Fortinet black logo

config user

config user

The config user commands provide configuration of user accounts and user groups for firewall policy authentication, administrator authentication, and some types of VPN authentication:

config user group

Use this command to add or edit user groups.

Syntax

config user group

edit <group_name>

set group-type <grp_type>

set authtimeout <timeout>

set http-digest-realm <attribute>

set member <names>

config match

edit <match_id>

set group-name <gname_str>

set server-name <srvname_str>

end

end

Variable

Description

Default

<group_name>

Enter a new name to create a new group or enter an existing group name to edit that group.

No default

group-type <grp_type>

Enter the group type. <grp_type> determines the type of users and is one of the following:
  • firewall - FortiSwitch users defined in user local, user ldap or user radius
  • fsso-service - Directory Service users

firewall

authtimeout <timeout>

Set the authentication timeout for the user group, range 1 to 480 minutes. If set to 0, the global authentication timeout value is used.

0

http-digest-realm <attribute>

Enter the realm attribute for MD5-digest authentication

No default

member <names>

Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group.

Separate the names with spaces.

To add or remove names from the group you must re-enter the whole list with the additions or deletions required.

No default

config match

<match_id>

Enter an ID for the entry.

No default

group-name <gname_str>

The name of the matching group on the remote authentication server. Specify the user group names on the authentication servers that are members of this FortiSwitch user group. If no matches are specified, all users on the server can authenticate.

No default

server-name <srvname_str>

The name of the remote authentication server.

No default

Example

This example shows how to create a user group:

config user group

edit "Radius_group"

set member "FortiAuthenticator"

end

end

config user ldap

Use this command to add or edit the definition of an LDAP server for user authentication.

To authenticate with the FortiSwitch unit, the user enters a user name and password. The system sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiSwitch unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiSwitch unit.

Syntax

config user ldap

edit <server_name>

set cnid <id>

set dn <dname>

set group-member-check {user-attr | group-object}

set member-attr <attr_name>

set port <number>

set server <domain>

set type <auth_type>

set username <ldap_username>

set password <ldap_passwd>

set password-expiry-warning {disable | enable}

set password-renewal {disable | enable}

set secure <auth_port>

end

Variable

Description

Default

<server_name>

Enter a name to identify the LDAP server.

Enter a new name to create a new server definition or enter an existing server name to edit that server definition.

No default

cnid <id>

Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid. Maximum 20 characters.

cn

dn <dname>

Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the Common Name Identifier. The FortiSwitch passes this distinguished name unchanged to the server.

You must provide a dn value if type is simple.

Maximum 512 characters.

No default

group-member-check {user-attr | group-object}

Select the group membership checking method:

user attribute or group object.

user-attr

member-attr <attr_name>

An attribute of the group that is used to authenticate users.

No default

port <number>

Enter the port number for communication with the LDAP server.

389

server <domain>

Enter the LDAP server domain name or IP address.

No default

type <auth_type>

Enter the authentication type for LDAP searches. One of: anonymous, regular or simple

See the notes following the table for additional information.

simple

username <ldap_username>

This field is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.

No default

password <ldap_passwd>

This field is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.

No default

password-expiry-warning {disable | enable}

Enable or disable password expiry warnings.

disable

password-renewal {disable | enable}

Enable or disable online password renewal.

disable

secure <auth_port>{disable | starttls | ldaps}

Select the port to be used in authentication:
  • disable — port 389
  • ldaps — port 636
  • starttls — port 389

disable

Notes on Authentication Type

The following are the authentication types for LDAP searches:

  • anonymous—bind using anonymous user search
  • regular—bind using user name and password and then search
  • simple—simple password authentication without search

You can use simple authentication if the user records are all under one dn that you know. If the users are under more than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user name.

If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.

config user local

Use this command to add local user names and configure user authentication for the system. To add authentication by LDAP or RADIUS server you must first add servers using the config user ldap and config user radius commands.

Syntax

config user local

edit <user_name>

set ldap-server <server_name>

set passwd <password_str>

set radius-server <server_name>

set tacacs+-server <server_name>

set status {enable | disable}

set type <auth-type>

end

Variable

Description

Default

<user_name>

Enter the user name. Enter a new name to create a new user account or enter an existing user name to edit that account.

No default

ldap-server <server_name>

Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. This option is available when type is set to ldap.

No default

passwd <password_str>

Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords. This option is available when type is set to password.

No default

radius-server <server_name>

Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. This option is available when type is set to radius.

No default

tacacs+-server <server_name>

Enter the name of the TACACS+ server with which the user must authenticate. This option is available when type is set to tacacs+.

