config user user-group
Use this command to configure user groups. A user group bundles the authentication sources (local users, LDAP servers, RADIUS servers) that hold valid user credentials; the authorization policy attached to a virtual server then grants access to the members of the group. The group itself only references the authentication server objects, it does not store credentials.
Suggested steps:
- Configure LDAP and RADIUS servers, if applicable.
- Configure local users.
- Configure user groups (reference servers and local users).
- Configure an authorization policy (reference the user group).
- Configure the virtual server (reference the authorization policy).
Before you begin:
- You must have created configuration objects for any LDAP and RADIUS server you want to use, and you must have created user accounts for local users.
- You must have read-write permission for system settings.
After you have created user groups, you can specify them in the load-balance auth-policy configuration.
Syntax
config user user-group
    edit <name>
        set auth-log {none|fail|success|all}
        set auth-timeout <integer>
        set user-cache {enable|disable}
        set user-cache-timeout <integer>
        set client-auth-method {http_auth|html_form_auth}
        set group-type {normal|SSO}
        config member
            edit <No.>
                set type {local|ldap|radius}
                set local-user {<name> <name> ...}
                set ldap-server <datasource>
                set radius-server <datasource>
            next
        end
    next
end
auth-log
    Logging of authentication events: none (log nothing), fail (log failed attempts only), success (log successful authentications only), or all (log both). Failed attempts are the ones you need for brute-force and credential-stuffing detection, so fail or all is the setting to review against.
auth-timeout
    Timeout for a query sent from FortiADC to a remote authentication server (LDAP or RADIUS).
user-cache
    Enable to cache the credentials of remote users (LDAP, RADIUS) once they are authorized, so that later requests are not checked against the remote server again. While an entry is cached FortiADC does not consult the remote server, so disabling or changing an account on the LDAP or RADIUS server takes effect on FortiADC only when the cached entry expires.
user-cache-timeout
    Timeout for cached user credentials. Keep it short enough that a remote account that is revoked loses access within an acceptable delay.
client-auth-method
    How FortiADC collects credentials from the client: http_auth (an HTTP authentication challenge answered by the browser) or html_form_auth (an HTML login form served to the client).
group-type
    Specify normal or SSO. An SSO group additionally takes the authentication-relay, logoff-path, sso-support, and sso-domain settings shown in the example below.
config member
    One member entry per authentication source. Each member has the following settings.
type
    Authentication server type: local, ldap, or radius.
local-user
    For type local: one or more local user names.
ldap-server
    For type ldap: the name of the LDAP server configuration object.
radius-server
    For type radius: the name of the RADIUS server configuration object.
Example
config user user-group
    edit "normal-group"
        config member
            edit 1
                set local-user local-user-1
            next
            edit 2
                set type ldap
                set ldap-server ldap-server
            next
            edit 3
                set type radius
                set radius-server radius-server
            next
        end
    next
    edit "SSO-Kerberos-Group"
        set group-type SSO
        set authentication-relay auth-relay-1
        set logoff-path logoff.html
        set sso-support enable
        set sso-domain kfor.com
        config member
            edit 1
                set local-user local-user-1
            next
            edit 2
                set type ldap
                set ldap-server ldap-server
            next
            edit 3
                set type radius
                set radius-server radius-server
            next
        end
    next
    edit "SSO-HTTPBasic-Group"
        set group-type SSO
        set authentication-relay auth-relay-2
        set logoff-path logoff
        set sso-support enable
        set sso-domain sss.com
        config member
        end
    next
end
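As an added review aid (example code written for this page, not part of FortiADC or its documentation), the following Python script parses user-group configuration in the config/edit/set/next/end syntax documented above and flags the settings a reviewer would question: auth-log set to none, a long user-cache-timeout on a group that caches remote credentials, a member whose type references no server, and a group with no members at all. The sample configuration, its group names, the 3600-second threshold, and the assumption that a member without set type is a local member are all constructed for this example and are not FortiADC defaults.

```python
"""Added example for this reference page, not FortiADC code: lint FortiADC-style
'config user user-group' blocks by parsing the config/edit/set/next/end nesting
documented above and flagging settings a reviewer would question."""
import shlex

# Constructed sample (not from a live device): one sound group, two weak ones.
SAMPLE_CONFIG = """\
config user user-group
    edit "strict-group"
        set auth-log all
        config member
            edit 1
                set type ldap
                set ldap-server corp-ldap
            next
        end
    next
    edit "lax-group"
        set auth-log none
        set user-cache enable
        set user-cache-timeout 86400
        config member
            edit 1
                set type ldap
            next
        end
    next
    edit "empty-group"
    next
end
"""
# Assumed review threshold (seconds), not a FortiADC default: a cached remote
# user stays authorized until the entry expires, even if disabled upstream.
MAX_CACHE_TIMEOUT = 3600
# Setting each member type must reference, per the syntax table above.
REQUIRED_BY_TYPE = {"local": "local-user", "ldap": "ldap-server", "radius": "radius-server"}


def parse_config(text):
    """Return {table: [entry, ...]}; an entry is {"name", "settings", "tables"}."""
    tokens = [t for t in (shlex.split(ln) for ln in text.splitlines()) if t]
    pos = 0

    def parse_table():  # 'edit' entries up to the matching 'end'
        nonlocal pos
        entries = []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok[0] == "end":
                return entries
            if tok[0] != "edit" or len(tok) != 2:
                raise ValueError(f"unexpected line in table: {' '.join(tok)}")
            entries.append(parse_entry(tok[1]))
        raise ValueError("table not closed with 'end'")

    def parse_entry(name):  # 'set' lines and nested 'config' up to 'next'
        nonlocal pos
        entry = {"name": name, "settings": {}, "tables": {}}
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok[0] == "next":
                return entry
            if tok[0] == "set" and len(tok) >= 3:
                entry["settings"][tok[1]] = tok[2:]  # key -> list of values
            elif tok[0] == "config" and len(tok) >= 2:
                entry["tables"][" ".join(tok[1:])] = parse_table()
            else:
                raise ValueError(f"unexpected line in edit {name}: {' '.join(tok)}")
        raise ValueError(f"edit {name} not closed with 'next'")

    tables = {}
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok[0] != "config" or len(tok) < 2:
            raise ValueError(f"expected 'config', got: {' '.join(tok)}")
        tables[" ".join(tok[1:])] = parse_table()
    return tables


def lint_user_groups(text):
    findings = []  # 'group: finding' strings, in configuration order
    for group in parse_config(text).get("user user-group", []):
        s, name = group["settings"], group["name"]
        if s.get("auth-log", [""])[0] == "none":
            findings.append(f"{name}: auth-log none, authentication events are not logged")
        if s.get("user-cache", [""])[0] == "enable":
            timeout = int(s.get("user-cache-timeout", ["0"])[0])  # unset: device default, not judged
            if timeout > MAX_CACHE_TIMEOUT:
                findings.append(f"{name}: user-cache-timeout {timeout} exceeds {MAX_CACHE_TIMEOUT}s, delaying revocation")
        members = group["tables"].get("member", [])
        if not members:
            findings.append(f"{name}: no members, the group can authorize nobody")
        for m in members:
            # No 'set type' is read as local, as in the reference example (assumed default).
            mtype = m["settings"].get("type", ["local"])[0]
            required = REQUIRED_BY_TYPE[mtype]  # the CLI limits type to these three values
            if required not in m["settings"]:
                findings.append(f"{name}: member {m['name']} is type {mtype} but sets no {required}")
    return findings
```

Run it against a saved `show user user-group` dump by passing the file contents to lint_user_groups; on the constructed sample it reports nothing for strict-group and four findings for the other two groups. The parser is generic over the nested config/edit syntax, so the same parse_config can feed checks for other tables on the device, but the lint rules here cover only the settings this page documents.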