config user user-group

Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.

Suggested steps:

  1. Configure LDAP and RADIUS servers, if applicable.
  2. Configure local users.
  3. Configure user groups (reference servers and local users).
  4. Configure an authorization policy (reference the user group).
  5. Configure the virtual server (reference the authorization policy).

Before you begin:

  • You must have created configuration objects for any LDAP and RADIUS server you want to use, and you must have created user accounts for local users.
  • You must have read-write permission for system settings.

After you have created user groups, you can specify them in the load-balance auth-policy configuration.

Syntax

config user user-group
    edit <name>
        set auth-log {none|fail|success|all}
        set auth-timeout <integer>
        set user-cache {enable|disable}
        set user-cache-timeout <integer>
        set client-auth-method {http_auth|html_form_auth}
        set group-type {normal|SSO}
        config member
            edit <No.>
                set type {local|ldap|radius}
                set local-user {<name> <name> ...}
                set ldap-server <datasource>
                set radius-server <datasource>
            next
        end
    next
end

auth-log

Specify one of the following logging options for authentication events:

  • No logging
  • Log failed attempts
  • Log successful attempts
  • Log all (both failed and successful attempts)

auth-timeout

Timeout for a query sent from FortiADC to a remote authentication server.

user-cache

Enable to cache the credentials for the remote users (LDAP, RADIUS) once they are authorized.

user-cache-timeout

Timeout for cached user credentials.

client-auth-method

Specify http_auth or html_form_auth.

group-type

Specify normal or SSO.

config member

type

Authentication server type.

local-user

To add local users, specify the local usernames.

ldap-server

To add LDAP users, specify the LDAP server configuration name.

radius-server

To add RADIUS users, specify the RADIUS server configuration name.

Example

config user user-group
    edit "normal-group"
        config member
            edit 1
                set local-user local-user-1
            next
            edit 2
                set type ldap
                set ldap-server ldap-server
            next
            edit 3
                set type radius
                set radius-server radius-server
            next
        end
    next
    edit "SSO-Kerbros-Group"
        set group-type SSO
        set authentication-relay auth-relay-1
        set logoff-path logoff.html
        set sso-support enable
        set sso-domain kfor.com
        config member
            edit 1
                set local-user local-user-1
            next
            edit 2
                set type ldap
                set ldap-server ldap-server
            next
            edit 3
                set type radius
                set radius-server radius-server
            next
        end
    next
    edit "SSO-HTTPBasic-Group"
        set group-type SSO
        set authentication-relay auth-relay-2
        set logoff-path logoff
        set sso-support enable
        set sso-domain sss.com
        config member
        end
    next
end
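
Added check, not Fortinet code: a small Python parser for the config/edit/set/next/end layout used above, run over a constructed sample modelled on the example. It flags groups whose auth-log will not record failed attempts, groups that cache remote credentials without an explicit user-cache-timeout, and groups whose member list is empty (as in the last group of the example), so an exported configuration can be reviewed before it is deployed.

```python
import shlex

SAMPLE_CONFIG = """
config user user-group
    edit "normal-group"
        set auth-log none
        set user-cache enable
        config member
            edit 1
                set local-user local-user-1
            next
        end
    next
    edit "SSO-HTTPBasic-Group"
        set group-type SSO
        set auth-log all
        config member
        end
    next
end
"""  # constructed sample (not from the page), modelled on the example above

def parse_config(text):
    """Parse the config/edit/set/next/end layout into nested dicts."""
    stack = [{"settings": {}, "children": {}}]  # stack[0] is the root node
    # shlex keeps quoted edit names whole; filter drops blank lines
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        if tokens[0] in ("config", "edit"):  # both open a child node
            name = " ".join(tokens[1:])
            child = stack[-1]["children"].setdefault(name, {"settings": {}, "children": {}})
            stack.append(child)
        elif tokens[0] == "set":
            stack[-1]["settings"][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):  # both close the current node
            stack.pop()
    return stack[0]

def audit_user_groups(text):
    """Return (group, finding) pairs for settings a reviewer should question."""
    findings = []
    groups = parse_config(text)["children"].get("user user-group", {"children": {}})["children"]
    for name, group in groups.items():
        s = group["settings"]
        if s.get("auth-log") not in (["fail"], ["all"]):
            findings.append((name, "auth-log is not fail or all: failed attempts may go unlogged"))
        if s.get("user-cache") == ["enable"] and "user-cache-timeout" not in s:
            findings.append((name, "user-cache enabled with no explicit user-cache-timeout"))
        if not group["children"].get("member", {"children": {}})["children"]:
            findings.append((name, "member list is empty: verify this is intended"))
    return findings
```

Run `audit_user_groups()` over the output of `show user user-group` (or a saved configuration file) to list the groups that need a second look.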