No default

status {enable | disable}

Enter enable to allow the local user to authenticate with the FortiSwitch unit.

enable

type <auth-type>

Enter one of the following to specify how this user’s password is verified:
  • ldap: The LDAP server specified in ldap‑server verifies the password.
  • password: The system verifies the password against the value of the password.
  • radius: The RADIUS server specified in radius‑server verifies the password.
  • tacacs+: The TACACS+ server specified in tacacs+‑server verifies the password.

No default

config user peer

Use this command to configure a peer user.

Syntax

config user peer

edit <peer_name>

set ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set cn <string>

set cn-type {FQDN | email | ipv4 | ipv6 | string}

set ldap-mode {password | principal-name}

set ldap-password <password>

set ldap-server <string>

set ldap-username <string>

set mandatory-ca-verify {enable | disable}

set passwd <password>

set subject <string>

set two-factor {enable |disable}

next

end

Variable

Description

Default

<peer_name>

Enter the name of the peer user.

No default

ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Select a certificate authority (CA) for the peer certificate.

No default

cn <string>

Enter the common name for the peer certificate.

No default

cn-type {FQDN | email | ipv4 | ipv6 | string}

Enter the type of common name for the peer certificate: fully qualified domain name, email address, IPv4 address, IPv6 address, or a text description.

string

ldap-mode {password | principal-name}

Select whether the peer LDAP requires a password or an email address. The password is specified with the set ldap-password command.

password

ldap-password <password>

Enter the password for the peer LDAP.

This option is available only when the ldap-mode is set to password.

No default

ldap-server <string>

Enter the name of the LDAP server used for checking access permission.

No default

ldap-username <string>

Enter the user name for the LDAP server.

No default

mandatory-ca-verify {enable | disable}

Enable or disable whether there is mandatory CA verification.

disable

passwd <password>

Enter the user password for two-factor authentication.

This option is available only when two-factor is enabled.

No default

subject <string>

Enter any limitations on the peer certificate name.

No default

two-factor {enable |disable}

Enable or disable two-factor authentication. When this option is enabled, the certificate and password are required. Specify the password in the set passwd command.

disable

config user peergrp

Use this command to configure a peer user group.

Syntax

config user peergrp

edit <peer_group_name>

set member <list_of_peer_names>

next

end

Variable

Description

Default

<peer_group_name>

Enter a name for the new peer group.

No default

<list_of_peer_names>

Enter one of more peer users. Separate the names with a space. The peer users must already be configured with the config user peer command before they are added to a peer user group.

No default

config user radius

Use this command to add or edit the information used for RADIUS authentication.

The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change the default RADIUS port. You may set a different port for each of your RADIUS servers. The maximum number of remote RADIUS servers that can be configured for authentication is 10.

The RADIUS server is provided with more information to make authentication decisions, based on values in server, nas-ip, and the config user group subcommand config match. Attributes include:

  • NAS-IP-Address — RADIUS setting or IPv4 address of FortiSwitch interface used to talk to RADIUS server, if not configured
  • NAS-IPv6-Address — RADIUS setting or IPv6 address of FortiSwitch interface used to talk to RADIUS server, if not configured
  • NAS-Port — physical interface number of the traffic that triggered the authentication
  • Called-Station-ID — same value as NAS-IP Address but in text format
  • Fortinet-Vdom-Name — name of VDOM of the traffic that triggered the authentication
  • NAS-Identifier — configured hostname in non-HA mode; HA cluster group name in HA mode
  • Acct-Session-ID — unique ID identifying the authentication session
  • Connect-Info — identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-pptp, vpn-l2tp, vpn-ssl, admin-login, test)

You can select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and MS-CHAP-v2.

Syntax

config user radius

edit <RADIUS_user_name>

set acct-fast-framedip-detect <integer>

set acct-interim-interval <integer>

set addr-mode {ipv4 | ipv6)

set all-usergroup {enable | disable}

set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

set frame-mtu-size <integer>

set link-monitor {enable | disable}

set link-monitor-interval <5-120>

set nas-ip <use_ip>

set nas-ip6 <ipv6_addr>

set radius-coa {enable | disable}

set radius-port <radius_port_num>

set secret <server_password>

set server <domain_ipv4_ipv6>

set service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound}

set source-ip <ipv4_addr>

set source-ip6 <ipv6_addr>

config acct-server

edit <accounting_server_ID>

set status {enable | disable}

set server <accounting_server>

set secret <accounting_server_secret>

set port <accounting_server_port>

next

end

end

Variable

Description

Default

<server_name>

Enter a name of the RADIUS user group. Enter a new name to create a new group definition or enter an existing group name to edit that group definition.

No default

acct-fast-framedip-detect <integer>

Enter the number of seconds allowed for the first-time detection of the Framed-IP-Address attribute from DHCP snooping. The range is 2-600 seconds.

