subramanis
Staff
February 18, 2026

Technical Tip: Overriding FortiGate administrator profiles using RADIUS authentication via FortiAuthenticator

Description:
This article describes how to override an administrator profile via RADIUS attributes when using a remote wildcard admin account, with FortiAuthenticator acting as the RADIUS server.

Scope:
FortiGate.

Solution:

A 'wildcard' administrator account is defined manually on the FortiGate and configured to authenticate against an external authentication server. Users authenticated through such a server (LDAP or RADIUS) are treated as wildcard administrators: any user who successfully authenticates through the associated authentication profile is granted administrative access to the FortiGate.

By default, all users authenticated through a RADIUS authentication profile log in through the wildcard administrator account ('Wildcard' in this example). As a result, they inherit the administrator profile and permission level assigned to that account, so every such user holds identical administrative privileges regardless of their individual credentials.

Where different users require different permission levels, FortiGate provides a mechanism to override this default behavior: 'set accprofile-override enable' on the wildcard admin account. When this option is enabled, FortiGate assigns the administrator profile dynamically, based on the attribute returned by the RADIUS server.

This allows granular control over administrative permissions, ensuring users receive access levels appropriate to their roles while still authenticating via a centralized RADIUS infrastructure.

RADIUS configuration:

[Screenshot: RADIUS server configuration]


RADIUS admin group 'Remote-AD-admins':

[Screenshot: RADIUS admin group 'Remote-AD-admins']


The default administrative profile, 'Engineering_Profile', is assigned to all remote wildcard administrator accounts:

[Screenshot: default administrator profile 'Engineering_Profile']


config system admin
    edit "Wildcard"
        set remote-auth enable
        set accprofile "Engineering_Profile"
        set vdom "LAN" "MGMT" "root"
        set wildcard enable
        set remote-group "Remote-AD-admins"
        set accprofile-override enable
    next
end

The FortiAuthenticator user group 'Firewall Admin' contains two users: aduser1 and aduser2.


[Screenshot: FortiAuthenticator user group 'Firewall Admin']

The objective is to assign the 'Engineering_Profile' admin profile to aduser2, while assigning the default 'super_admin' profile to aduser1.

The per-user profile is assigned by FortiAuthenticator through the RADIUS attribute it returns, and this overrides the group-level default configured on FortiGate.

[Screenshot: FortiAuthenticator RADIUS attribute assignment]

User aduser1 has the RADIUS attribute Fortinet-Access-Profile explicitly set to super_admin. During authentication, FortiGate receives this attribute in the RADIUS response and assigns the user the corresponding super_admin access profile.

User aduser2 does not have the Fortinet-Access-Profile RADIUS attribute configured. As a result, no role information is passed to FortiGate during authentication. In this case, FortiGate applies the default access profile, which is configured as Engineering_Profile, based on the RADIUS user/group mapping.

[Screenshot 1]

[Screenshot 2]

Note that the accprofile name configured on the FortiGate must match the value returned in the RADIUS attribute 'Fortinet-Access-Profile'.

[Screenshot: packet capture of the RADIUS response]

In the capture snippet above, the returned value is 'Limited_Privilege', which does not match the profile 'Engineering_Profile'; hence, in this case, the profile would not be overridden.
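The three outcomes described above (attribute returned and matching a configured profile, attribute absent, attribute returned but not matching) can be reproduced outside the firewall. The following Python is an added example, not code from this article or from any Fortinet product: it decodes Fortinet-Access-Profile from the attribute section of a RADIUS Access-Accept (Vendor-Specific attribute 26, Fortinet enterprise number 12356, vendor type 6) and selects the effective profile; the packet bytes, user names and profile set are constructed for the demonstration.

```python
import struct
# Added example (not from the article or Fortinet): decode Fortinet-Access-Profile
# and choose the effective admin profile as described for the wildcard admin.
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute
FORTINET_VENDOR_ID = 12356       # Fortinet IANA enterprise number
FORTINET_ACCESS_PROFILE = 6      # vendor-type of Fortinet-Access-Profile

def parse_attributes(payload: bytes):
    """Walk the type/length/value list that follows the 20-byte RADIUS header."""
    attrs, pos = [], 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def fortinet_access_profile(payload: bytes):
    """Return the Fortinet-Access-Profile string in the Access-Accept, or None if absent."""
    for atype, value in parse_attributes(payload):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]          # vendor data is itself a TLV
        if vtype == FORTINET_ACCESS_PROFILE and vlen == len(value) - 4:
            return value[6:4 + vlen].decode("ascii", errors="replace")
    return None

def effective_profile(payload: bytes, default_profile: str,
                      configured_profiles, override_enabled: bool = True) -> str:
    """default_profile is the wildcard admin's 'set accprofile'; the returned name only wins
    when accprofile-override is enabled and it matches a profile defined on the FortiGate."""
    returned = fortinet_access_profile(payload)
    return returned if override_enabled and returned in configured_profiles else default_profile

def build_access_profile_vsa(profile: str) -> bytes:
    """Constructed helper: encode the VSA the way a RADIUS server places it in Access-Accept."""
    data = profile.encode("ascii")
    vendor_tlv = bytes([FORTINET_ACCESS_PROFILE, len(data) + 2]) + data
    vsa = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_tlv
    return bytes([ATTR_VENDOR_SPECIFIC, len(vsa) + 2]) + vsa

if __name__ == "__main__":
    profiles = {"super_admin", "Engineering_Profile"}   # profiles defined on the FortiGate
    for user, payload in [("aduser1", build_access_profile_vsa("super_admin")),
                          ("aduser2", b"\x01\x09aduser2"),   # User-Name only, no VSA
                          ("other", build_access_profile_vsa("Limited_Privilege"))]:
        print(user, "->", effective_profile(payload, "Engineering_Profile", profiles))
```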