Chapter 3 Authentication for FortiOS 5.0 : Users and user groups : User groups : Firewall user groups : Configuring a firewall user group
  
Configuring a firewall user group
A user group can contain:
local users, whether authenticated by the FortiGate unit or an authentication server
PKI users
FSSO users - see “Creating Fortinet Single Sign-On (FSSO) user groups”
authentication servers, optionally specifying particular user groups on the server
To create a firewall user group - web-based manager
1. Go to User & Device > User > User Groups and select Create New.
2. Enter a name for the user group.
3. In Type, select Firewall.
4. From the Available Users list, select users and then select the right arrow button to move the names to the Members list.
If you select an authentication server as a group member, by default all user accounts on the authentication server are members of this FortiGate user group. Follow steps 5 through 8 if you want to include only specific user groups from the authentication server. Otherwise, select OK.
5. Select Add.
6. To add a remote authentication server, select Add and select the authentication server from the drop down Remote Server list.
The option to add remote servers is available only if at least one remote server has been configured.
7. In the Group Name field, either select Any to match all possible groups, or select Specify and enter the group name in the appropriate format for the type of server.
For example, an LDAP server requires LDAP distinguished-name format, such as: cn=users,dc=office,dc=example,dc=com
8. Repeat steps 5 through 7 to add all the authentication server user groups that are required.
9. Select OK.
To create a firewall user group - CLI example
In this example, the members of accounting_group are User1 and all of the members of rad_accounting_group on the external RADIUS server myRADIUS.
config user group
    edit accounting_group
        set group-type firewall
        set member User1 myRADIUS
        config match
            edit 0
                set server-name myRADIUS
                set group-name rad_accounting_group
        end
    end
 
Matching user group names from an external authentication server might not work if the list of group memberships for the user is longer than 8000 bytes. Group names beyond this limit are ignored.
server-name is the name of the RADIUS, LDAP, or TACACS+ server. The server must already be configured as a remote server on the FortiGate unit and must be listed as a member of this group before it can be used in a match entry.
group-name is the name of the group on the RADIUS, LDAP, or TACACS+ server, such as “engineering” or “cn=users,dc=test,dc=com”.
Before using group matching with TACACS+, you must first enable authorization on the TACACS+ server entry. For example, if you have a configured TACACS+ server called myTACS, use the following CLI commands.
config user tacacs+
    edit myTACS
        set authorization enable
    next
end
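As an added example (not Fortinet code or CLI output), the Python script below parses the config/edit/set/next/end layout shown in this section and audits firewall user groups for the two pitfalls described above: a remote authentication server listed as a member with no config match entry, which makes every account on that server a member of the group, and a TACACS+ server used for group matching without set authorization enable. The parser, the audit rules, the run_audit helper and the sample configuration (the accounting_group block from this section plus constructed sales_group and ops_group entries) are all assumptions of this example, not part of FortiOS.

```python
import shlex

def parse_fortios_cli(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts:
    {table: {entry: {"set": {key: [values]}, "config": {subtable: ...}}}}.
    An 'end' right after 'set' lines also closes the open entry (the form used
    in the accounting_group example above); repeated tables are merged."""
    root, stack = {}, []                      # frames: ("table", d) / ("entry", d)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        top = stack[-1] if stack else (None, root)
        if kw == "config" and top[0] != "table":
            owner = top[1]["config"] if top[0] == "entry" else root
            stack.append(("table", owner.setdefault(" ".join(args), {})))
        elif kw == "edit" and top[0] == "table":
            entry = top[1].setdefault(" ".join(args), {"set": {}, "config": {}})
            stack.append(("entry", entry))
        elif kw == "set" and top[0] == "entry":
            top[1]["set"][args[0]] = args[1:]
        elif kw == "unset" and top[0] == "entry":
            top[1]["set"].pop(args[0], None)
        elif kw == "next" and top[0] == "entry":
            stack.pop()
        elif kw == "end" and top[0] is not None:
            if top[0] == "entry":
                stack.pop()                   # implicit 'next'
            stack.pop()
        else:
            raise ValueError(f"unexpected line in this context: {line!r}")
    if stack:
        raise ValueError("unterminated config block")
    return root

SERVER_TABLES = ("user radius", "user ldap", "user tacacs+")

def audit_user_groups(cfg):
    """Return [(group, message)] for firewall groups that admit every account on a
    remote server, match a server that is not a member, or match a TACACS+ server
    on which 'set authorization enable' has not been run."""
    servers = {name: (table, entry) for table in SERVER_TABLES
               for name, entry in cfg.get(table, {}).items()}
    findings = []
    for gname, group in cfg.get("user group", {}).items():
        if group["set"].get("group-type", ["firewall"]) != ["firewall"]:
            continue
        members = group["set"].get("member", [])
        matches = group["config"].get("match", {}).values()
        matched = {m["set"].get("server-name", [None])[0] for m in matches}
        for srv in members:
            if srv in servers and srv not in matched:
                findings.append((gname, f"{srv}: no match entry, so every account on the server is a member"))
        for srv in matched:
            if srv not in members:
                findings.append((gname, f"{srv}: match entry for a server that is not a group member"))
            elif servers.get(srv, ("",))[0] == "user tacacs+" \
                    and servers[srv][1]["set"].get("authorization") != ["enable"]:
                findings.append((gname, f"{srv}: TACACS+ group matching needs 'set authorization enable'"))
    return findings

# Constructed sample: the accounting_group block from the documentation, plus
# sales_group and ops_group added here to exercise the checks (server names
# are illustrative; group-type defaults to firewall when omitted).
SAMPLE_CONFIG = """
config user radius
    edit myRADIUS
    next
end
config user tacacs+
    edit myTACS
    next
end
config user group
    edit accounting_group
        set group-type firewall
        set member User1 myRADIUS
        config match
            edit 0
                set server-name myRADIUS
                set group-name rad_accounting_group
        end
    end
config user group
    edit sales_group
        set member myRADIUS
    next
    edit ops_group
        set member myTACS
        config match
            edit 0
                set server-name myTACS
                set group-name netops
            next
        end
    next
end
"""

def run_audit(text=SAMPLE_CONFIG):
    """Parse the CLI text and return the audit findings."""
    return audit_user_groups(parse_fortios_cli(text))
```

Run against the sample, accounting_group produces no finding, sales_group is flagged because myRADIUS has no match entry, and ops_group is flagged until the myTACS entry gets set authorization enable; feeding the script the output of show user group together with the show user radius/ldap/tacacs+ blocks from a real unit applies the same checks to a live configuration.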
For more information about user group CLI commands, see the Fortinet CLI Guide.