Technical Tip: Explanation of 'Match all users on remote server' setting
Description
This article describes 'Match all users on remote server' administrator settings on FortiManager and FortiAnalyzer.
Scope
FortiAnalyzer.
Solution
- Given local users a.admin, b.admin and c.admin with RADIUS enabled on FortiAuthenticator:

- On FortiAnalyzer, a remote authentication server named 'FAC' is created and a new administrator 'FAC' is created with 'Match all users on remote server' enabled.


- Note that 'a.admin' and 'b.admin' will be able to log in to FortiAnalyzer and get assigned to the 'FAC' admin template.
FAZVM64 # diagnose system admin-session list
*** entry 0 ***
session_id: 35411 (seq: 0)
username: a.admin
admin template: FAC
from: GUI(192.168.244.169) (type 0)
profile: Super_User (type 3)
adom: root
session length: 170 (seconds)
*** entry 1 ***
session_id: 10077 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 19 (seconds)
idle: 5 (seconds)
- Next, create a new administrator 'a.admin' with the Standard_User profile and access to 'a_adom' only, and select 'Match all users on remote server'.


- When logging in as 'a.admin', the admin profile is still 'Super_User' and the user can access all ADOMs.
*** entry 1 ***
session_id: 541 (seq: 0)
username: a.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 152 (seconds)
idle: 39 (seconds)
- Uncheck 'Match all users on remote server' for 'a.admin'. 'a.admin' will be assigned to the 'a.admin' admin template and will only be able to access 'a_adom'.
*** entry 1 ***
session_id: 17948 (seq: 0)
username: a.admin
admin template: a.admin
from: GUI(192.168.244.169) (type 1)
profile: Standard_User (type 2)
adom: a_adom
session length: 86 (seconds)
idle: 62 (seconds)
- 'b.admin' and 'c.admin' can still log in and are assigned the 'Super_User' profile.
*** entry 2 ***
session_id: 29427 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 59 (seconds)
idle: 37 (seconds)
*** entry 3 ***
session_id: 47111 (seq: 0)
username: c.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 15 (seconds)
idle: 6 (seconds)
- Next, create a new administrator 'FAC_restricted' with the admin profile 'Restricted_User' and specify access to the 'root' ADOM only.


- Note that 'b.admin' and 'c.admin' will still be assigned to the 'FAC' admin template.
*** entry 1 ***
session_id: 13225 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 48 (seconds)
idle: 36 (seconds)
*** entry 2 ***
session_id: 47175 (seq: 0)
username: c.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 34 (seconds)
idle: 20 (seconds)
- Now move 'FAC_restricted' above 'FAC' in the administrator list.

- Note that 'b.admin' and 'c.admin' will now be assigned to the 'FAC_restricted' admin template and can only access the 'root' ADOM. 'a.admin' will still be assigned to the 'a.admin' template.
*** entry 1 ***
session_id: 755 (seq: 0)
username: a.admin
admin template: a.admin
from: GUI(192.168.244.169) (type 1)
profile: Standard_User (type 2)
adom: a_adom
session length: 77 (seconds)
idle: 63 (seconds)
*** entry 2 ***
session_id: 1727 (seq: 0)
username: b.admin
admin template: FAC_restricted
from: GUI(192.168.244.169) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 63 (seconds)
idle: 4 (seconds)
*** entry 3 ***
session_id: 16953 (seq: 0)
username: c.admin
admin template: FAC_restricted
from: GUI(192.168.244.169) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 47 (seconds)
idle: 4 (seconds)
Note: The order of the administrators for which 'Match all users on remote server' is enabled is very important.
Make sure to check the order by running the CLI command 'get system admin user' or 'show system admin user'. The order visible in the GUI may differ from the actual order in the CLI.
- In conclusion, FortiManager / FortiAnalyzer will first match the exact same username specified on the LDAP server (if 'Match all users on remote server' is not selected).
Afterwards, it will match all users specified in the Distinguished Name field on the remote server, from top to bottom (if 'Match all users on remote server' is selected).
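The following Python is an added example, not Fortinet code: it models the resolution order described above (exact-name entry first, then the first 'Match all users on remote server' entry in CLI order) and includes a small audit helper that lists remote users who only receive Super_User through a match-all entry. The admin names, profiles and ADOMs are constructed from the article's scenario; that a match-all entry only applies to users of its own remote server is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AdminEntry:
    name: str                # admin template name ('admin template:' in the session list)
    remote_server: str       # remote authentication server the entry belongs to (assumption)
    profile: str             # Super_User, Standard_User, Restricted_User, ...
    adoms: tuple             # ADOMs the entry may access; ('all',) means every ADOM
    match_all: bool = False  # 'Match all users on remote server'

def resolve_template(username: str, server: str, admins: list) -> Optional[AdminEntry]:
    """Admin entry a remote user authenticated by `server` lands on.
    1. An entry named exactly like the user, with match-all disabled, wins.
    2. Otherwise the first match-all entry for that server, in admin-list (CLI) order.
    3. Otherwise None: no administrator matches."""
    for entry in admins:
        if entry.remote_server == server and not entry.match_all and entry.name == username:
            return entry
    for entry in admins:
        if entry.remote_server == server and entry.match_all:
            return entry
    return None

def wildcard_super_users(usernames: list, server: str, admins: list) -> list:
    """Audit helper: users who receive Super_User only through a match-all entry."""
    flagged = []
    for user in usernames:
        entry = resolve_template(user, server, admins)
        if entry is not None and entry.match_all and entry.profile == "Super_User":
            flagged.append(user)
    return flagged

# Constructed admin lists mirroring the article's scenario, in CLI order.
FAC = AdminEntry("FAC", "FAC", "Super_User", ("all",), match_all=True)
A_ADMIN = AdminEntry("a.admin", "FAC", "Standard_User", ("a_adom",))
FAC_RESTRICTED = AdminEntry("FAC_restricted", "FAC", "Restricted_User", ("root",), match_all=True)
BEFORE_REORDER = [FAC, A_ADMIN, FAC_RESTRICTED]  # 'FAC' above 'FAC_restricted'
AFTER_REORDER = [FAC_RESTRICTED, FAC, A_ADMIN]   # 'FAC_restricted' moved above 'FAC'

if __name__ == "__main__":
    users = ["a.admin", "b.admin", "c.admin"]
    for user in users:
        before = resolve_template(user, "FAC", BEFORE_REORDER)
        after = resolve_template(user, "FAC", AFTER_REORDER)
        print(f"{user}: {before.name}/{before.profile} -> {after.name}/{after.profile}")
    print("Super_User via match-all before reorder:", wildcard_super_users(users, "FAC", BEFORE_REORDER))
```

Running the audit helper against the exported admin list after every change to the administrator order is a quick way to catch a match-all entry that silently grants Super_User to every account on the remote server.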
