Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.2.3 CLI Reference
    7.2.3
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    user user-group

    user user-group

    Use this command to configure user groups.

    User groups are used by the HTTP authentication feature to authorize HTTP requests. A group can include a mixture of local user accounts, LDAP, RADIUS, and NTLM user queries.

    Before you can configure a user group, you must first configure any local user accounts or user queries that you want to include. For details, see user local-user, user ldap-user, server-policy custom-application application-policy, or user ntlm-user.

    To apply user groups, select them in within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see waf HTTP-authen HTTP-authen-rule.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

    Syntax

    config user user-group

    edit "<user-group_name>"

    set auth-type {basic | digest | NTLM}

    config members

    edit <entry_index>

    set type {ldap | local | ntlm | radius}

    set ldap-name "<query_name>"

    set local-name "<query_name>"

    set ntlm-name "<query_name>"

    set radius-name "<query_name>"

    next

    end

    next

    end

    Variable Description Default

    "<user-group_name>"

    Enter the name of the user group. The maximum length is 63 characters.

    To display the list of existing groups, enter:

    edit ?

    		No default.

    auth-type {basic | digest | NTLM}

    Select one of the following authentication types:

    • basic—This is the original and most compatible authentication scheme for HTTP. However, it is also the least secure as it sends the user name and password unencrypted to the server.
    • digest—Authentication encrypts the password and thus is more secure than the basic authentication.
    • NTLM—Authentication uses a proprietary protocol of Microsoft and is considered to be more secure than basic authentication.
    		basic

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    ldap-name "<query_name>"

    Select the name of a LDAP user query.

    Available if the value of type {ldap | local | ntlm | radius} is ldap.

    The maximum length is 63 characters.

    		 No default.

    local-name "<query_name>"

    Select the name of a local user account.

    Available if the value of type {ldap | local | ntlm | radius} is local.

    The maximum length is 63 characters.

    		 No default.

    ntlm-name "<query_name>"

    Select the name of a NTLM user query.

    Available if the value of type {ldap | local | ntlm | radius} is ntlm.

    The maximum length is 63 characters.

    		 No default.

    radius-name "<query_name>"

    Select the name of a RADIUS user query.

    Available if the value of type {ldap | local | ntlm | radius} is radius.

    The maximum length is 63 characters.

    		 No default.

    type {ldap | local | ntlm | radius}

    Select which type of user or user query that you want to add to the group.

    Note: You can mix all user types in the group. However, if the authentication rule’s auth-type {basic | digest | NTLM} does not support a given user type, all user accounts of that type will be ignored, effectively disabling them.

    		 local

    Example

    For an example, see waf HTTP-authen HTTP-authen-policy.

    Related topics

    Previous
    Next

    user user-group

    user user-group

    Use this command to configure user groups.

    User groups are used by the HTTP authentication feature to authorize HTTP requests. A group can include a mixture of local user accounts, LDAP, RADIUS, and NTLM user queries.

    Before you can configure a user group, you must first configure any local user accounts or user queries that you want to include. For details, see user local-user, user ldap-user, server-policy custom-application application-policy, or user ntlm-user.

    To apply user groups, select them in within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see waf HTTP-authen HTTP-authen-rule.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

    Syntax

    config user user-group

    edit "<user-group_name>"

    set auth-type {basic | digest | NTLM}

    config members

    edit <entry_index>

    set type {ldap | local | ntlm | radius}

    set ldap-name "<query_name>"

    set local-name "<query_name>"

    set ntlm-name "<query_name>"

    set radius-name "<query_name>"

    next

    end

    next

    end

    Variable Description Default

    "<user-group_name>"

    Enter the name of the user group. The maximum length is 63 characters.

    To display the list of existing groups, enter:

    edit ?

    		No default.

    auth-type {basic | digest | NTLM}

    Select one of the following authentication types:

    • basic—This is the original and most compatible authentication scheme for HTTP. However, it is also the least secure as it sends the user name and password unencrypted to the server.
    • digest—Authentication encrypts the password and thus is more secure than the basic authentication.
    • NTLM—Authentication uses a proprietary protocol of Microsoft and is considered to be more secure than basic authentication.
    		basic

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    ldap-name "<query_name>"

    Select the name of a LDAP user query.

    Available if the value of type {ldap | local | ntlm | radius} is ldap.

    The maximum length is 63 characters.

    		 No default.

    local-name "<query_name>"

    Select the name of a local user account.

    Available if the value of type {ldap | local | ntlm | radius} is local.

    The maximum length is 63 characters.

    		 No default.

    ntlm-name "<query_name>"

    Select the name of a NTLM user query.

    Available if the value of type {ldap | local | ntlm | radius} is ntlm.

    The maximum length is 63 characters.

    		 No default.

    radius-name "<query_name>"

    Select the name of a RADIUS user query.

    Available if the value of type {ldap | local | ntlm | radius} is radius.

    The maximum length is 63 characters.

    		 No default.

    type {ldap | local | ntlm | radius}

    Select which type of user or user query that you want to add to the group.

    Note: You can mix all user types in the group. However, if the authentication rule’s auth-type {basic | digest | NTLM} does not support a given user type, all user accounts of that type will be ignored, effectively disabling them.

    		 local

    Example

    For an example, see waf HTTP-authen HTTP-authen-policy.

    Related topics

    Previous
    Next