2

acct-interim-interval <integer>

Enter the number of seconds between each interim accounting message sent to the RADIUS server. The value range is 60-86400.

600

addr-mode {ipv4 | ipv6)

Select whether to connect to the RADIUS server with IPv4 or IPv6. NOTE: If you select ipv4, you must use an IPv4 address for the set server command. If you select ipv6, you must use an IPv6 address for the set server command.

ipv4

all-usergroup {enable | disable}

Enable to automatically include this RADIUS server in all user groups.

disable

auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

Select the authentication method for this RADIUS server. auto uses pap, ms_chap_v2, and chap.

auto

frame-mtu-size <integer>

Enter the maximum frame size in octets used to advertise to the authentication server. The range is 600-1500.

1500

link-monitor {enable | disable}

Enable or disable whether this server sends periodic ping messages to the RADIUS server to test if it is available.

disable

link-monitor-interval <5-120>

Enter how often (in seconds) the server checks if the RADIUS server is available.

15

nas-ip <use_ip>

IPv4 address used as NAS-IP-Address and Called‑Station-ID attribute in RADIUS access requests. RADIUS setting or IPv4 address of FortiGate interface used to talk with RADIUS server, if not configured.

This option is available when the addr-mode is set to ipv4.

No default

nas-ip6 <ipv6_addr>

IPv6 address used as NAS-IPv6-Address and Called‑Station-ID attribute in RADIUS access requests. RADIUS setting or IPv6 address of FortiGate interface used to talk with RADIUS server, if not configured.

This option is available when the addr-mode is set to ipv6.

No default

radius-coa {enable | disable}

Enable or disable whether this server will use RADIUS change of authorization (CoA).

disable

radius-port <radius_port_num>

Change the default RADIUS port for this server. Range is 0-65535

1812

secret <server_password>

Enter the RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length.

No default

server <domain_ipv4_ipv6>

Enter the RADIUS server domain name, IPv4 address, or IPv6 address. NOTE: If you selected ipv4 for addr-mode, you must use an IPv4 address for the set server command. If you selected ipv6 for addr-mode, you must use an IPv6 address for the set server command.

No default

source-ip <ipv4_addr>

Enter the source IPv4 address for communicating to the RADIUS server.

This option is available when the addr-mode is set to ipv4.

0.0.0.0

source-ip6 <ipv6_addr>

Enter the source IPv6 address for communicating to the RADIUS server.

This option is available when the addr-mode is set to ipv6.

No default

config acct-server

<accounting_server_ID>

Enter the identifier for the accounting server. The value range is 0-4294967295.

No default

status {enable | disable}

Enable or disable RADIUS accounting.

disable

secret <accounting_server_secret>

Enter the shared secret key for the RADIUS accounting server.

*

server <accounting_server>

Enter the RADIUS server domain name, IPv4 address, or IPv6 address of the RADIUS server that will be receiving the accounting messages.

No default

service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound}

Select the Service-Type value. Separate multiple values with a space.

none

port <accounting_server_port>

Enter the port number for the RADIUS accounting server to receive accounting messages from the FortiSwitch unit.

1813

Notes on context timeout

The number of seconds that a user context entry can remain in the user context list without the system receiving a communication session from the carrier end point. If a user context entry is not being looked up, then the user must no longer be connected to the network.

This timeout is only required if the system doesn’t receive the RADIUS Stop record. However, even if the accounting system does send RADIUS Stop records this timeout should be set in case the FortiSwitch misses a Stop record.

The default user context entry timeout is 28800 seconds (8 hours). You can keep this timeout relatively high because its not usually a problem to have a long list, but entries that are no longer used should be removed regularly.

You might want to reduce this timeout if the accounting server does not send RADIUS Stop records. Also if customer IP addresses change often you might want to set this timeout lower so that out of date entries are removed from the list.

If this timeout is too low the FortiSwitch could remove user context entries for users who are still connected.

Dynamic Flag values

  • none — Disable writing event log messages for dynamic profile events.
  • accounting-event — Enable to write an event log message when the system does not find the expected information in a RADIUS Record. For example, if a RADIUS record contains more than the expected number of addresses.
  • accounting-stop-missed — Enable to write an event log message whenever a user context entry timeout expires indicating that the system removed an entry from the user context list without receiving a RADIUS Stop message.
  • context-missing — Enable to write an event log message whenever a user context creation timeout expires indicating that the system was not able to match a communication session because a matching entry was not found in the user context list.
  • profile-missing — Enable to write an event log message whenever the system cannot find a profile group name in a RADIUS start message that matches the name of a profile group added to the system.
  • protocol-error — Enable to write an event log message if RADIUS protocol errors occur. For example, if a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
  • radiusd-other — Enable to write event log messages for other events. The event is described in the log message. For example, write a log message if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.

