Fortinet black logo

CLI Reference

config user user-group

config user user-group

Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.

Suggested steps:

  1. Configure LDAP and RADIUS servers, if applicable.
  2. Configure local users.
  3. Configure user groups (reference servers and local users).
  4. Configure an authorization policy (reference the user group).
  5. Configure the virtual server (reference the authorization policy).

Before you begin:

  • You must have created configuration objects for any LDAP and RADIUS server you want to use, and you must have created user accounts for local users.
  • You must have read-write permission for system settings.

After you have created user groups, you can specify them in the load-balance auth-policy configuration.

Syntax

config user user-group

edit <name>

set auth-log {none|fail|success|all}

set auth-timeout <integer>

set user-cache {enable|disable}

set user-cache-timeout <integer>

set client-auth-method http_auth|html_form_auth

set auth_form_profile <default/profile_name>

set group-type normal|SSO

config member

edit <No.>

set type {local|ldap|radius}

set local-user {<name> <name> ...}

set ldap-server <datasource>

set radius-server <datasource>

next

end

config user cust_auth_form

edit <name>

set auth_form-file <file>

set username_field <username field name>

set password_field <password field name>

set virtual_path <virtual path>

next

end

next

end

auth-log

Specify one of the following logging options for authentication events:

  • No logging
  • Log failed attempts
  • Log successful attempts
  • Log all (both failed and successful attempts)

auth-timeout

Timeout for query sent from FortiADC to a remote authentication server.

user-cache

Enable to cache the credentials for the remote users (LDAP, RADIUS) once they are authorized.

user-cache-timeout

Timeout for cached user credentials.

client-auth-method

Specify http_auth or html_form_auth.

auth_form_profile

Set profile of authentication form. You can use the default or the profile name in cust_auth_form

group-type

Specify normal or SSO.

config member

type

Authentication server type.

local-user

To add local users, specify the local usernames.

ldap-server

To add LDAP users, specify the LDAP server configuration name.

radius-server

To add RADIUS users, specify the server configuration name.

config user cust_auth_form

auth_form-file

Profile name of authentication form

username_field

Username field name in customized form

password_field

The password field name in customized form

virtual_path

The virtual path to redirect

Example

config user user-group

edit "normal-group"

set client_auth_method html_form_auth

set auth_form_profile <default/profile_name>

config member

edit 1

set local-user local-user-1

next

edit 2

set type ldap

set ldap-server ldap-server

next

edit 3

set type radius

set radius-server radius-server

next

end

next

config user cust_auth_form

edit "test"

set auth_form-file local-user-1_tst.zip

set username_field user-1

set password_field pw-1

set virtual_path <virtual_path>

next

end

edit "SSO-Kerbros-Group"

set group-type SSO

set authentication-relay auth-relay-1

set logoff-path logoff.html

set sso-support enable

set sso-domain kfor.com

config member

edit 1

set local-user local-user-1

next

edit 2

set type ldap

set ldap-server ldap-server

next

edit 3

set type radius

set radius-server radius-server

next

end

next

edit "SSO-HTTPBasic-Group"

set group-type SSO

set authentication-relay auth-relay-2

set logoff-path logoff

set sso-support enable

set sso-domain sss.com

config member

end

next

end

config user user-group

Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.

Suggested steps:

  1. Configure LDAP and RADIUS servers, if applicable.
  2. Configure local users.
  3. Configure user groups (reference servers and local users).
  4. Configure an authorization policy (reference the user group).
  5. Configure the virtual server (reference the authorization policy).

Before you begin:

  • You must have created configuration objects for any LDAP and RADIUS server you want to use, and you must have created user accounts for local users.
  • You must have read-write permission for system settings.

After you have created user groups, you can specify them in the load-balance auth-policy configuration.

Syntax

config user user-group

edit <name>

set auth-log {none|fail|success|all}

set auth-timeout <integer>

set user-cache {enable|disable}

set user-cache-timeout <integer>

set client-auth-method http_auth|html_form_auth

set auth_form_profile <default/profile_name>

set group-type normal|SSO

config member

edit <No.>

set type {local|ldap|radius}

set local-user {<name> <name> ...}

set ldap-server <datasource>

set radius-server <datasource>

next

end

config user cust_auth_form

edit <name>

set auth_form-file <file>

set username_field <username field name>

set password_field <password field name>

set virtual_path <virtual path>

next

end

next

end

auth-log

Specify one of the following logging options for authentication events:

  • No logging
  • Log failed attempts
  • Log successful attempts
  • Log all (both failed and successful attempts)

auth-timeout

Timeout for query sent from FortiADC to a remote authentication server.

user-cache

Enable to cache the credentials for the remote users (LDAP, RADIUS) once they are authorized.

user-cache-timeout

Timeout for cached user credentials.

client-auth-method

Specify http_auth or html_form_auth.

auth_form_profile

Set profile of authentication form. You can use the default or the profile name in cust_auth_form

group-type

Specify normal or SSO.

config member

type

Authentication server type.

local-user

To add local users, specify the local usernames.

ldap-server

To add LDAP users, specify the LDAP server configuration name.

radius-server

To add RADIUS users, specify the server configuration name.

config user cust_auth_form

auth_form-file

Profile name of authentication form

username_field

Username field name in customized form

password_field

The password field name in customized form

virtual_path

The virtual path to redirect

Example

config user user-group

edit "normal-group"

set client_auth_method html_form_auth

set auth_form_profile <default/profile_name>

config member

edit 1

set local-user local-user-1

next

edit 2

set type ldap

set ldap-server ldap-server

next

edit 3

set type radius

set radius-server radius-server

next

end

next

config user cust_auth_form

edit "test"

set auth_form-file local-user-1_tst.zip

set username_field user-1

set password_field pw-1

set virtual_path <virtual_path>

next

end

edit "SSO-Kerbros-Group"

set group-type SSO

set authentication-relay auth-relay-1

set logoff-path logoff.html

set sso-support enable

set sso-domain kfor.com

config member

edit 1

set local-user local-user-1

next

edit 2

set type ldap

set ldap-server ldap-server

next

edit 3

set type radius

set radius-server radius-server

next

end

next

edit "SSO-HTTPBasic-Group"

set group-type SSO

set authentication-relay auth-relay-2

set logoff-path logoff

set sso-support enable

set sso-domain sss.com

config member

end

next

end