Users and user groups
FortiGate authentication controls system access by user group. By assigning individual users to the appropriate user groups you can control each user’s access to network resources. The members of user groups are user accounts, of which there are several types. Local users and peer users are defined on the FortiGate unit. User accounts can also be defined on remote authentication servers.
This section describes how to configure local users and peer users and then how to configure user groups. For information about configuration of authentication servers see Authentication servers on page 29.
This section contains the following topics:
- Users
- User groups
Users
A user is a user account consisting of username, password, and in some cases other information, configured on the FortiGate unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group. There are several different types of user accounts with slightly different methods of authentication:
| User type | Authentication |
| Local user | The username and password must match a user account stored on the FortiGate unit. Authentication by FortiGate security policy. |
| Remote user | The username must match a user account stored on the FortiGate unit and the username and password must match a user account stored on the remote authentication server. FortiOS supports LDAP, RADIUS, and TACACS+ servers. |
| Authentication server user | A FortiGate user group can include user accounts or groups that exist on a remote authentication server. |
| FSSO user | With Fortinet Single Sign On (FSSO), users on a Microsoft Windows or Novell network can use their network authentication to access resources through the FortiGate unit. Access is controlled through FSSO user groups which contain Windows or Novell user groups as their members. |
| PKI or Peer user | A Public Key Infrastructure (PKI) or peer user is a digital certificate holder who authenticates using a client certificate. No password is required, unless two-factor authentication is enabled. |
| IM Users | IM users are not authenticated. The FortiGate unit can allow or block each IM user name from accessing the IM protocols. A global policy for each IM protocol governs access to these protocols by unknown users. |
| User type | Authentication |
| Guest Users | Guest user accounts are temporary. The account expires after a selected period of time. |
This section includes:
- Local and remote users
- PKI or peer users
- Two-factor authentication
- FortiToken
- Monitoring users
Local and remote users
Local and remote users are defined on the FortiGate unit in User & Device > User Definition.
| Create New | Creates a new user account. When you select Create New, you are automatically redirected to the User Creation Wizard. |
| Edit User | Modifies a user’s account settings. When you select Edit, you are automatically redirected to the Edit User page. |
| Delete | Removes a user from the list. Removing the user name removes the authentication configured for the user.
The Delete icon is not available if the user belongs to a user group. To remove multiple local user accounts from within the list, on the User page, in each of the rows of user accounts you want removed, select the check box and then select Delete. To remove all local user accounts from the list, on the User page, select the check box in the check box column and then select Delete. |
| User Name | The user name. For a remote user, this username must be identical to the username on the authentication server. |
| Type | Local indicates a local user authenticated on the FortiGate unit. For remote users, the type of authentication server is shown: LDAP, RADIUS, or TACACS+. |
| Two-factor
Authentication |
Indicates whether two-factor authentication is configured for the user. |
| Ref. | Displays the number of times this object is referenced by other objects. Select the number to open the Object Usage window and view the list of referring objects. The list is grouped into expandable categories, such as Firewall Policy. Numbers of objects are shown in parentheses.
To view more information about the referring object, use the icons: l View the list page for these objects – available for object categories. Goes to the page where the object is listed. For example, if the category is User Groups, opens User Groups list. l Edit this object – opens the object for editing. l View the details for this object – displays current settings for the object. |
To create a local or remote user account – web-based manager:
- Go to User & Device > User Definition and select Create New.
- On the Choose User Type page select:
| Local User | Select to authenticate this user using a password stored on the FortiGate unit. |
| Remote RADIUS User
Remote TACACS+ User Remote LDAP User |
To authenticate this user using a password stored on an authentication server, select the type of server and then select the server from the list. You can select only a server that has already been added to the FortiGate unit configuration. |
- Select Next and provide user authentication information. For a local user, enter the User Name and Password.
For a remote user, enter the User Name and the server name.
- Select Next and enter Contact Information.
If email or SMS is used for two-factor authentication, provide the email address or SMS cell number at which the user will receive token password codes. If a custom SMS service is used, it must already be configured. See FortiToken on page 60.
- Select Next, then on the Provide Extra Info page enter
| Two-factor Authentication | Select to enable two-factor authentication. Then select the Token (FortiToken or FortiToken Mobile) for this user account. See Associating FortiTokens with accounts on page 63. |
| User Group | Select the user groups to which this user belongs. |
- Select Create.
To create a local user – CLI example:
Locally authenticated user
config user local edit user1 set type password set passwd ljt_pj2gpepfdw end
To create a remote user – CLI example:
config user local edit user2 set type ldap set ldap_server ourLDAPsrv
end
For a RADIUS or TACACS+ user, set type to radius or tacacs+, respectively.
To create a user with FortiToken Mobile two-factor authentication – CLI example:
config user local edit user5 set type password set passwd ljt_pj2gpepfdw set two_factor fortitoken set fortitoken 182937197
end
Remote users are configured for FortiToken two-factor authentication similarly.
To create a user with SMS two-factor authentication using FortiGuard messaging Service – CLI example:
config user local edit user6 set type password set passwd 3ww_pjt68dw set two_factor sms set sms-server fortiguard set sms-phone 1365984521
end
Removing users
Best practices dictate that when a user account is no longer in use, it should be deleted. Removing local and remote users from FortiOS involve the same steps.
If the user account is referenced by any configuration objects, those references must be removed before the user can be deleted. See Removing references to users on page 57.
To remove a user from the FortiOS configuration – web-based manager:
- Go to User & Device > User Definition.
- Select the check box of the user that you want to remove.
- Select Delete.
- Select OK.
To remove a user from the FortiOS configuration – CLI example:
config user local delete user4444 end
Removing references to users
You cannot remove a user that belongs to a user group. Remove the user from the user group first, and then delete the user.
To remove references to a user – web-based manager
- Go to User & Device > User Definition.
- If the number in the far right column for the selected user contains any number other than zero, select it.
- A more detailed list of object references to this user is displayed. Use its information to find and remove these references to allow you to delete this user.
Hi Mike, One question: if I have LDAP Users and a remote Radius Group which will check first given an username and password? I’m not able to see If the order is defined somewhere
Thank you