Example

This example shows how to connect to a RADIUS server using IPv4:

config user radius

edit "local-RADIUS"

set addr-mode ipv4

set server 10.0.23.5

set secret djfhde;rkjfkrekdfjeke

set auth-type ms_chap_v2

set acct-interim-interval 1200

config acct-server

edit 1

set status enable

set server 10.0.23.5

set secret djfhde;rkjfkrekdfjeke

set port 1813

next

end

next

end

This example shows how to connect to a RADIUS server using IPv6:

config user radius

edit "radius"

set acct-interim-interval 60

config acct-server

edit 1

set status enable

set server "ipv6local"

set secret djfhde;rkjfkrekdfjeke

next

end

set radius-coa enable

set secret djfhde;rkjfkrekdfjeke

set server "ipv6local"

set service-type login callback-nas-prompt

set addr-mode ipv6

set nas-ip6 4001:1:2::1

set source-ip6 4001:1:2::1

next

end

config user setting

Use this command to change user authorization settings.

Syntax

config user setting

set auth-blackout-time <blackout_time_int>

set auth-cert <cert_name>

set auth-http-basic {disable | enable}

set auth-invalid-max <int>

set auth-multi-group {enable | disable}

set auth-secure-http {enable | disable}

set auth-type {ftp | http | https | telnet}

set auth-timeout <auth_timeout_minutes>

set auth-timeout-type {idle‑timeout | hard‑timeout | new‑session}

config auth-ports

edit <auth-table-entry-id>

set port <port_int>

set type {ftp | http | https | telnet}

end

end

Variable

Description

Default

auth-blackout-time <blackout_time_int>

When a firewall authentication attempt fails 5 times within one minute the IP address that is the source of the authentication attempts is denied access for the <blackout_time_int> period in seconds. The range is 0 to 3600 seconds.

0

auth-cert <cert_name>

HTTPS server certificate for policy authentication. Fortinet_Factory, Fortinet_Firmware (if applicable to your FortiSwitch), and self-sign are built-in certificates but others will be listed as you add them.

self-sign

auth-http-basic {disable | enable}

Enable or disable support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of displaying an authentication web page. Some basic web browsers, for example, web browsers on mobile devices, may only support HTTP basic authentication.

disable

auth-invalid-max <int>

Enter the maximum number of failed authentication attempts to allow before the client is blocked. Range: 1-100.

5

auth-multi-group {enable | disable}

This option can be disabled if the Active Directory structure is setup such that users belong to only 1 group for purpose of firewall authentication.

enable

auth-secure-http {enable | disable}

Enable to have http user authentication redirected to secure channel - https.

disable

auth-type {ftp | http | https | telnet}

Set the user authentication protocol support for firewall policy authentication. User controls which protocols should support the authentication challenge.

No Default

auth-timeout <auth_timeout_minutes>

Set the number of minutes before the firewall user authentication timeout requires the user to authenticate again. The maximum authtimeout interval is 480 minutes (8 hours). To improve security, keep the authentication timeout at the default value of 5 minutes.

5

auth-timeout-type {idle‑timeout | hard‑timeout | new‑session}

Set the type of authentication timeout. idle‑timeout — applies only to idle session hard‑timeout — applies to all sessions new‑session — applies only to new sessions

idle‑timeout

config auth-ports

<auth-table-entry-id>

Create an entry in the authentication port table if you are using non-standard ports.

No Default

port <port_int>

Specify the authentication port. Range 1 to 65535.

1024

type {ftp | http | https | telnet}

Specify the protocol to which port applies.

http

config user tacacs+

Use this command to add or edit the information used for TACACS+ authentication.

Syntax

config user tacacs+

edit <user name>

set authen-type {ascii | auto | chap | mschap | pap}

set authorization {enable | disable}

set key <passwd>

set port <port number>

set server <domain>

set source-ip <ipv4_addr>

end

Variable

Description

Default

<user name>

Enter the name of the user.

No default

authen-type{ascii | auto | chap | mschap | pap}

Set the authentication type. Auto will use PAP, MSCHAP, and CHAP (in that order).

auto

authorization {disable | enable}

Enable TACACS+ authorization (service=fortigate)

disable

key <passwd>

Password value for the server.

*

port <port_int>

Specify the authentication port. Range 1 to 65535.

49

server <domain>

Specify the domain name of the server

No default

source-ip <ipv4_addr>

Set the source IP address.

