user : peer
 
peer
Use this command to add or edit peer (digital certificate holder) information. You use the peers you define here in the config vpn ipsec phase1 command if you specify peertype as peer. Also, you can add these peers to peer groups you define in the config user peergrp command.
For PKI user authentication, you can add or edit peer information and configure use of LDAP server to check access rights for client certificates.
This command refers to certificates imported into the FortiGate unit. You import CA certificates using the vpn certificate ca command. You import local certificates using the vpn certificate local command.
You can configure a peer user with no values in subject or ca. This user behaves like a user account or policy that is disabled.
 
If you create a PKI user in the CLI with no values in subject or ca, you cannot open the user record in the web‑based manager, or you will be prompted to add a value in Subject (subject) or CA (ca).
Syntax
config user peer
edit <peer_name>
set ca <ca_name>
set cn <cn_name>
set cn-type <type>
set ldap-mode {password | principal‑name}
set ldap-password <ldap_password>
set ldap-server <ldap_server>
set ldap-username <ldap_user>
set mandatory-ca-verify {enable | disable}
set ocsp-override-server <ocsp-name>
set passwd <password_str>
set subject <constraints>
set two-factor {enable | disable}
end
Variable
Description
Default
edit <peer_name>
Enter the peer name. Enter a new name to create a new peer or enter an existing peer name to edit that peer’s information.
 
ca <ca_name>
Enter the CA certificate name, as returned by execute vpn certificate ca list.
No default.
cn <cn_name>
Enter the peer certificate common name.
No default.
cn-type <type>
Enter the peer certificate common name type:
FQDN Fully-qualified domain name.
email — The user’s email address.
ipv4 — The user’s IP address (IPv4).
ipv6 — The user’s IP address (IPv6).
string — Any other piece of information.
string
ldap-mode {password | principal‑name}
Select mode for LDAP authentication.
password — use user name and password.
principal-name — use LDAP userPrincipalName attribute.
password
ldap-password <ldap_password>
Enter the login password for the LDAP server used to perform client access rights check for the defined peer.
No default.
ldap-server <ldap_server>
Enter the name of one of the LDAP servers defined under ‘config user ldap’ used to perform client access rights check for the defined peer.
null
ldap-username <ldap_user>
Enter the login name for the LDAP server used to perform client access rights check for the defined peer.
null
mandatory-ca-verify {enable | disable}
If the CA certificate is installed on the FortiGate unit, the peer certificate is checked for validity. The mandatory-ca-verify field determines what to do if the CA certificate is not installed:
enable — The peer cannot be authenticated.
disable — The peer certificate is automatically considered valid and authentication succeeds.
disable
ocsp-override-server <ocsp-name>
Enter the OCSP server to use to retrieve certificate. This applies if OCSP is enabled in vpn certificate setting.
null
passwd <password_str>
Enter the password that this peer uses for two-factor authentication. The is available when two-factor is enabled.
No default.
subject <constraints>
Optionally, enter any of the peer certificate name constraints.
No default.
two-factor {enable | disable}
Enable user to authenticate by password in addition to certificate authentication. Specify the password in passwd.
disable