Local and remote users
Local and remote users are defined on the FortiGate unit in User & Device > User > User Definition.
Create New
Creates a new user account. When you select Create New, you are automatically redirected to the User Creation Wizard.
Edit User
Modifies a user’s account settings. When you select Edit, you are automatically redirected to the Edit User page.
Delete
Removes a user from the list. Removing the user name removes the authentication configured for the user.
The Delete icon is not available if the user belongs to a user group.
To remove multiple local user accounts from within the list, on the User page, in each of the rows of user accounts you want removed, select the check box and then select Delete.
To remove all local user accounts from the list, on the User page, select the check box in the check box column and then select Delete.
User Name
The user name. For a remote user, this username must be identical to the username on the authentication server.
Type
Local indicates a local user authenticated on the FortiGate unit. For remote users, the type of authentication server is shown: LDAP, RADIUS, or TACACS+.
Two-factor Authentication
Indicates whether two-factor authentication is configured for the user.
Ref.
Displays the number of times this object is referenced by other objects. Select the number to open the Object Usage window and view the list of referring objects. The list is grouped into expandable categories, such as Firewall Policy. Numbers of objects are shown in parentheses.
To view more information about the referring object, use the icons:
View the list page for these objects – available for object categories. Goes to the page where the object is listed. For example, if the category is User Groups, opens User Groups list.
Edit this object – opens the object for editing.
View the details for this object – displays current settings for the object.
To create a local or remote user account - web-based manager
1. Go to User & Device > User > User Definition and select Create New.
2. On the Choose User Type page select:
Local User
Select to authenticate this user using a password stored on the FortiGate unit.
Remote RADIUS User
Remote TACACS+ User
Remote LDAP User
To authenticate this user using a password stored on an authentication server, select the type of server and then select the server from the list. You can select only a server that has already been added to the FortiGate unit configuration.
For more information, see
3. Select Next and provide user authentication information.
For a local user, enter the User Name and Password.
For a remote user, enter the User Name and the server name.
4. Select Next and enter Contact Information.
If email or SMS is used for two-factor authentication, provide the email address or SMS cell number at which the user will receive token password codes. If a custom SMS service is used, it must already be configured in System > Config > Messaging Servers. See “FortiToken”.
5. Select Next, then on the Provide Extra Info page enter:
Two-factor Authentication
Select to enable two-factor authentication. Then select the Token (FortiToken or FortiToken Mobile) for this user account. See “Associating FortiTokens with accounts”.
User Group
Select the user groups to which this user belongs.
6. Select Create.
 
 
To create a local user - CLI example
Locally authenticated user
config user local
edit user1
set type password
set passwd ljt_pj2gpepfdw
end
To create a remote user - CLI example
config user local
edit user2
set type ldap
set ldap_server ourLDAPsrv
end
For a RADIUS or TACACS+ user, set type to radius or tacacs+, respectively.
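As an added example that is not part of the Fortinet documentation: the remote user examples above require that the authentication server already exists in the FortiGate configuration (see step 2), so this block defines a RADIUS server first, then a remote user that authenticates against it, then the user group membership from step 5. The server name, IP address, shared secret, user name and group name are placeholders, and the radius_server keyword is assumed to follow the same form as the page's ldap_server keyword.

```text
# Added example, not from the Fortinet handbook. All names, the address and the
# secret below are placeholders; radius_server is assumed by analogy to ldap_server.
config user radius
    edit "radius-srv-example"
        set server 192.0.2.10
        set secret <shared-secret-placeholder>
end

config user local
    edit user3
        set type radius
        set radius_server "radius-srv-example"
end

config user group
    edit "remote-users-example"
        set member user3
end
```

The user name user3 must match the account name on the RADIUS server, since the FortiGate only forwards the credentials; the password itself is never stored locally for a remote user.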
To create a user with FortiToken Mobile two-factor authentication - CLI example
config user local
edit user5
set type password
set passwd ljt_pj2gpepfdw
set two_factor fortitoken
set fortitoken 182937197
end
Remote users are configured for FortiToken two-factor authentication similarly.
To create a user with email two-factor authentication - CLI example
config user local
edit user6
set type password
set passwd ljt_pj4h7epfdw
set two_factor email
set email-to user6@sample.com
end
Remote users are configured for email two-factor authentication similarly.
To create a user with SMS two-factor authentication - CLI example
config system sms-server
edit "Sample Mobile Inc"
set mail-server mail.sample.com
end
 
config user local
edit user7
set type password
set passwd 3ww_pjt68dw
set two_factor sms
set sms-server custom
set sms-custom-server "Sample Mobile Inc"
set sms-phone 2025551234
end