CLI Reference

user user-group

Use this command to configure user groups.

User groups are used by the HTTP authentication feature to authenticate clients and authorize their HTTP requests. A group can include a mixture of local user accounts and LDAP, RADIUS, and NTLM user queries.

Before you can configure a user group, you must first configure any local user accounts or user queries that you want to include. For details, see user local-user, user ldap-user, user radius-user, or user ntlm-user.

To apply user groups, select them within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see waf HTTP-authen HTTP-authen-rule.

To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

Syntax

config user user-group

edit "<user-group_name>"

set auth-type {basic | digest | NTLM}

config members

edit <entry_index>

set type {ldap | local | ntlm | radius}

set ldap-name "<query_name>"

set local-name "<query_name>"

set ntlm-name "<query_name>"

set radius-name "<query_name>"

next

end

next

end

Variable Description Default

"<user-group_name>"

Enter the name of the user group. The maximum length is 63 characters.

To display the list of existing groups, enter:

edit ?

No default.

auth-type {basic | digest | NTLM}

Select one of the following authentication types:

  • basic—This is the original and most widely supported HTTP authentication scheme. It is also the least secure: the user name and password are sent in the Authorization header as Base64 text, which is encoding, not encryption, so anyone who can observe the connection can read them. Use it only over HTTPS.
  • digest—Authentication sends a hash of the user name, password, a server nonce, and request details instead of the password itself, so the password is never transmitted. It is stronger than basic, but the hash is MD5-based and offers no confidentiality for the rest of the request, so it should still be used over HTTPS. Because the server must know the password to verify the hash, digest can only be validated against accounts whose password FortiWeb itself stores.
  • NTLM—Authentication uses Microsoft's proprietary challenge-response protocol, so the password is not sent in clear text. It is considered more secure than basic authentication and is intended for members defined by NTLM user queries.
basic

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

ldap-name "<query_name>"

Select the name of an LDAP user query.

Available if the value of type {ldap | local | ntlm | radius} is ldap.

The maximum length is 63 characters.

No default.

local-name "<query_name>"

Select the name of a local user account.

Available if the value of type {ldap | local | ntlm | radius} is local.

The maximum length is 63 characters.

No default.

ntlm-name "<query_name>"

Select the name of an NTLM user query.

Available if the value of type {ldap | local | ntlm | radius} is ntlm.

The maximum length is 63 characters.

No default.

radius-name "<query_name>"

Select the name of a RADIUS user query.

Available if the value of type {ldap | local | ntlm | radius} is radius.

The maximum length is 63 characters.

No default.

type {ldap | local | ntlm | radius}

Select which type of user account or user query you want to add to the group.

Note: You can mix all user types in the group. However, if the group's auth-type {basic | digest | NTLM} cannot be completed against a given user type, all members of that type are ignored, effectively disabling them. For example, a digest response cannot be verified by an LDAP bind or a RADIUS query, because those backends check a password and digest never sends one, and NTLM requires an NTLM user query. Before relying on a mixed group, test a login with an account of each member type.

local

Example

For an example, see waf HTTP-authen HTTP-authen-policy.
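The following configuration is an added example for this page, not the example referenced above or any configuration shipped by Fortinet. It shows two groups whose auth-type matches the member types they contain, which is the practical consequence of the note under type above: one group of LDAP and RADIUS queries that can only be satisfied by basic, and one group of local accounts that can use digest because FortiWeb stores their passwords. The group names and the member names "ldap_corp", "radius_vpn", "alice" and "svc_api" are placeholders; the queries and accounts behind them must already exist (user ldap-user, user radius-user, user local-user) or the set commands will be rejected.

```text
config user user-group
  edit "group_directory_users"
    # basic is the only scheme an LDAP bind or RADIUS query can verify;
    # credentials travel Base64-encoded, so serve this only over HTTPS.
    set auth-type basic
    config members
      edit 1
        set type ldap
        set ldap-name "ldap_corp"
      next
      edit 2
        set type radius
        set radius-name "radius_vpn"
      next
    end
  next
  edit "group_local_operators"
    # digest never transmits the password, so the verifier must hold it:
    # keep this group to local accounts only.
    set auth-type digest
    config members
      edit 1
        set type local
        set local-name "alice"
      next
      edit 2
        set type local
        set local-name "svc_api"
      next
    end
  next
end
```

After entering the configuration, review the result with show user user-group and confirm that each group lists only the member types its auth-type can verify; a directory-backed member placed under a digest group would be silently ignored rather than reported as an error.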

Related topics