local-RADIUS"
set addr-mode ipv4
set server 10.0.23.5
set secret djfhde;rkjfkrekdfjeke
set auth-type ms_chap_v2
set acct-interim-interval 1200
config acct-server
edit 1
set status enable
set server 10.0.23.5
set secret djfhde;rkjfkrekdfjeke
set port 1813
next
end
next
end
This example shows how to connect to a RADIUS server using IPv6:
config user radius
edit "radius"
set acct-interim-interval 60
config acct-server
edit 1
set status enable
set server "ipv6local"
set secret djfhde;rkjfkrekdfjeke
next
end
set radius-coa enable
set secret djfhde;rkjfkrekdfjeke
set server "ipv6local"
set service-type login callback-nas-prompt
set addr-mode ipv6
set nas-ip6 4001:1:2::1
set source-ip6 4001:1:2::1
next
end
config user setting
Use this command to change user authorization settings.
Syntax
config user setting
set auth-blackout-time <blackout_time_int>
set auth-cert <cert_name>
set auth-http-basic {disable | enable}
set auth-invalid-max <int>
set auth-multi-group {enable | disable}
set auth-secure-http {enable | disable}
set auth-type {ftp | http | https | telnet}
set auth-timeout <auth_timeout_minutes>
set auth-timeout-type {idle‑timeout | hard‑timeout | new‑session}
config auth-ports
edit <auth-table-entry-id>
set port <port_int>
set type {ftp | http | https | telnet}
end
end
Variable |
Description |
Default |
auth-blackout-time <blackout_time_int> |
When a firewall authentication attempt fails 5 times within one minute the IP address that is the source of the authentication attempts is denied access for the |
0 |
auth-cert <cert_name> |
HTTPS server certificate for policy authentication. Fortinet_Factory, Fortinet_Firmware (if applicable to your FortiSwitch), and self-sign are built-in certificates but others will be listed as you add them. |
self-sign |
auth-http-basic {disable | enable} |
Enable or disable support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of displaying an authentication web page. Some basic web browsers, for example, web browsers on mobile devices, may only support HTTP basic authentication. |
disable |
auth-invalid-max <int> |
Enter the maximum number of failed authentication attempts to allow before the client is blocked. Range: 1-100. |
5 |
auth-multi-group {enable | disable} |
This option can be disabled if the Active Directory structure is setup such that users belong to only 1 group for purpose of firewall authentication. |
enable |
auth-secure-http {enable | disable} |
Enable to have http user authentication redirected to secure channel - https. |
disable |
auth-type {ftp | http | https | telnet} |
Set the user authentication protocol support for firewall policy authentication. User controls which protocols should support the authentication challenge. |
No Default |
auth-timeout <auth_timeout_minutes> |
Set the number of minutes before the firewall user authentication timeout requires the user to authenticate again. The maximum authtimeout interval is 480 minutes (8 hours). To improve security, keep the authentication timeout at the default value of 5 minutes. |
5 |
auth-timeout-type {idle‑timeout | hard‑timeout | new‑session} |
Set the type of authentication timeout.
|
idle‑timeout |
config auth-ports |
||
<auth-table-entry-id> |
Create an entry in the authentication port table if you are using non-standard ports. |
No Default |
port <port_int> |
Specify the authentication port. Range 1 to 65535. |
1024 |
type {ftp | http | https | telnet} |
Specify the protocol to which |
http |
config user tacacs+
Use this command to add or edit the information used for TACACS+ authentication.
Syntax
config user tacacs+
edit <user name>
set authen-type {ascii | auto | chap | mschap | pap}
set authorization {enable | disable}
set key <passwd>
set port <port number>
set server <domain>
set source-ip <ipv4_addr>
end
Variable |
Description |
Default |
<user name> |
Enter the name of the user. |
No default |
authen-type{ascii | auto | chap | mschap | pap} |
Set the authentication type. Auto will use PAP, MSCHAP, and CHAP (in that order). |
auto |
authorization {disable | enable} |
Enable TACACS+ authorization (service=fortigate) |
disable |
key <passwd> |
Password value for the server. |
* |
port <port_int> |
Specify the authentication port. Range 1 to 65535. |
49 |
server <domain> |
Specify the domain name of the server |
No default |
source-ip <ipv4_addr> |
Set the source IP address. |
0.0.0.0 |
Example
This example shows how to configure a TACACS user account for login authentication:
config user tacacs+
edit tacserver
set authen-type ascii
set authorization enable
set key temporary
set server tacacs_server
end