0.0.0.0

Example

This example shows how to configure a TACACS user account for login authentication:

config user tacacs+

edit tacserver

set authen-type ascii

set authorization enable

set key temporary

set server tacacs_server

end

config user

The config user commands provide configuration of user accounts and user groups for firewall policy authentication, administrator authentication, and some types of VPN authentication:

config user group

Use this command to add or edit user groups.

Syntax

config user group

edit <group_name>

set group-type <grp_type>

set authtimeout <timeout>

set http-digest-realm <attribute>

set member <names>

config match

edit <match_id>

set group-name <gname_str>

set server-name <srvname_str>

end

end

Variable

Description

Default

<group_name>

Enter a new name to create a new group or enter an existing group name to edit that group.

No default

group-type <grp_type>

Enter the group type. <grp_type> determines the type of users and is one of the following:
  • firewall - FortiSwitch users defined in user local, user ldap or user radius
  • fsso-service - Directory Service users

firewall

authtimeout <timeout>

Set the authentication timeout for the user group, range 1 to 480 minutes. If set to 0, the global authentication timeout value is used.

0

http-digest-realm <attribute>

Enter the realm attribute for MD5-digest authentication

No default

member <names>

Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group.

Separate the names with spaces.

To add or remove names from the group you must re-enter the whole list with the additions or deletions required.

No default

config match

<match_id>

Enter an ID for the entry.

No default

group-name <gname_str>

The name of the matching group on the remote authentication server. Specify the user group names on the authentication servers that are members of this FortiSwitch user group. If no matches are specified, all users on the server can authenticate.

No default

server-name <srvname_str>

The name of the remote authentication server.

No default

Example

This example shows how to create a user group:

config user group

edit "Radius_group"

set member "FortiAuthenticator"

end

end

config user ldap

Use this command to add or edit the definition of an LDAP server for user authentication.

To authenticate with the FortiSwitch unit, the user enters a user name and password. The system sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiSwitch unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiSwitch unit.

Syntax

config user ldap

edit <server_name>

set cnid <id>

set dn <dname>

set group-member-check {user-attr | group-object}

set member-attr <attr_name>

set port <number>

set server <domain>

set type <auth_type>

set username <ldap_username>

set password <ldap_passwd>

set password-expiry-warning {disable | enable}

set password-renewal {disable | enable}

set secure <auth_port>

end

Variable

Description

Default

<server_name>

Enter a name to identify the LDAP server.

Enter a new name to create a new server definition or enter an existing server name to edit that server definition.

No default

cnid <id>

Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid. Maximum 20 characters.

cn

dn <dname>

Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the Common Name Identifier. The FortiSwitch passes this distinguished name unchanged to the server.

You must provide a dn value if type is simple.

Maximum 512 characters.

No default

group-member-check {user-attr | group-object}

Select the group membership checking method:

user attribute or group object.

user-attr

member-attr <attr_name>

An attribute of the group that is used to authenticate users.

No default

port <number>

Enter the port number for communication with the LDAP server.

389

server <domain>

Enter the LDAP server domain name or IP address.

No default

type <auth_type>

Enter the authentication type for LDAP searches. One of: anonymous, regular or simple

See the notes following the table for additional information.

simple

username <ldap_username>

This field is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.

No default

password <ldap_passwd>

This field is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.

No default

password-expiry-warning {disable | enable}

Enable or disable password expiry warnings.

disable

password-renewal {disable | enable}

Enable or disable online password renewal.

disable

secure <auth_port>{disable | starttls | ldaps}

Select the port to be used in authentication:
  • disable — port 389
  • ldaps — port 636
  • starttls — port 389

disable

Notes on Authentication Type

The following are the authentication types for LDAP searches:

  • anonymous—bind using anonymous user search
  • regular—bind using user name and password and then search
  • simple—simple password authentication without search

You can use simple authentication if the user records are all under one dn that you know. If the users are under more than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user name.

If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.

config user local

Use this command to add local user names and configure user authentication for the system. To add authentication by LDAP or RADIUS server you must first add servers using the config user ldap and config user radius commands.

Syntax

config user local

edit <user_name>

set ldap-server <server_name>

set passwd <password_str>

set radius-server <server_name>

set tacacs+-server <server_name>

set status {enable | disable}

set type <auth-type>

end

Variable

Description

Default

<user_name>

Enter the user name. Enter a new name to create a new user account or enter an existing user name to edit that account.

No default

ldap-server <server_name>

Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. This option is available when type is set to ldap.

No default

passwd <password_str>

Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords. This option is available when type is set to password.

No default

radius-server <server_name>

Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. This option is available when type is set to radius.

No default

tacacs+-server <server_name>

Enter the name of the TACACS+ server with which the user must authenticate. This option is available when type is set to tacacs+.

