local
Use this command to add local user names and configure user authentication for the FortiGate unit. To add authentication by LDAP or RADIUS server, you must first add the servers using the config user ldap and config user radius commands.
Syntax
    config user local
        edit <username>
            set auth-concurrent-override {enable | disable}
            set auth-concurrent-value <limit_int>
            set ldap-server <servername>
            set passwd <password_str>
            set passwd-policy <policy_name>
            set passwd-time <time_str>
            set radius-server <servername>
            set sms-custom-server <srv_name>
            set sms-phone <phone_str>
            set sms-server {fortiguard | custom}
            set status {enable | disable}
            set tacacs+-server <servername>
            set two-factor {disable | fortitoken | email | sms}
            set type <auth-type>
            set workstation <name_str>
    end
Variable: edit <username>
Description: Enter the user name. Enter a new name to create a new user account or enter an existing user name to edit that account.

Variable: auth-concurrent-override {enable | disable}
Description: Enable to override the policy-auth-concurrent setting in system global.
Default: disable

Variable: auth-concurrent-value <limit_int>
Description: Set the number of concurrent logins permitted from the same IP address. Range 1 to 100. 0 means no limit. This field is available if auth-concurrent-override is enabled.
Default: 0

Variable: ldap-server <servername>
Description: Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. See “ldap”. This is available when type is set to ldap.
Default: No default.

Variable: passwd <password_str>
Description: Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords. This is available when type is set to password.
Default: No default.

Variable: passwd-policy <policy_name>
Description: Optionally, select a password policy to apply to this user. Use user password-policy to create password policies.
Default: null

Variable: passwd-time <time_str>
Description: The time of last password update. (Read only).
Default: No default.

Variable: radius-server <servername>
Description: Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. See “radius”. This is available when type is set to radius.
Default: No default.

Variable: sms-custom-server <srv_name>
Description: Enter the custom server to use for SMS-based two-factor authentication. The server name must be defined first using the config system sms-server command. This field is available when two-factor is sms and sms-server is custom.
Default: No default.

Variable: sms-phone <phone_str>
Description: Enter the user’s phone number for SMS-based two-factor authentication.
Default: No default.

Variable: sms-server {fortiguard | custom}
Description: Select FortiGuard or custom SMS server for SMS-based two-factor authentication. This field is available when two-factor is sms.
Default: fortiguard

Variable: status {enable | disable}
Description: Enter enable to allow the local user to authenticate with the FortiGate unit.
Default: enable

Variable: tacacs+-server <servername>
Description: Enter the name of the TACACS+ server with which the user must authenticate. You can only select a TACACS+ server that has been added to the list of TACACS+ servers. See “tacacs+”. This is available when type is set to tacacs+.
Default: No default.

Variable: two-factor {disable | fortitoken | email | sms}
Description: Enable two-factor authentication through FortiToken, email, or SMS.
Default: disable

Variable: type <auth-type>
Description: Enter one of the following to specify how this user’s password is verified:
    ldap: The LDAP server specified in ldap-server verifies the password.
    password: The FortiGate unit verifies the password against the value of passwd.
    radius: The RADIUS server specified in radius-server verifies the password.
    tacacs+: The TACACS+ server specified in tacacs+-server verifies the password.
Default: No default.

Variable: workstation <name_str>
Description: Enter the user’s workstation name if you want to permit the user to authenticate only from a particular workstation. This is available when type is ldap.
Default: null
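
As an added example (not Fortinet's code), the following Python script reads the config user local block from a saved configuration and flags enabled accounts of type password that leave two-factor at its default of disable or have no passwd-policy. The sample text, its layout (quoted names, next between entries) and the two review rules are assumptions for illustration.

```python
import re

# Constructed sample (not from a real device). The layout with quoted names
# and "next" between entries is an assumption about the saved configuration.
SAMPLE = '''config user local
    edit "alice"
        set type password
        set passwd-policy "strong"
        set two-factor sms
        set sms-phone "+15550100"
    next
    edit "bob"
        set type password
    next
    edit "carol"
        set type password
        set status disable
    next
end
'''

# Defaults taken from the variable descriptions on this page.
DEFAULTS = {"status": "enable", "two-factor": "disable"}

def parse_local_users(text):
    """Return {username: {field: value}} for the config user local block only."""
    users, current, inside = {}, None, False
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok == ["config", "user", "local"]:
            inside = True
        elif tok == ["end"]:
            inside, current = False, None
        elif inside and len(tok) >= 2 and tok[0] == "edit":
            current = users.setdefault(tok[1], dict(DEFAULTS))
        elif len(tok) >= 3 and tok[0] == "set" and current is not None:
            current[tok[1]] = " ".join(tok[2:])
    return users

def audit(users):
    """Hypothetical review rules: returns sorted (username, finding) pairs."""
    out = []
    for name, u in users.items():
        if u["status"] != "enable" or u.get("type") != "password":
            continue  # disabled, or password is verified by a remote server
        if u["two-factor"] == "disable":
            out.append((name, "two-factor disabled"))
        if "passwd-policy" not in u:
            out.append((name, "no passwd-policy"))
    return sorted(out)
```

Calling audit(parse_local_users(SAMPLE)) reports only bob: carol is skipped because status is disable, and alice has both a password policy and SMS two-factor.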