config user user-group
Use this command to configure user groups. User groups are authorized by the virtual server authorization policy. The user group configuration references the authentication servers that contain valid user credentials.
Suggested steps:
1. Configure LDAP and RADIUS servers, if applicable.
2. Configure local users.
3. Configure user groups (reference servers and local users).
4. Configure an authorization policy (reference the user group).
5. Configure the virtual server (reference the authorization policy).
Before you begin:
• You must have created configuration objects for any LDAP and RADIUS server you want to use, and you must have created user accounts for local users.
• You must have read-write permission for system settings.
After you have created user groups, you can specify them in the load-balance auth-policy configuration.
Syntax
config user user-group
  edit <name>
    set auth-log {none|fail|success|all}
    set auth-timeout <integer>
    set user-cache {enable|disable}
    set user-cache-timeout <integer>
    config member
      edit <No.>
        set type {local|ldap|radius}
        set local-user {<name> <name> ...}
        set ldap-server <datasource>
        set radius-server <datasource>
      next
    end
  next
end
auth-log | Specify one of the following logging options for authentication events: no logging; log failed attempts; log successful attempts; log all (both failed and successful attempts). |
auth-timeout | Timeout for query sent from FortiADC to a remote authentication server. |
user-cache | Enable to cache the credentials for the remote users (LDAP, RADIUS) once they are authorized. |
user-cache-timeout | Timeout for cached user credentials. |
config member |
type | Authentication server type. |
local-user | To add local users, specify the local usernames. |
ldap-server | To add LDAP users, specify the LDAP server configuration name. |
radius-server | To add RADIUS users, specify the server configuration name. |
Example
FortiADC-VM # config user user-group
FortiADC-VM (user-group) # edit example-group
Add new entry 'example-group' for node 3300
FortiADC-VM (example-group) # get
user-cache : disable
auth-timeout : 2000
auth-log : none
FortiADC-VM (example-group) # config member
FortiADC-VM (member) # edit 1
Add new entry '1' for node 3302
FortiADC-VM (1) # get
type : local
local-user :
FortiADC-VM (1) # set local-user
<datasource> loca user
FortiADC-VM (1) # set local-user test1
FortiADC-VM (1) # end
FortiADC-VM (example-group) # end
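The following Python script is an added example, not part of the FortiADC documentation. It parses configuration text in the syntax shown above and lists user groups that do not log failed authentication attempts or that cache remote (LDAP, RADIUS) credentials. Assumptions: options that are not set take the values that get shows for a new entry in the example above; the function name, the sample names and the review criteria are chosen for this example.

```python
DEFAULTS = {"auth-log": "none", "user-cache": "disable"}  # per the `get` output on this page
TOP, MEMBER = ["user user-group"], ["user user-group", "member"]
SAMPLE = """\
config user user-group
  edit staff
    set auth-log all
    set user-cache enable
    config member
      edit 1
        set type ldap
        set ldap-server ldap1
      next
    end
  next
  edit example-group
    config member
      edit 1
        set local-user test1
      next
    end
  next
end
"""  # constructed sample in this page's syntax; all names are made up

def audit_user_groups(text):
    """Return {group name: settings plus a list of review findings}."""
    groups, stack, cur = {}, [], None
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "next" and stack == TOP:
            cur = None
        elif words[0] == "edit" and stack == TOP and len(words) > 1:
            cur = groups.setdefault(words[1].strip('"'), dict(DEFAULTS, types=[]))
        elif words[0] == "edit" and stack == MEMBER and cur is not None:
            cur["types"].append("local")  # a new member shows type : local
        elif words[0] == "set" and cur is not None and len(words) > 2:
            if stack == TOP and words[1] in DEFAULTS:
                cur[words[1]] = words[2]
            elif stack == MEMBER and words[1] == "type" and cur["types"]:
                cur["types"][-1] = words[2]
    for g in groups.values():
        g["findings"] = []
        if g["auth-log"] in ("none", "success"):
            g["findings"].append("failed authentication attempts are not logged")
        if g["user-cache"] == "enable" and {"ldap", "radius"} & set(g["types"]):
            g["findings"].append("remote credentials are cached; check user-cache-timeout")
    return groups
```

Calling audit_user_groups(SAMPLE) reports example-group for its default auth-log of none and staff for caching LDAP credentials.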