No default

status {enable | disable}

Enter enable to allow the local user to authenticate with the FortiSwitch unit.

enable

type <auth-type>

Enter one of the following to specify how this user’s password is verified:
  • ldap: The LDAP server specified in ldap‑server verifies the password.
  • password: The system verifies the password against the value of the password.
  • radius: The RADIUS server specified in radius‑server verifies the password.
  • tacacs+: The TACACS+ server specified in tacacs+‑server verifies the password.

No default

config user peer

Use this command to configure a peer user.

Syntax

config user peer

edit <peer_name>

set ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set cn <string>

set cn-type {FQDN | email | ipv4 | ipv6 | string}

set ldap-mode {password | principal-name}

set ldap-password <password>

set ldap-server <string>

set ldap-username <string>

set mandatory-ca-verify {enable | disable}

set passwd <password>

set subject <string>

set two-factor {enable |disable}

next

end

Variable

Description

Default

<peer_name>

Enter the name of the peer user.

No default

ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Select a certificate authority (CA) for the peer certificate.

No default

cn <string>

Enter the common name for the peer certificate.

No default

cn-type {FQDN | email | ipv4 | ipv6 | string}

Enter the type of common name for the peer certificate: fully qualified domain name, email address, IPv4 address, IPv6 address, or a text description.

string

ldap-mode {password | principal-name}

Select whether the peer LDAP requires a password or an email address. The password is specified with the set ldap-password command.

password

ldap-password <password>

Enter the password for the peer LDAP.

This option is available only when the ldap-mode is set to password.

No default

ldap-server <string>

Enter the name of the LDAP server used for checking access permission.

No default

ldap-username <string>

Enter the user name for the LDAP server.

No default

mandatory-ca-verify {enable | disable}

Enable or disable whether there is mandatory CA verification.

disable

passwd <password>

Enter the user password for two-factor authentication.

This option is available only when two-factor is enabled.

No default

subject <string>

Enter any limitations on the peer certificate name.

No default

two-factor {enable |disable}

Enable or disable two-factor authentication. When this option is enabled, the certificate and password are required. Specify the password in the set passwd command.

disable

config user peergrp

Use this command to configure a peer user group.

Syntax

config user peergrp

edit <peer_group_name>

set member <list_of_peer_names>

next

end

Variable

Description

Default

<peer_group_name>

Enter a name for the new peer group.

No default

<list_of_peer_names>

Enter one of more peer users. Separate the names with a space. The peer users must already be configured with the config user peer command before they are added to a peer user group.

No default

config user radius

Use this command to add or edit the information used for RADIUS authentication.

The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change the default RADIUS port. You may set a different port for each of your RADIUS servers. The maximum number of remote RADIUS servers that can be configured for authentication is 10.

The RADIUS server is provided with more information to make authentication decisions, based on values in server, nas-ip, and the config user group subcommand config match. Attributes include:

  • NAS-IP-Address — RADIUS setting or IPv4 address of FortiSwitch interface used to talk to RADIUS server, if not configured
  • NAS-IPv6-Address — RADIUS setting or IPv6 address of FortiSwitch interface used to talk to RADIUS server, if not configured
  • NAS-Port — physical interface number of the traffic that triggered the authentication
  • Called-Station-ID — same value as NAS-IP Address but in text format
  • Fortinet-Vdom-Name — name of VDOM of the traffic that triggered the authentication
  • NAS-Identifier — configured hostname in non-HA mode; HA cluster group name in HA mode
  • Acct-Session-ID — unique ID identifying the authentication session
  • Connect-Info — identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-pptp, vpn-l2tp, vpn-ssl, admin-login, test)

You can select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and MS-CHAP-v2.

Syntax

config user radius

edit <RADIUS_user_name>

set acct-fast-framedip-detect <integer>

set acct-interim-interval <integer>

set addr-mode {ipv4 | ipv6)

set all-usergroup {enable | disable}

set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

set frame-mtu-size <integer>

set link-monitor {enable | disable}

set link-monitor-interval <5-120>

set nas-ip <use_ip>

set nas-ip6 <ipv6_addr>

set radius-coa {enable | disable}

set radius-port <radius_port_num>

set secret <server_password>

set server <domain_ipv4_ipv6>

set service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound}

set source-ip <ipv4_addr>

set source-ip6 <ipv6_addr>

config acct-server

edit <accounting_server_ID>

set status {enable | disable}

set server <accounting_server>

set secret <accounting_server_secret>

set port <accounting_server_port>

next

end

end

Variable

Description

Default

<server_name>

Enter a name of the RADIUS user group. Enter a new name to create a new group definition or enter an existing group name to edit that group definition.

No default

acct-fast-framedip-detect <integer>

Enter the number of seconds allowed for the first-time detection of the Framed-IP-Address attribute from DHCP snooping. The range is 2-600 seconds.

