Peer user
A peer user is a digital certificate holder that authenticates using a client certificate.
Using the GUI:
- Go to System > User > Peer.
- Click Add Peer.
- In the Name field, enter the name of the peer user.
- In the Subject field, enter any limitations on the peer certificate name.
- Select the type of common name for the peer certificate from the Common Type dropdown list. You can select Fully Qualified Domain Name, Email, IPv4, IPv6, or String.
- In the Common Name field, enter the common name for the peer certificate.
- Select which certificate authority (CA) certificate to use from the Certificate dropdown list.
- Select the Mandatory Verify checkbox for mandatory CA verification.
- Select the Two-Factor checkbox for two-factor authentication. When two-factor authentication is selected, the certificate and password are required.
- If you selected the Two-Factor checkbox, enter a password to use in the Password field.
- If you want to use an LDAP server to check access permission:
  - Select the server name from the Server dropdown list. If no server name is available, go to System > Authentication > LDAP to add an LDAP server.
  - Select the authentication mode from the Mode dropdown list, either Username and Password or Principal Name.
  - If you selected Username and Password, enter the user name in the Username field and enter the password in the Password field.
- Click Add.
Using the CLI:
config user peer
    edit <peer_name>
        set ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
        set cn <string>
        set cn-type {FQDN | email | ipv4 | ipv6 | string}
        set ldap-mode {password | principal-name}
        set ldap-password <password>
        set ldap-server <string>
        set ldap-username <string>
        set mandatory-ca-verify {enable | disable}
        set passwd <password>
        set subject <string>
        set two-factor {enable | disable}
    next
end
The following table describes the parameters:
| Variable | Description | Default |
| --- | --- | --- |
| <peer_name> | Enter the name of the peer user. | No default |
| ca {Entrust_802.1x_CA \| Entrust_802.1x_G2_CA \| Entrust_802.1x_L1K_CA \| Fortinet_CA \| Fortinet_CA2} | Select a certificate authority (CA) for the peer certificate. | No default |
| cn <string> | Enter the common name for the peer certificate. | No default |
| cn-type {FQDN \| email \| ipv4 \| ipv6 \| string} | Enter the type of common name for the peer certificate: fully qualified domain name, email address, IPv4 address, IPv6 address, or a text description. | string |
| ldap-mode {password \| principal-name} | Select whether the peer LDAP requires a password or an email address. The password is specified with the | password |
| ldap-password <password> | Enter the password for the peer LDAP. This option is available only when the | No default |
| ldap-server <string> | Enter the name of the LDAP server used for checking access permission. | No default |
| ldap-username <string> | Enter the user name for the LDAP server. | No default |
| mandatory-ca-verify {enable \| disable} | Enable or disable mandatory CA verification. | disable |
| passwd <password> | Enter the user password for two-factor authentication. This option is available only when | No default |
| subject <string> | Enter any limitations on the peer certificate name. | No default |
| two-factor {enable \| disable} | Enable or disable two-factor authentication. When this option is enabled, the certificate and password are required. Specify the password in the | disable |
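As an added example, not taken from this page, here are two peer user definitions built from the commands above: the first restricts the peer certificate to one FQDN common name and subject under the selected CA with mandatory CA verification turned on (the default is disable), and the second additionally requires a second-factor password and an LDAP access check. The peer names, the common names, the subject string, the LDAP server name and the password placeholders are all constructed values.

```text
config user peer
    edit "cert-only-peer"
        set ca Fortinet_CA
        set mandatory-ca-verify enable
        set cn-type FQDN
        set cn "client1.example.com"
        set subject "O=Example Corp"
    next
    edit "cert-plus-ldap-peer"
        set ca Fortinet_CA
        set mandatory-ca-verify enable
        set cn-type email
        set cn "alice@example.com"
        set two-factor enable
        set passwd <placeholder-password>
        set ldap-server "corp-ldap"
        set ldap-mode password
        set ldap-username "svc-peer-check"
        set ldap-password <placeholder-password>
    next
end
```

Each setting corresponds to a row of the table: enabling two-factor makes passwd required, and selecting an LDAP server with ldap-mode password calls for ldap-username and ldap-password.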