colivero (Staff)
August 1, 2018

Technical Tip: FortiGate: Admin login with remote RADIUS and VDOM access profile

Description

This article describes how to control the VDOM assigned to a remote admin user at login, using the VDOM attribute returned by the RADIUS server when the admin authenticates to FortiGate.

 

Scope

FortiGate, FortiAuthenticator.

 

Solution

  • Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).

To return a specific group membership, access profile and VDOM, the Fortinet VSAs 1, 6 and 3 must be set. The relevant entries from the Fortinet RADIUS dictionary are:

VENDOR    fortinet                  12356
ATTRIBUTE Fortinet-Group-Name       1   string
ATTRIBUTE Fortinet-Access-Profile   6   string
ATTRIBUTE Fortinet-Vdom-Name        3   string

 

In this example:

Attribute 1 is set to remote_admins.
Attribute 6 is set to Super_admin.
Attribute 3 is set to vdomtest1.

A list of all of Fortinet's VSAs is available in this article: Technical Tip: Fortinet's RADIUS Dictionary and VSAs (latest).

 

  • Create a user group on FortiGate.

Go to User & Device -> User -> User Group and create a Firewall group.

Create a new Remote Server entry and add the RADIUS server.

In the Groups field, include the string that was configured as attribute 1 on the RADIUS server. In this example, the string used was 'group'.

Name: Remote_Admin
Remote group:
    Remote Server: fac.fortiad.net
    Group Name: group

 

  • A VDOM must already be configured as a prerequisite for this example. See the related article on how to set up VDOMs in FortiGate.

 

Next steps:

Create an admin user in FortiGate:

  1. Go to System -> Administrators -> Create new -> Select Administrators.
  2. Create a new admin with the type 'Match all users in a remote server group'.
  3. Select the User Group.
  4. Select the super_admin profile as an Administrator profile.

config system admin
    edit "admin_it"
        set radius-vdom-override enable    <---- required; available only in the CLI
    next
end

The radius-vdom-override setting is only available in the CLI and must be enabled on the admin account: without it the VDOM returned by the RADIUS server is ignored and the VDOM override function will not work.

 

Log in to FortiGate using the new RADIUS user.

The FortiAuthenticator RADIUS debug output shows the Fortinet attributes returned in the Access-Accept, including the VDOM for this admin:

2024-11-04T17:37:22.498844+02:00 fac radiusd[3512]: (7) Sent Access-Accept Id 58 from 192.168.2.100:1812 to 192.168.2.254:18184 length 87
2024-11-04T17:37:22.498875+02:00 fac radiusd[3512]: (7) Message-Authenticator := 0x00
2024-11-04T17:37:22.498885+02:00 fac radiusd[3512]: (7) Fortinet-Group-Name += "group"
2024-11-04T17:37:22.498895+02:00 fac radiusd[3512]: (7) Fortinet-Access-Profile += "super_admin"
2024-11-04T17:37:22.498912+02:00 fac radiusd[3512]: (7) Fortinet-Vdom-Name += "vdomtest1"
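The dictionary entries above and the three Fortinet attributes in this Access-Accept are the same data on the wire. The following Python, added here as an example and not part of the original article or of any Fortinet tool, encodes them as RFC 2865 Vendor-Specific attributes and decodes them back, so an administrator can verify from a captured reply whether the server actually returned a Fortinet-Vdom-Name; the values are the ones from this example and the function names are my own.

```python
import struct

FORTINET_VENDOR_ID = 12356      # VENDOR fortinet 12356, from the dictionary entry above
RADIUS_VENDOR_SPECIFIC = 26     # RFC 2865 attribute type carrying all VSAs
VSA_NAMES = {1: "Fortinet-Group-Name", 3: "Fortinet-Vdom-Name", 6: "Fortinet-Access-Profile"}
VSA_TYPES = {name: num for num, name in VSA_NAMES.items()}
ARTICLE_VSAS = ("Fortinet-Group-Name", "Fortinet-Access-Profile", "Fortinet-Vdom-Name")

def encode_fortinet_vsa(name: str, value: str) -> bytes:
    """Encode one Fortinet string VSA as a RADIUS Vendor-Specific attribute:
    type=26, length, vendor-id (4 bytes), vendor-type, vendor-length, value."""
    data = value.encode("utf-8")
    if len(data) > 245:  # 253-byte attribute maximum minus the 8 header bytes
        raise ValueError("VSA value too long for a single attribute")
    vendor_data = struct.pack("!BB", VSA_TYPES[name], 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vendor_data), FORTINET_VENDOR_ID) + vendor_data

def build_access_accept_attrs(group: str, profile: str, vdom: str) -> bytes:
    """Attribute list for this article's example reply (packet header and Message-Authenticator omitted)."""
    return (encode_fortinet_vsa("Fortinet-Group-Name", group)
            + encode_fortinet_vsa("Fortinet-Access-Profile", profile)
            + encode_fortinet_vsa("Fortinet-Vdom-Name", vdom))

def decode_fortinet_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return the Fortinet VSAs found, keyed by dictionary name.
    Other attribute types and other vendors are skipped; inconsistent lengths raise ValueError."""
    found, pos = {}, 0
    while pos < len(attrs):
        hdr = attrs[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > len(attrs):
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = hdr
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 6 \
                and int.from_bytes(attrs[pos + 2:pos + 6], "big") == FORTINET_VENDOR_ID:
            vpos, vend = pos + 6, pos + alen
            while vpos < vend:  # one attribute may carry several vendor sub-attributes
                vhdr = attrs[vpos:vpos + 2]
                if len(vhdr) < 2 or vhdr[1] < 2 or vpos + vhdr[1] > vend:
                    raise ValueError(f"malformed vendor sub-attribute at offset {vpos}")
                vtype, vlen = vhdr
                name = VSA_NAMES.get(vtype, f"Fortinet-VSA-{vtype}")
                found[name] = attrs[vpos + 2:vpos + vlen].decode("utf-8", "replace")
                vpos += vlen
        pos += alen
    return found

def missing_for_vdom_override(found: dict) -> list:
    """The article's three VSAs that a decoded reply lacks; empty means the reply carries all of them."""
    return [name for name in ARTICLE_VSAS if name not in found]
```

A reply in which missing_for_vdom_override reports Fortinet-Vdom-Name is the RADIUS-side reason an admin lands in the wrong VDOM; if the attribute is present, check radius-vdom-override on the FortiGate side instead.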

 

Related document:

Multi VDOM configuration examples