Users and user groups

Users and user groups

FortiGate authentication controls system access by user group. By assigning individual users to the appropriate user groups you can control each user’s access to network resources. The members of user groups are user accounts, of which there are several types. Local users and peer users are defined on the FortiGate unit. User accounts can also be defined on remote authentication servers.

This section describes how to configure local users and peer users and then how to configure user groups. For information about configuration of authentication servers see Authentication servers on page 29.

This section contains the following topics:

  • Users
  • User groups

Users

A user is a user account consisting of username, password, and in some cases other information, configured on the FortiGate unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group. There are several different types of user accounts with slightly different methods of authentication:

User type Authentication
Local user The username and password must match a user account stored on the FortiGate unit. Authentication by FortiGate security policy.
Remote user The username must match a user account stored on the FortiGate unit and the username and password must match a user account stored on the remote authentication server. FortiOS supports LDAP, RADIUS, and TACACS+ servers.
Authentication server user A FortiGate user group can include user accounts or groups that exist on a remote authentication server.
FSSO user With Fortinet Single Sign On (FSSO), users on a Microsoft Windows or Novell network can use their network authentication to access resources through the FortiGate unit. Access is controlled through FSSO user groups which contain Windows or Novell user groups as their members.
PKI or Peer user A Public Key Infrastructure (PKI) or peer user is a digital certificate holder who authenticates using a client certificate. No password is required, unless two-factor authentication is enabled.
IM Users IM users are not authenticated. The FortiGate unit can allow or block each IM user name from accessing the IM protocols. A global policy for each IM protocol governs access to these protocols by unknown users.
User type Authentication
Guest Users Guest user accounts are temporary. The account expires after a selected period of time.

This section includes:

  • Local and remote users
  • PKI or peer users
  • Two-factor authentication
  • FortiToken
  • Monitoring users

Local and remote users

Local and remote users are defined on the FortiGate unit in User & Device > User Definition.

Create New Creates a new user account. When you select Create New, you are automatically redirected to the User Creation Wizard.
Edit User Modifies a user’s account settings. When you select Edit, you are automatically redirected to the Edit User page.
Delete Removes a user from the list. Removing the user name removes the authentication configured for the user.

The Delete icon is not available if the user belongs to a user group.

To remove multiple local user accounts from within the list, on the User page, in each of the rows of user accounts you want removed, select the check box and then select Delete.

To remove all local user accounts from the list, on the User page, select the check box in the check box column and then select Delete.

User Name The user name. For a remote user, this username must be identical to the username on the authentication server.
Type Local indicates a local user authenticated on the FortiGate unit. For remote users, the type of authentication server is shown: LDAP, RADIUS, or TACACS+.
Two-factor

Authentication

Indicates whether two-factor authentication is configured for the user.
Ref. Displays the number of times this object is referenced by other objects. Select the number to open the Object Usage window and view the list of referring objects. The list is grouped into expandable categories, such as Firewall Policy. Numbers of objects are shown in parentheses.

To view more information about the referring object, use the icons:

View the list page for these objects – available for object categories. Goes to the page where the object is listed. For example, if the category is User Groups, opens User Groups list.

Edit this object – opens the object for editing. l View the details for this object – displays current settings for the object.

To create a local or remote user account – web-based manager:

  1. Go to User & Device > User Definition and select Create New.
  2. On the Choose User Type page select:
Local User Select to authenticate this user using a password stored on the FortiGate unit.
Remote RADIUS User

Remote TACACS+ User

Remote LDAP User

To authenticate this user using a password stored on an authentication server, select the type of server and then select the server from the list. You can select only a server that has already been added to the FortiGate unit configuration.
  1. Select Next and provide user authentication information. For a local user, enter the User Name and Password.

For a remote user, enter the User Name and the server name.

  1. Select Next and enter Contact Information.

If email or SMS is used for two-factor authentication, provide the email address or SMS cell number at which the user will receive token password codes. If a custom SMS service is used, it must already be configured. See FortiToken on page 60.

  1. Select Next, then on the Provide Extra Info page enter
Two-factor Authentication Select to enable two-factor authentication. Then select the Token (FortiToken or FortiToken Mobile) for this user account. See Associating FortiTokens with accounts on page 63.
User Group Select the user groups to which this user belongs.
  1. Select Create.

To create a local user – CLI example:

Locally authenticated user

config user local edit user1 set type password set passwd ljt_pj2gpepfdw end

To create a remote user – CLI example:

config user local edit user2 set type ldap set ldap_server ourLDAPsrv

end

For a RADIUS or TACACS+ user, set type to radius or tacacs+, respectively.

To create a user with FortiToken Mobile two-factor authentication – CLI example:

config user local edit user5 set type password set passwd ljt_pj2gpepfdw set two_factor fortitoken set fortitoken 182937197

end

Remote users are configured for FortiToken two-factor authentication similarly.

To create a user with SMS two-factor authentication using FortiGuard messaging Service – CLI example:

config user local edit user6 set type password set passwd 3ww_pjt68dw set two_factor sms set sms-server fortiguard set sms-phone 1365984521

end

Removing users

Best practices dictate that when a user account is no longer in use, it should be deleted. Removing local and remote users from FortiOS involve the same steps.

If the user account is referenced by any configuration objects, those references must be removed before the user can be deleted. See Removing references to users on page 57.

To remove a user from the FortiOS configuration – web-based manager:

  1. Go to User & Device > User Definition.
  2. Select the check box of the user that you want to remove.
  3. Select Delete.
  4. Select OK.

To remove a user from the FortiOS configuration – CLI example:

config user local delete user4444 end

Removing references to users

You cannot remove a user that belongs to a user group. Remove the user from the user group first, and then delete the user.

To remove references to a user – web-based manager

  1. Go to User & Device > User Definition.
  2. If the number in the far right column for the selected user contains any number other than zero, select it.
  3. A more detailed list of object references to this user is displayed. Use its information to find and remove these references to allow you to delete this user.
This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Users and user groups

  1. Anabella Cristaldi

    Hi Mike, One question: if I have LDAP Users and a remote Radius Group which will check first given an username and password? I’m not able to see If the order is defined somewhere
    Thank you

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.