Grouping users
To denote which set of people is authorized to request specific URLs when configuring HTTP authentication offloading, you must create user groups.
A user group can include a mixture of local end-user accounts, LDAP queries, RADIUS queries, and NTLM queries. Therefore, on FortiWeb, a user group could be a set of accounts, or it could be a set of queries instead.
To configure a user group
1. Before you can configure a user group, you must first configure one or more local end-user accounts or queries to remote authentication servers. See:
“Configuring local end-user accounts”
“Configuring LDAP queries”
“Configuring RADIUS queries”
“Configuring NTLM queries”
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “Permissions”.
2. Go to User > User Group > User Group.
3. Click Create New.
A dialog appears.
4. In Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 35 characters.
5. In Auth Type, select one of the authentication types:
Basic — Clear text. This is the original and most compatible authentication scheme for HTTP. However, it is also the least secure as it sends the user name and password unencrypted to the server.
Digest — Encrypts the password and thus is more secure than basic authentication.
NTLM — Uses a proprietary protocol of Microsoft and is considered to be more secure than basic authentication.
6. Click OK.
The Create New button for this item, below its name, will no longer be greyed out, indicating that it has become available.
7. Click Create New.
A dialog appears that enables you to add members to the group.
8. In User Type, select the type of user or user query you want to add to the group. Available options vary with the setting for the group’s Auth Type option.
You can mix user types in the group. However, if the authentication rule’s Auth Type does not support a given user type, all user accounts of that type will be ignored, effectively disabling them.
9. From User Name, select the name of an existing user account, LDAP query, or RADIUS query. Available options vary by your selection in User Type.
10. Click OK.
11. Repeat the previous steps for each user or query that you want to add to the group.
12. Select the user group in an authorization rule (see “Applying user groups to an authorization realm”).
See also
Configuring local end-user accounts
Configuring LDAP queries
Configuring RADIUS queries
Configuring NTLM queries
Offloading HTTP authentication & authorization