Handbook

Configuring user groups

User groups are authorized by the virtual server authentication policy. The user group configuration references the authentication servers that contain valid user credentials.

Suggested steps:
  1. Configure LDAP, RADIUS, NTLM, and TACACS+ servers, if applicable.
  2. Configure local users.
  3. Configure user groups (reference servers and local users).
  4. Configure an authentication policy (reference the user group).
  5. Configure the virtual server (reference the authentication policy).
Before you begin:
  • You must have created configuration objects for any LDAP, RADIUS, NTLM, and/or TACACS+ servers you want to use, and you must have created user accounts for local users.
  • You must have read-write permission for System and User settings.

After you have created user groups, you can specify them in the server load balancing authentication policy configuration.

To configure a user group:
  1. Go to User Authentication > User Group.
  2. Click Create New to display the configuration editor.
  3. Configure the following User Group settings:
    Settings            Guidelines

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    User Cache

    Enable to cache the credentials for the remote users (LDAP, RADIUS, TACACS+) once they are authorized.

    User Cache Timeout

    The User Cache Timeout option is available if User Cache is enabled.

    Timeout for cached user credentials. The default is 300 seconds. The valid range is 1-86,400 seconds.

    Authentication Timeout

    Timeout for a query sent from FortiADC to a remote authentication server. The default is 2,000 milliseconds. The valid range is 1-60,000 milliseconds.

    Authentication Log

    Specify one of the following logging options for authentication events:

    • None — No logging.
    • Fail — Log failed attempts.
    • Success — Log successful attempts.
    • All — Log all (both failed and successful attempts).

    Client Authentication Method

    • HTML Form
    • HTTP
    • NTLM (only if you want to use an NTLM server as an authentication server)

    Use Default Form

    The Use Default Form option is available if Client Authentication Method is HTML Form.

    Enabled by default to use the default authentication form. Disable to use a customized authentication form.

    Customized Authentication Form

    The Customized Authentication Form option is available if Client Authentication Method is HTML Form and Use Default Form is disabled.

    Select a Customized Authentication Form object or create new.

    Group Type

    • Normal — Default. No action is needed.
    • SSO — Select to enable Single Sign-On (SSO).

    Authentication Relay

    The Authentication Relay option is available if Group Type is SSO.

    Select an authentication relay profile.

    Authentication Session Timeout

    Specify the authentication session timeout. Valid values range from 1 to 180 minutes. The default is 3 (minutes).

    SSO Cross Domain Support

    The SSO Cross Domain Support option is available if Group Type is SSO.

    Disabled by default. When enabled, you must specify the SSO domain.

    Note:
    Authentication policies cannot be applied to multiple virtual servers. For security reasons, such as protection against XSS attacks, there is no shared mechanism between virtual servers to decrypt cookies. As a result, you cannot log into a second virtual server while already logged into the first virtual server, because the virtual servers are independent from each other.
    SSO Cross Domain Support allows you to have multiple domain names on the same virtual server (the virtual host): you specify a first-level domain name so that the second-level domain names on that virtual server can all decrypt the same cookies.

    SSO Domain

    The SSO Domain option is available if Group Type is SSO and SSO Cross Domain Support is enabled.

    Specify the SSO domain.

    Log Off URL

    The Log Off URL option is available if Group Type is SSO.

    Specify the log-off URL.

  4. Click Save.
    Once the User Group configuration is saved, the Member section becomes available for configuration.
  5. Under the Member section, click Create New to display the configuration editor.
  6. Configure the following Member settings and save the configuration:
    1. Select the Type: Local, LDAP, RADIUS, NTLM, or TACACS+.
    2. Select the corresponding configuration based on the selected Type.
  7. Click Save again to save the Member added to the User Group configuration.
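The User Cache, User Cache Timeout, Authentication Timeout and Authentication Log settings above interact at authentication time: a cache hit skips the remote server, a cache entry expires after the timeout, a server that does not answer within the authentication timeout counts as a failure, and the log option decides which outcomes are recorded. The following Python model is an added example written for this page; it is not FortiADC code and the `UserGroup` class, the `remote` callback signature and the sample credentials are assumptions. Defaults and valid ranges are the ones stated in the table.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Ranges, defaults and option names are taken from the handbook table above.
USER_CACHE_TIMEOUT_RANGE = (1, 86_400)   # seconds
AUTH_TIMEOUT_RANGE = (1, 60_000)         # milliseconds
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Authentication Log option -> which outcomes are written to the log.
LOG_POLICY = {
    "None": frozenset(),
    "Fail": frozenset({"fail"}),
    "Success": frozenset({"success"}),
    "All": frozenset({"fail", "success"}),
}

# Hypothetical remote lookup (LDAP/RADIUS/TACACS+): returns True/False, or raises
# TimeoutError when the server does not answer within the millisecond budget.
RemoteAuth = Callable[[str, str, int], bool]


@dataclass
class UserGroup:
    """Hypothetical model of the user-group settings described on this page."""
    name: str
    user_cache: bool = False
    user_cache_timeout: int = 300          # seconds (page default)
    auth_timeout_ms: int = 2000            # milliseconds (page default)
    auth_log: str = "None"
    clock: Callable[[], float] = time.monotonic
    _key: bytes = field(default_factory=lambda: os.urandom(32))
    _cache: Dict[str, Tuple[bytes, float]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not NAME_RE.match(self.name):
            raise ValueError("name: only A-Z, a-z, 0-9, _ and - are allowed, no spaces")
        lo, hi = USER_CACHE_TIMEOUT_RANGE
        if not lo <= self.user_cache_timeout <= hi:
            raise ValueError(f"user_cache_timeout must be {lo}-{hi} seconds")
        lo, hi = AUTH_TIMEOUT_RANGE
        if not lo <= self.auth_timeout_ms <= hi:
            raise ValueError(f"auth_timeout_ms must be {lo}-{hi} milliseconds")
        if self.auth_log not in LOG_POLICY:
            raise ValueError("auth_log must be one of " + ", ".join(LOG_POLICY))

    def _tag(self, user: str, password: str) -> bytes:
        # Only a keyed digest of the credential is cached, never the password itself.
        return hmac.new(self._key, f"{user}\0{password}".encode(), hashlib.sha256).digest()

    def _record(self, outcome: str, user: str, source: str) -> None:
        if outcome in LOG_POLICY[self.auth_log]:
            self.log.append(f"auth {outcome} user={user} via={source}")

    def authenticate(self, user: str, password: str, remote: RemoteAuth) -> bool:
        now = self.clock()
        tag = self._tag(user, password)
        entry = self._cache.get(user)
        if self.user_cache and entry is not None:
            cached_tag, expires = entry
            if now >= expires:
                del self._cache[user]              # expired: forget it, ask the server again
            elif hmac.compare_digest(cached_tag, tag):
                self._record("success", user, "cache")
                return True
        try:
            ok = remote(user, password, self.auth_timeout_ms)
        except TimeoutError:
            ok = False                             # no answer in time counts as a failure
        if ok and self.user_cache:
            self._cache[user] = (tag, now + self.user_cache_timeout)
        self._record("success" if ok else "fail", user, "server")
        return ok


def demo() -> dict:
    """Constructed scenario: one user, cache enabled, default 300 s timeout, log=All."""
    calls: List[str] = []
    directory = {"alice": "correct horse"}        # constructed sample credential store

    def fake_radius(user: str, password: str, timeout_ms: int) -> bool:
        calls.append(user)
        return directory.get(user) == password

    t = [1000.0]                                   # controllable clock
    group = UserGroup("sso-users", user_cache=True, auth_log="All", clock=lambda: t[0])
    first = group.authenticate("alice", "correct horse", fake_radius)    # server
    second = group.authenticate("alice", "correct horse", fake_radius)   # cache hit
    wrong = group.authenticate("alice", "nope", fake_radius)             # server, fails
    t[0] += 301                                                          # past the timeout
    expired = group.authenticate("alice", "correct horse", fake_radius)  # server again
    return {"results": (first, second, wrong, expired),
            "server_calls": len(calls), "log": list(group.log)}


if __name__ == "__main__":
    print(demo())
```

Note that a wrong password is never satisfied from the cache: the keyed digest does not match, so the request goes to the server and is logged as a failure, which is the behaviour you want the Fail or All log setting to surface.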

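The note under SSO Cross Domain Support describes two separate boundaries: each virtual server seals its SSO cookie with its own material, so nothing issued by one virtual server is accepted by another, and within one virtual server the cookie is bound to the exact host it was issued on unless a first-level SSO Domain is configured, in which case every second-level host on that virtual server accepts it. The Python below is an added illustration of those rules, not Fortinet's implementation; it uses an HMAC-authenticated token in place of the product's encrypted cookie, and the `VirtualServer` class, its method names and the `example.com` hosts are assumptions. The Authentication Session Timeout default (3 minutes) and range (1-180) come from the table.

```python
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

SESSION_TIMEOUT_RANGE = (1, 180)   # minutes, from the handbook table


def host_in_scope(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it (cookie Domain semantics)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class VirtualServer:
    """Hypothetical model of one virtual server carrying an SSO user group."""
    name: str
    hosts: FrozenSet[str]                 # domain names (virtual hosts) served here
    sso_cross_domain: bool = False        # SSO Cross Domain Support
    sso_domain: str = ""                  # SSO Domain (the first-level domain)
    session_timeout_min: int = 3          # Authentication Session Timeout (page default)
    # Each virtual server seals cookies with its own key; nothing is shared between servers.
    key: bytes = field(default_factory=lambda: os.urandom(32))

    def __post_init__(self) -> None:
        lo, hi = SESSION_TIMEOUT_RANGE
        if not lo <= self.session_timeout_min <= hi:
            raise ValueError(f"session timeout must be {lo}-{hi} minutes")
        if self.sso_cross_domain and not self.sso_domain:
            raise ValueError("SSO Domain is required when SSO Cross Domain Support is enabled")

    def _scope(self, host: str) -> str:
        # Without cross-domain support the cookie is bound to the host it was issued on;
        # with it, the cookie is bound to the configured first-level domain instead.
        if not self.sso_cross_domain:
            return host
        if not host_in_scope(host, self.sso_domain):
            raise ValueError(f"{host} is not under SSO domain {self.sso_domain}")
        return self.sso_domain

    def issue(self, user: str, host: str, now: float) -> str:
        if host not in self.hosts:
            raise ValueError(f"{host} is not served by {self.name}")
        payload = {"user": user, "domain": self._scope(host),
                   "exp": now + 60 * self.session_timeout_min}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(mac)

    def accept(self, cookie: str, host: str, now: float) -> Optional[str]:
        """Return the user name if the cookie is valid for host on this server, else None."""
        if host not in self.hosts:
            return None
        try:
            body_b64, mac_b64 = cookie.split(".")
            body, mac = _unb64(body_b64), _unb64(mac_b64)
        except ValueError:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None                      # sealed under another virtual server's key
        payload = json.loads(body)
        if now >= payload["exp"]:
            return None                      # authentication session timeout elapsed
        if not host_in_scope(host, payload["domain"]):
            return None                      # cookie scoped to a different host or domain
        return payload["user"]


def demo() -> dict:
    """Constructed scenario: two virtual hosts on one virtual server, plus a second server."""
    now = 1_700_000_000.0
    hosts = frozenset({"app.example.com", "api.example.com"})
    plain = VirtualServer("vs-plain", hosts)
    cross = VirtualServer("vs-cross", hosts, sso_cross_domain=True, sso_domain="example.com")
    other = VirtualServer("vs-other", hosts)           # independent key material
    c_plain = plain.issue("alice", "app.example.com", now)
    c_cross = cross.issue("alice", "app.example.com", now)
    return {
        "same_host": plain.accept(c_plain, "app.example.com", now),
        "second_host_without_cross_domain": plain.accept(c_plain, "api.example.com", now),
        "second_host_with_cross_domain": cross.accept(c_cross, "api.example.com", now),
        "other_virtual_server": other.accept(c_plain, "app.example.com", now),
        "after_session_timeout": cross.accept(c_cross, "app.example.com", now + 3 * 60),
    }


if __name__ == "__main__":
    print(demo())
```

The `other_virtual_server` case is the one the note is warning about: a user logged into one virtual server presents a cookie the second virtual server cannot verify, so SSO Cross Domain Support only helps between hosts on the same virtual server, never between virtual servers.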