2

acct-interim-interval <integer>

Enter the number of seconds between each interim accounting message sent to the RADIUS server. The value range is 60-86400.

600

addr-mode {ipv4 | ipv6)

Select whether to connect to the RADIUS server with IPv4 or IPv6. NOTE: If you select ipv4, you must use an IPv4 address for the set server command. If you select ipv6, you must use an IPv6 address for the set server command.

ipv4

all-usergroup {enable | disable}

Enable to automatically include this RADIUS server in all user groups.

disable

auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

Select the authentication method for this RADIUS server. auto uses pap, ms_chap_v2, and chap.

auto

frame-mtu-size <integer>

Enter the maximum frame size in octets used to advertise to the authentication server. The range is 600-1500.

1500

link-monitor {enable | disable}

Enable or disable whether this server sends periodic ping messages to the RADIUS server to test if it is available.

disable

link-monitor-interval <5-120>

Enter how often (in seconds) the server checks if the RADIUS server is available.

15

nas-ip <use_ip>

IPv4 address used as NAS-IP-Address and Called‑Station-ID attribute in RADIUS access requests. RADIUS setting or IPv4 address of FortiGate interface used to talk with RADIUS server, if not configured.

This option is available when the addr-mode is set to ipv4.

No default

nas-ip6 <ipv6_addr>

IPv6 address used as NAS-IPv6-Address and Called‑Station-ID attribute in RADIUS access requests. RADIUS setting or IPv6 address of FortiGate interface used to talk with RADIUS server, if not configured.

This option is available when the addr-mode is set to ipv6.

No default

radius-coa {enable | disable}

Enable or disable whether this server will use RADIUS change of authorization (CoA).

disable

radius-port <radius_port_num>

Change the default RADIUS port for this server. Range is 0-65535

1812

secret <server_password>

Enter the RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length.

No default

server <domain_ipv4_ipv6>

Enter the RADIUS server domain name, IPv4 address, or IPv6 address. NOTE: If you selected ipv4 for addr-mode, you must use an IPv4 address for the set server command. If you selected ipv6 for addr-mode, you must use an IPv6 address for the set server command.

No default

source-ip <ipv4_addr>

Enter the source IPv4 address for communicating to the RADIUS server.

This option is available when the addr-mode is set to ipv4.

0.0.0.0

source-ip6 <ipv6_addr>

Enter the source IPv6 address for communicating to the RADIUS server.

This option is available when the addr-mode is set to ipv6.

No default

config acct-server

<accounting_server_ID>

Enter the identifier for the accounting server. The value range is 0-4294967295.

No default

status {enable | disable}

Enable or disable RADIUS accounting.

disable

secret <accounting_server_secret>

Enter the shared secret key for the RADIUS accounting server.

*

server <accounting_server>

Enter the RADIUS server domain name, IPv4 address, or IPv6 address of the RADIUS server that will be receiving the accounting messages.

No default

service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound}

Select the Service-Type value. Separate multiple values with a space.

none

port <accounting_server_port>

Enter the port number for the RADIUS accounting server to receive accounting messages from the FortiSwitch unit.

1813

Notes on context timeout

The number of seconds that a user context entry can remain in the user context list without the system receiving a communication session from the carrier end point. If a user context entry is not being looked up, then the user must no longer be connected to the network.

This timeout is only required if the system doesn’t receive the RADIUS Stop record. However, even if the accounting system does send RADIUS Stop records this timeout should be set in case the FortiSwitch misses a Stop record.

The default user context entry timeout is 28800 seconds (8 hours). You can keep this timeout relatively high because its not usually a problem to have a long list, but entries that are no longer used should be removed regularly.

You might want to reduce this timeout if the accounting server does not send RADIUS Stop records. Also if customer IP addresses change often you might want to set this timeout lower so that out of date entries are removed from the list.

If this timeout is too low the FortiSwitch could remove user context entries for users who are still connected.

Dynamic Flag values

  • none — Disable writing event log messages for dynamic profile events.
  • accounting-event — Enable to write an event log message when the system does not find the expected information in a RADIUS Record. For example, if a RADIUS record contains more than the expected number of addresses.
  • accounting-stop-missed — Enable to write an event log message whenever a user context entry timeout expires indicating that the system removed an entry from the user context list without receiving a RADIUS Stop message.
  • context-missing — Enable to write an event log message whenever a user context creation timeout expires indicating that the system was not able to match a communication session because a matching entry was not found in the user context list.
  • profile-missing — Enable to write an event log message whenever the system cannot find a profile group name in a RADIUS start message that matches the name of a profile group added to the system.
  • protocol-error — Enable to write an event log message if RADIUS protocol errors occur. For example, if a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
  • radiusd-other — Enable to write event log messages for other events. The event is described in the log message. For example, write a log message if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.

