Chapter 4 Authentication : Users and user groups : User groups : Firewall user groups : Configuring a firewall user group
  
Configuring a firewall user group
A user group can contain:
local users, whether authenticated by the FortiGate unit or an authentication server
PKI users
FSSO users - see “Creating Fortinet Single Sign-On (FSSO) user groups”
authentication servers, optionally specifying particular user groups on the server
To create a Firewall user group - web-based manager
1. Go to User & Device > User > User Groups and select Create New.
2. Enter a name for the user group.
3. In Type, select Firewall.
4. Add user names to the Members list.
5. Add authentication servers to the Remote groups list.
By default, all user accounts on the authentication server are members of this FortiGate user group. To include only specific user groups from the authentication server, deselect Any and enter the group name in the format appropriate for the type of server. For example, an LDAP server requires a distinguished name in LDAP format, such as: cn=users,dc=office,dc=example,dc=com
Remote servers must already be configured in User & Device > Authentication.
6. Select OK.
To create a firewall user group - CLI example
In this example, the members of accounting_group are User1 and all members of rad_accounting_group on the external RADIUS server myRADIUS.
config user group
    edit accounting_group
        set group-type firewall
        set member User1 myRADIUS
        config match
            edit 0
                set server-name myRADIUS
                set group-name rad_accounting_group
        end
end
 
Matching user group names from an external authentication server might not work if the list of group memberships for the user is longer than 8000 bytes. Group names beyond this limit are ignored.
server-name is the name of the RADIUS, LDAP, or TACACS+ server. That server must already be listed as a member of this group (see set member above) and must also be a configured remote server on the FortiGate unit.
group-name is the name of the group on the RADIUS, LDAP, or TACACS+ server, such as “engineering” or “cn=users,dc=test,dc=com”.
Before using group matching with TACACS+, you must first enable authorization on the TACACS+ server entry. For example, if you have a configured TACACS+ server called myTACS, use the following CLI commands.
config user tacacs+
    edit myTACS
        set authorization enable
    next
end
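The following script is an added illustration, not Fortinet code and not part of this handbook: it parses FortiOS-style CLI text and checks the two prerequisites for group matching stated above, namely that the server named in config match is also listed under set member, and that a TACACS+ server used for matching has authorization enabled. The configuration text, the server myTACS and the group eng_group are constructed sample input.

```python
import shlex

# Constructed FortiOS-style CLI text (not from a real device) with two planted
# faults: myTACS is matched on but not a member, and authorization is disabled.
SAMPLE_CONFIG = """
config user tacacs+
    edit "myTACS"
        set authorization disable
end
config user group
    edit "eng_group"
        set group-type firewall
        set member "User1"
        config match
            edit 0
                set server-name "myTACS"
                set group-name "engineering"
        end
    next
end
"""

def parse_cli(text):
    """Nest FortiOS CLI config/edit blocks into dicts ('end' also closes an open edit)."""
    root, stack = {}, []
    for words in filter(None, map(shlex.split, text.splitlines())):
        cur = root
        for _, key in stack:
            cur = cur[key]
        if words[0] in ("config", "edit"):
            stack.append((words[0], " ".join(words[1:])))
            cur.setdefault(stack[-1][1], {})
        elif words[0] == "set":
            cur[words[1]] = words[2:]
        elif words[0] == "next":
            stack.pop()
        elif words[0] == "end":  # closes the enclosing config table and any open edit
            while stack.pop()[0] != "config":
                pass
    return root

def check_groups(cfg):
    findings, tacacs = [], cfg.get("user tacacs+", {})
    for gname, grp in cfg.get("user group", {}).items():
        members = set(grp.get("member", []))
        for rule in grp.get("match", {}).values():
            server = rule.get("server-name", [""])[0]
            if server not in members:
                findings.append(f"{gname}: match server {server} is not in member list")
            if server in tacacs and tacacs[server].get("authorization") != ["enable"]:
                findings.append(f"{gname}: TACACS+ server {server} lacks 'set authorization enable'")
    return findings
```

Run check_groups(parse_cli(SAMPLE_CONFIG)) to see both planted faults reported; fixing the member list and the authorization setting yields an empty list.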
For more information about user group CLI commands, see the Fortinet CLI Guide.