user : group
 
group
Use this command to add or edit user groups. User groups can include defined peer members.
Syntax
config user group
edit <groupname>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <limit_int>
set authtimeout <timeout>
set company {disabled | mandatory | optional}
set email {enable | disable}
set expire <seconds_int>
set expire-type {immediately | first-successful-login}
set group-type {firewall | fsso-service | rsso | guest}
set http-digest-realm <realm_str>
set max-accounts <int>
set member <names>
set mobile-phone {enable | disable}
set multiple-guest-add {enable | disable}
set password {auto-generate | email | specify}
set sponsor {disabled | mandatory | optional}
set sslvpn-portal <web_portal_name>
set sso-attribute-value <string>
set user-id {auto-generate | email | specify}
set user-name {enable | disable}
config guest
edit <guest_id>
set company <company-name_str>
set email <email-addr_str>
set expiration <expire-time_str>
set mobile-phone <telnumber_str>
set name <name_str>
set password <pwd_str>
set sponser <sponsor-name_str>
end
config match
edit <match_id>
set group-name <gname_str>
set rsso {enable | disable}
set server-name <srvname_str>
end
end
Variable
Description
Default
edit <groupname>
Enter a new name to create a new group or enter an existing group name to edit that group.
No default.
auth-concurrent-override {enable | disable}
Enable to override the policy-auth-concurrent setting in system global.
disable
auth-concurrent-value <limit_int>
Set the number of concurrent logins permitted from the same user. Range 1 to 100. 0 means no limit. This field is available if auth-concurrent-override is enabled.
0
authtimeout <timeout>
Enter the authentication timeout for the user group, in minutes. Range 1 to 480 minutes. Enter 0 to use the global authentication timeout. This is available if group-type is firewall or fsso-service.
0
company {disabled | mandatory | optional}
Select the option for the guest’s company name field on the web-based manager Guest Management form: disabled, mandatory or optional. This is available if group-type is guest.
optional
email {enable | disable}
Enable or disable the email address field in the web-based manager Guest Management form. This is available if group-type is guest.
disable
expire <seconds_int>
Enter the number of seconds until the guest account expires. This is available if group-type is guest.
14400
expire-type {immediately | first-successful-login}
Select when expiry time countdown begins: immediately or after the user’s first successful login. This is available if group-type is guest.
immediately
group-type {firewall | fsso-service | rsso | guest}
Enter the group type, which determines the type of user the group contains:
firewall - FortiGate users defined in user local, user ldap or user radius
fsso-service - Fortinet Single Sign-On (FSSO) users
rsso - RADIUS Single Sign-On (RSSO) users
guest - guest users
firewall
http-digest-realm <realm_str>
Enter the realm attribute for MD5-digest authentication.
No default.
max-accounts <int>
When group-type is guest, set the maximum number of accounts permitted. 0 means unlimited. The maximum value that can be set depends on the platform.
0
member <names>
Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
This field is available if group-type is firewall or fsso-service.
No default.
mobile-phone {enable | disable}
Enable or disable the mobile phone number field in the web-based manager Guest Management form. This is available if group-type is guest.
disable
multiple-guest-add {enable | disable}
Enable or disable the multiple guest add option in the web-based manager User Group form. This is available if group-type is guest.
disable
password {auto-generate | email | specify}
Select the source of the guest password:
auto-generate - create a random password
email - use the guest's email address as the password
specify - enter a password string
This is available if group-type is guest.
auto-generate
sponsor {disabled | mandatory | optional}
Select whether the sponsor field on the web-based manager Guest Management form should be disabled, mandatory or optional. This is available if group-type is guest.
optional
sslvpn-portal <web_portal_name>
Enter the name of the SSL-VPN portal for this group.
This is available if group-type is firewall.
No default.
sso-attribute-value <string>
Enter the name of the RADIUS user group this local user group represents. RADIUS accounting records whose SSO attribute carries this value are mapped to this group. This is available if group-type is rsso.
No default.
user-id {auto-generate | email | specify}
Select the source of the guest user ID:
auto-generate — create a random user ID
email — use the guest’s email address
specify — enter a user ID string
This is available if group-type is guest.
email
user-name {enable | disable}
Enable or disable guest user name entry. This is available if group-type is guest.
disable
config guest fields
Configure guest users. This is available if group-type is guest.
 
<guest_id>
Enter the guest user ID.
No default.
company <company-name_str>
Enter the user’s company name.
 
email <email-addr_str>
Enter the user’s email address.
 
expiration <expire-time_str>
Enter the account expiration time.
 
mobile-phone <telnumber_str>
Enter the user's mobile telephone number.
 
name <name_str>
Enter the user’s name.
 
password <pwd_str>
Enter the user’s password.
 
sponser <sponsor-name_str>
Enter the user’s sponsor.
 
config match fields
Specify the user group names on the remote authentication servers that are members of this FortiGate user group. If no match entries are specified, any user who can authenticate to a server listed in member is treated as a member of this group; add a match entry per server to restrict membership to a specific remote group.
 
<match_id>
Enter an ID for the entry.
 
group-name <gname_str>
The name of the matching group on the remote authentication server.
 
rsso {enable | disable}
Enable or disable RADIUS single sign-on matching in this user group.
disable
server-name <srvname_str>
The name of the remote authentication server.
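The following is an added worked example, not taken from the original reference, that ties the fields above together in one config user group block. The server name "ldap-corp", the group names, the LDAP group DN and all numeric values are assumptions chosen for illustration. The firewall group shows the two settings a practitioner most often wants checked: a match entry so that only members of one remote LDAP group are accepted (rather than every account on the server), and a per-group concurrent-login limit that overrides the global policy-auth-concurrent value.

```text
config user group
    edit "vpn-admins"
        set group-type firewall
        set member "ldap-corp"
        set authtimeout 30
        set auth-concurrent-override enable
        set auth-concurrent-value 2
        config match
            edit 1
                set server-name "ldap-corp"
                set group-name "CN=VPN-Admins,OU=Groups,DC=example,DC=com"
            next
        end
    next
    edit "guests"
        set group-type guest
        set user-id email
        set password auto-generate
        set expire-type first-successful-login
        set expire 7200
        set company mandatory
        set sponsor mandatory
        set max-accounts 50
    next
    edit "rsso-contractors"
        set group-type rsso
        set sso-attribute-value "contractors"
    next
end
```

In the guest group, expire-type first-successful-login means the 7200-second countdown does not start until the guest actually logs in, so pre-created accounts do not silently expire before the visitor arrives; mandatory company and sponsor fields give each account an accountable owner. Without the config match entry in "vpn-admins", any user who can bind to "ldap-corp" would satisfy the group, so verify the match entry whenever an LDAP or RADIUS server appears in member.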