
FortiSwitchOS Administration Guide

Peer user

A peer user is a digital certificate holder that authenticates using a client certificate.

Using the GUI:
  1. Go to System > User > Peer.
  2. Click Add Peer.
  3. In the Name field, enter the name of the peer user.
  4. In the Subject field, enter any limitations on the peer certificate name.
  5. Select the type of common name for the peer certificate from the Common Type dropdown list. You can select Fully Qualified Domain Name, Email, IPv4, IPv6, or String.
  6. In the Common Name field, enter the common name for the peer certificate.
  7. Select which certificate authority (CA) certificate to use from the Certificate dropdown list.
  8. Select the Mandatory Verify checkbox for mandatory CA verification.
  9. Select the Two-Factor checkbox for two-factor authentication. When two-factor authentication is selected, the certificate and password are required.
  10. If you selected the Two-Factor checkbox, enter a password to use in the Password field.
  11. If you want to use an LDAP server to check access permission:
    1. Select the server name from the Server dropdown list. If no server name is available, go to System > Authentication > LDAP to add an LDAP server.
    2. Select the authentication mode from the Mode dropdown list, either Username and Password or Principal Name.
    3. If you selected Username and Password, enter the user name in the Username field and enter the password in the Password field.
  12. Click Add.
Using the CLI:

config user peer
    edit <peer_name>
        set ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
        set cn <string>
        set cn-type {FQDN | email | ipv4 | ipv6 | string}
        set ldap-mode {password | principal-name}
        set ldap-password <password>
        set ldap-server <string>
        set ldap-username <string>
        set mandatory-ca-verify {enable | disable}
        set passwd <password>
        set subject <string>
        set two-factor {enable | disable}
    next
end

The following table describes the parameters (variable, description, default):

<peer_name>
    Enter the name of the peer user.
    Default: none

ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
    Select the certificate authority (CA) that issued the peer certificate.
    Default: none

cn <string>
    Enter the common name for the peer certificate.
    Default: none

cn-type {FQDN | email | ipv4 | ipv6 | string}
    Enter the type of common name for the peer certificate: fully qualified domain name, email address, IPv4 address, IPv6 address, or a text description.
    Default: string

ldap-mode {password | principal-name}
    Select whether the LDAP check for the peer uses a password (password) or a principal name in the form of an email address (principal-name). The password is specified with the set ldap-password command.
    Default: password

ldap-password <password>
    Enter the password for the peer LDAP check.
    This option is available only when ldap-mode is set to password.
    Default: none

ldap-server <string>
    Enter the name of the LDAP server used for checking access permission.
    Default: none

ldap-username <string>
    Enter the user name for the LDAP server.
    Default: none

mandatory-ca-verify {enable | disable}
    Enable or disable mandatory CA verification of the peer certificate.
    Default: disable

passwd <password>
    Enter the user password for two-factor authentication.
    This option is available only when two-factor is enabled.
    Default: none

subject <string>
    Enter any limitations on the peer certificate name.
    Default: none

two-factor {enable | disable}
    Enable or disable two-factor authentication. When this option is enabled, both the certificate and the password are required. Specify the password with the set passwd command.
    Default: disable
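The following is an added worked example of the CLI procedure above; it is not taken from the guide. It defines two peer users: one that authenticates with a certificate alone, and one that additionally requires a password (two-factor) and an LDAP access check in principal-name mode. The peer names, common names, the LDAP server name corp-ldap, and the password placeholder are assumed sample values; the option keywords and the Fortinet_CA choice come from the command reference above. Because mandatory-ca-verify defaults to disable, both entries set it to enable explicitly so that the presented certificate is verified against the selected CA.

```text
# Added example (not from the FortiSwitchOS guide). Sample values are assumed.
config user peer
    # Certificate-only peer: the client certificate must be issued by Fortinet_CA
    # and carry the FQDN common name given below.
    edit "peer-cert-only"
        set ca Fortinet_CA
        set cn-type FQDN
        set cn "switch-admin.example.com"
        set mandatory-ca-verify enable
        set two-factor disable
    next
    # Certificate plus password, with an LDAP access check keyed on the
    # email-form principal name. "corp-ldap" must already exist under
    # System > Authentication > LDAP (config user ldap).
    edit "peer-cert-2fa-ldap"
        set ca Fortinet_CA
        set cn-type email
        set cn "ops-admin@example.com"
        set mandatory-ca-verify enable
        set two-factor enable
        set passwd "<replace-with-a-strong-password>"
        set ldap-server "corp-ldap"
        set ldap-mode principal-name
    next
end
```

After committing, confirm each entry with `show user peer` and check that mandatory-ca-verify reads enable; an entry left at the default is accepted by the CLI without warning, so the defaults in the parameter table are the values to review when auditing an existing configuration.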
