user admin-usergrp
Use this command to configure LDAP/RADIUS/PKI/TACACS+ remote authentication groups that can be used when configuring a FortiWeb administrator account.
Before you can add a remote authentication group, you must first define at least one query for LDAP, RADIUS, or TACACS+ accounts (see user ldap-user or server-policy custom-application application-policy), a PKI user (see user pki-user), or a TACACS+ user (see user tacacs+ user).
For information about certificate-based Web UI login, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.
Syntax
config user admin-usergrp
  edit "<group_name>"
    config members
      edit <entry_index>
        set type {ldap | radius | pki | tacacs+}
        set radius-name "<query_name>"
        set tacacs+-name "<tacacs+_name>"
      next
    end
  next
end
Variable | Description | Default |
"<group_name>" | Enter the name of the remote authentication group. The maximum length is 63 characters. | No default. |
<entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. |
type | Select the protocol used for the query, LDAP, RADIUS, PKI or TACACS+. | ldap |
ldap-name | Enter the name of an existing LDAP account query. The maximum length is 63 characters. To display the list of existing queries, enter: | No default. |
radius-name "<query_name>" | Enter the name of an existing RADIUS account query. The maximum length is 63 characters. To display the list of existing queries, enter: | No default. |
 | Enter the name of an existing PKI user. The maximum length is 63 characters. To display the list of existing queries, enter: | No default. |
tacacs+-name "<tacacs+_name>" | Enter the name of an existing TACACS+. The maximum length is 63 characters. To display the list of existing queries, enter: | No default. |
Example
This example creates a remote authentication group using an existing LDAP user query named LDAP Users 1. Because remote authentication groups use LDAP queries by default, the LDAP query type is not explicitly configured.
config user admin-usergrp
  edit "Admin LDAP"
    config members
      edit 0
        set ldap-name "LDAP Users 1"
      next
    end
  next
end
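An added example, not part of the FortiWeb documentation: a small Python lint for hand-written config user admin-usergrp blocks, using the limits stated above (63-character names, ldap as the default type). It assumes each member must carry the name key that matches its type; the function names and the sample group are constructed for illustration, and PKI members are only type-checked because this page does not show the PKI name key.

```python
import shlex

# Type -> name key as shown on this page. The PKI name key is not shown
# there, so PKI members are only checked for a valid type.
NAME_KEY = {"ldap": "ldap-name", "radius": "radius-name", "tacacs+": "tacacs+-name"}
TYPES = set(NAME_KEY) | {"pki"}
MAX_NAME = 63  # documented maximum length of a query name

def check_member(group, entry, member):
    mtype = member.get("type", "ldap")  # documented default
    if mtype not in TYPES:
        return [(group, entry, f"unknown type {mtype!r}")]
    out, want = [], NAME_KEY.get(mtype)
    if want and want not in member:
        out.append((group, entry, f"type is {mtype} but {want} is not set"))
    for key in NAME_KEY.values():
        if key in member and key != want:
            out.append((group, entry, f"{key} is set but type is {mtype}"))
        if len(member.get(key, "")) > MAX_NAME:
            out.append((group, entry, f"{key} exceeds {MAX_NAME} characters"))
    return out

def lint_admin_usergrp(text):
    """Return (group, entry, message) findings for a 'config user admin-usergrp' block."""
    findings, group, entry, member, in_members = [], None, None, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw) + [""] * 3  # pad so tok[0..2] always exist
        if tok[:2] == ["config", "members"]:
            in_members = True
        elif tok[0] == "edit" and in_members:
            entry, member = tok[1], {}
        elif tok[0] == "edit":
            group = tok[1]
        elif tok[0] == "set" and member is not None:
            member[tok[1]] = tok[2]
        elif tok[0] == "next" and member is not None:
            findings += check_member(group, entry, member)
            member = None
        elif tok[0] == "end" and in_members:
            in_members = False
    return findings

# Constructed sample: entry 2 names a RADIUS query but omits "set type radius".
SAMPLE = "\n".join([
    'config user admin-usergrp', 'edit "Admin Remote"', 'config members',
    'edit 1', 'set ldap-name "LDAP Users 1"', 'next',
    'edit 2', 'set radius-name "RADIUS Admins"', 'next',
    'end', 'next', 'end'])
if __name__ == "__main__":
    print(*lint_admin_usergrp(SAMPLE), sep="\n")
```

Run against the sample, the lint reports entry 2 twice: the member falls back to type ldap, so ldap-name is missing and radius-name is set under the wrong type.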