Local and remote users

Local and remote users

Local and remote users are defined on the FortiGate unit in User & Device > User > User Definition.

Create New    Creates a new user account. When you select Create New, you are automatically redirected to the User Creation Wizard.

Edit User    Modifies a user’s account settings. When you select Edit, you are automatically redir- ected to the Edit User page.

Delete     Removes a user from the list. Removing the user name removes the authentication configured for the user.

The Delete icon is not available if the user belongs to a user group.

To remove multiple local user accounts from within the list, on the User page, in each of the rows of user accounts you want removed, select the check box and then select Delete.

To remove all local user accounts from the list, on the User page, select the check box in the check box column and then select Delete.

User Name     The user name. For a remote user, this username must be identical to the username on the authentication server.

Type         Local indicates a local user authenticated on the FortiGate unit. For remote users, the type of authentication server is shown: LDAP, RADIUS, or TACACS+.

Two-factor

Authentication         Indicates whether two-factor authentication is configured for the user.

Ref.            Displays the number of times this object is referenced by other objects. Select the number to open the Object Usage window and view the list of referring objects. The

list is grouped into expandable categories, such as Firewall Policy. Numbers of objects are shown in parentheses.

To view more information about the referring object, use the icons:

  • View the list page for these objects – available for object categories. Goes to the page where the object is listed. For example, if the category is User Groups, opens User Groups list.
  • Edit this object – opens the object for editing.
  • View the details for this object – displays current settings for the object.

 

To create a local or remote user account – web-based manager:

1. Go to User & Device > User > User Definition and select Create New.

2. On the Choose User Type page select:

Local User                                 Select to authenticate this user using a password stored on the FortiGate unit.

Remote RADIUS User Remote TACACS+ User Remote LDAP User

To authenticate this user using a password stored on an authentication server, select the type of server and then select the server from the list. You can select only a server that has already been added to the FortiGate unit configuration.

3. Select Next and provide user authentication information.

For a local user, enter the User Name and Password.

For a remote user, enter the User Name and the server name.

4. Select Next and enter Contact Information.

If email or SMS is used for two-factor authentication, provide the email address or SMS cell number at which the user will receive token password codes. If a custom SMS service is used, it must already be configured in System

Config > Advanced >SMS Service. See FortiToken on page 481.

5. Select Next, then on the Provide Extra Info page enter

 

Two-factor Authentication       Select to enable two-factor authentication. Then select the Token (FortiToken or FortiToken Mobile) for this user account. See Associating FortiTokens with accounts on page 485.

User Group                                Select the user groups to which this user belongs.

6. Select Create.

 

To create a local user – CLI example:

Locally authenticated user

config user local edit user1

set type password

set passwd ljt_pj2gpepfdw end

 

To create a remote user – CLI example:

config user local edit user2

set type ldap

set ldap_server ourLDAPsrv end

For a RADIUS or TACACS+ user, set type to radius or tacacs+, respectively.

 

To create a user with FortiToken Mobile two-factor authentication – CLI example:

config user local

edit user5

set type password

set passwd ljt_pj2gpepfdw set two_factor fortitoken set fortitoken 182937197

end

Remote users are configured for FortiToken two-factor authentication similarly.

 

To create a user with SMS two-factor authentication using FortiGuard messaging Service – CLI example:

config user local edit user6

set type password

set passwd 3ww_pjt68dw set two_factor sms

set sms-server fortiguard set sms-phone 1365984521

end

 

Removing users

Best practices dictate that when a user account is no longer in use, it should be deleted. Removing local and remote users from FortiOS involve the same steps.

If the user account is referenced by any configuration objects, those references must be removed before the user can be deleted. See Removing references to users on page 477.

To remove a user from the FortiOS configuration – web-based manager:

1. Go to User & Device > User > User Definition.

2. Select the check box of the user that you want to remove.

3. Select Delete.

4. Select OK.

 

To remove a user from the FortiOS configuration – CLI example:

config user local delete user4444

end

 

Removing references to users

You cannot remove a user that belongs to a user group. Remove the user from the user group first, and then delete the user.

 

To remove references to a user – web-based manager

1. Go to User & Device > User > User Definition.

2. If the number in the far right column for the selected user contains any number other than zero, select it.

3. A more detailed list of object references to this user is displayed. Use its information to find and remove these references to allow you to delete this user.

 

This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Local and remote users

  1. AldenChevez

    Hi! I have a small customer (around 50 employees) we want to use captive portal to authenticate local users through WiFi. Is there a way to upload a CSV file (or similar) with all the information? One more question.. Once users are authenticated, how long does the session last? I mean how long does it take for them to authenticate again? Is this configurable? Thanks in advance Guru!

    Reply
    1. Mike Post author

      I have never used a CSV though you can script the process through the CLI. create a demo user and then backup the config. Find the user reference in the config file and replicate that CLI command for the employees. For 50 employees you could probably manually script it in 5 minutes or so.

      The time before expiration of authentication can be edited on the Gate itself. So it is up to you.

      Reply
    1. Mike Post author

      People use the FortiToken and FortiAuthenticator for multi factor a lot. I used authlite but you damn near had to hack the AD setup to make it work.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.