Technical Tip: How to override administrator profile in FortiMail using RADIUS authentication (FortiAuthenticator)
| Description | This article describes how to override an administrator profile via RADIUS attributes when using a remote_wildcard admin account, using FortiAuthenticator as a RADIUS server. |
| Scope | FortiMail. |
| Solution | The 'remote_wildcard' account is an administrator account that can be configured to use authentication profiles for LDAP or RADIUS servers; all accounts authenticated through this profile will be able to log in to the FortiMail as administrators. By default, all users authenticated through the RADIUS profile log in using the remote_wildcard account and have the same permissions (Admin Profile), but sometimes it is necessary to assign different permission levels depending on user credentials. This can be achieved by enabling the option 'Enable remote access override' in the RADIUS Profile (Profile -> Authentication -> RADIUS):
In this case, FortiMail is configured with the Admin Profiles adminprof1 and adminprof2 with different permission levels, to be assigned to different RADIUS users (raduser1 and raduser2):
After creating the profile, navigate to System -> Administrator and create a Wildcard Admin. The administrator account is assigned the super_admin_prof profile. When Enable Remote Access Override is configured, the default super_admin_prof will be replaced by adminprof1 or adminprof2, respectively, according to the configuration defined on the RADIUS server.
The RADIUS server should be configured to send an attribute (FortiMail is expecting attribute ID=6, Fortinet-Access-Profile - see Technical Tip: Fortinet's RADIUS Dictionary and VSAs (latest)), with the name of the Admin Profile to use.
In the FortiAuthenticator, add the RADIUS attribute according to the Admin Profile required for each user:
When the users log in to the FortiMail, each one will be assigned the Admin Profile sent by the RADIUS Server, regardless of the Admin Profile assigned to the remote_wildcard account:
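If a RADIUS user does not have the RADIUS attribute configured, or the attribute does not match any existing Admin Profile, the user will get the Admin Profile assigned to the remote_wildcard account. In the configuration shown here, that fallback is super_admin_prof, so a user without a valid attribute receives that profile. |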
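The following is an added example, not part of the original article or Fortinet code: a small Python check that extracts Fortinet-Access-Profile (vendor ID 12356, attribute ID 6) from a RADIUS Access-Accept and applies the fallback rule described above, so that a missing or mistyped attribute is flagged before it silently resolves to the wildcard account's profile. The function names, the constructed sample packet, and the exact-match comparison of profile names are assumptions.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
ACCESS_PROFILE_ID = 6        # Fortinet-Access-Profile, the attribute ID named above
VENDOR_SPECIFIC = 26         # RADIUS Vendor-Specific attribute type (RFC 2865)

def tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def access_profile(packet):
    """Return the Fortinet-Access-Profile string in a RADIUS packet, or None."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    for atype, value in tlvs(packet[20:length]):   # skip header + authenticator
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        for vtype, vvalue in tlvs(value[4:]):      # sub-attributes inside the VSA
            if vtype == ACCESS_PROFILE_ID:
                return vvalue.decode("utf-8", "replace")
    return None

def effective_profile(packet, existing_profiles, wildcard_profile):
    """Apply the article's fallback rule; returns (profile, fell_back)."""
    sent = access_profile(packet)
    if sent is not None and sent in existing_profiles:   # assumed exact match
        return sent, False
    return wildcard_profile, True

def sample_accept(profile=None):
    """Constructed Access-Accept (code 2) with a zeroed authenticator, for testing."""
    attrs = b""
    if profile is not None:
        vsa = bytes([ACCESS_PROFILE_ID, 2 + len(profile)]) + profile.encode()
        attrs = (bytes([VENDOR_SPECIFIC, 6 + len(vsa)])
                 + struct.pack("!I", FORTINET_VENDOR_ID) + vsa)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs
```

A `fell_back` value of `True` for a user who should have a restricted profile indicates the attribute is missing or misspelled on the RADIUS server.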