Example

This example shows how to connect to a RADIUS server using IPv4:

config user radius

edit "local-RADIUS"

set addr-mode ipv4

set server 10.0.23.5

set secret djfhde;rkjfkrekdfjeke

set auth-type ms_chap_v2

set acct-interim-interval 1200

config acct-server

edit 1

set status enable

set server 10.0.23.5

set secret djfhde;rkjfkrekdfjeke

set port 1813

next

end

next

end

This example shows how to connect to a RADIUS server using IPv6:

config user radius

edit "radius"

set acct-interim-interval 60

config acct-server

edit 1

set status enable

set server "ipv6local"

set secret djfhde;rkjfkrekdfjeke

next

end

set radius-coa enable

set secret djfhde;rkjfkrekdfjeke

set server "ipv6local"

set service-type login callback-nas-prompt

set addr-mode ipv6

set nas-ip6 4001:1:2::1

set source-ip6 4001:1:2::1

next

end

config user setting

Use this command to change user authorization settings.

Syntax

config user setting

set auth-blackout-time <blackout_time_int>

set auth-cert <cert_name>

set auth-http-basic {disable | enable}

set auth-invalid-max <int>

set auth-multi-group {enable | disable}

set auth-secure-http {enable | disable}

set auth-type {ftp | http | https | telnet}

set auth-timeout <auth_timeout_minutes>

set auth-timeout-type {idle‑timeout | hard‑timeout | new‑session}

config auth-ports

edit <auth-table-entry-id>

set port <port_int>

set type {ftp | http | https | telnet}

end

end

Variable

Description

Default

auth-blackout-time <blackout_time_int>

When a firewall authentication attempt fails 5 times within one minute the IP address that is the source of the authentication attempts is denied access for the <blackout_time_int> period in seconds. The range is 0 to 3600 seconds.

0

auth-cert <cert_name>

HTTPS server certificate for policy authentication. Fortinet_Factory, Fortinet_Firmware (if applicable to your FortiSwitch), and self-sign are built-in certificates but others will be listed as you add them.

self-sign

auth-http-basic {disable | enable}

Enable or disable support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of displaying an authentication web page. Some basic web browsers, for example, web browsers on mobile devices, may only support HTTP basic authentication.

disable

auth-invalid-max <int>

Enter the maximum number of failed authentication attempts to allow before the client is blocked. Range: 1-100.

5

auth-multi-group {enable | disable}

This option can be disabled if the Active Directory structure is setup such that users belong to only 1 group for purpose of firewall authentication.

enable

auth-secure-http {enable | disable}

Enable to have http user authentication redirected to secure channel - https.

disable

auth-type {ftp | http | https | telnet}

Set the user authentication protocol support for firewall policy authentication. User controls which protocols should support the authentication challenge.

No Default

auth-timeout <auth_timeout_minutes>

Set the number of minutes before the firewall user authentication timeout requires the user to authenticate again. The maximum authtimeout interval is 480 minutes (8 hours). To improve security, keep the authentication timeout at the default value of 5 minutes.

5

auth-timeout-type {idle‑timeout | hard‑timeout | new‑session}

Set the type of authentication timeout. idle‑timeout — applies only to idle session hard‑timeout — applies to all sessions new‑session — applies only to new sessions

idle‑timeout

config auth-ports

<auth-table-entry-id>

Create an entry in the authentication port table if you are using non-standard ports.

No Default

port <port_int>

Specify the authentication port. Range 1 to 65535.

1024

type {ftp | http | https | telnet}

Specify the protocol to which port applies.

http

config user tacacs+

Use this command to add or edit the information used for TACACS+ authentication.

Syntax

config user tacacs+

edit <user name>

set authen-type {ascii | auto | chap | mschap | pap}

set authorization {enable | disable}

set key <passwd>

set port <port number>

set server <domain>

set source-ip <ipv4_addr>

end

Variable

Description

Default

<user name>

Enter the name of the user.

No default

authen-type{ascii | auto | chap | mschap | pap}

Set the authentication type. Auto will use PAP, MSCHAP, and CHAP (in that order).

auto

authorization {disable | enable}

Enable TACACS+ authorization (service=fortigate)

disable

key <passwd>

Password value for the server.

*

port <port_int>

Specify the authentication port. Range 1 to 65535.

49

server <domain>

Specify the domain name of the server

No default

source-ip <ipv4_addr>

Set the source IP address.

0.0.0.0

Example

This example shows how to configure a TACACS user account for login authentication:

config user tacacs+

edit tacserver

set authen-type ascii

set authorization enable

set key temporary

set server tacacs_server

end