sthampi_FTNT
Staff
March 21, 2019

Technical Note: How to configure workflow approval matrix on FortiManager using remote RADIUS admin

Description
The purpose of this document is to explain how to configure the Workflow approval matrix using one RADIUS server and two wildcard admins. One wildcard admin is used for session creation and the second wildcard admin is used for session approval.

The scenario is:
User A in Group A on RADIUS Server A will be able to approve sessions of User B in Group B on RADIUS Server A.
Solution
The following explains how to configure and validate the workflow approval matrix using remote RADIUS admins.

Configure only one RADIUS server on the FortiManager. Both wildcard admins below reference this same server, because FortiManager matches the group attribute returned by the RADIUS server against the wildcard admins bound to the server that authenticated the user.


Create two wildcard admins using the same RADIUS server, Win16:

- First wildcard admin – Log_on_FMG, which is part of the Workflow approval matrix
- Second wildcard admin – Log_on_FMG_2, which is not part of the Workflow approval matrix

show sys admin user Log_on_FMG
config system admin user
    edit "Log_on_FMG"
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package
        set user_type radius
        set radius_server "Win16"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-adom-override enable
        set ext-auth-group-match "fmg_faz_admin"
        config dashboard
            edit 1
                set name "System Information"
                set column 1
                set refresh-interval 0
                set tabid 1
                set widget-type sysinfo
            next
        end
    next
end

Configure the extended attributes for Log_on_FMG_2 with the group match set to Non_fmg_admin (this value will later be returned by the RADIUS server policy as a vendor-specific attribute, and it must match the ext-auth-group-match string exactly):

show sys admin user Log_on_FMG_2

config system admin user
    edit "Log_on_FMG_2"
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package
        set user_type radius
        set radius_server "Win16"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-adom-override enable
        set ext-auth-group-match "Non_fmg_admin"
        config dashboard
            edit 1
                set name "System Information"
            next
        end
    next
end

Configure the Windows RADIUS server with two users:

- Username: fortinet, a member of Group1 on the RADIUS server
- Username: fortinet2, a member of Group2 on the RADIUS server

Configure two policies on the RADIUS server so that when a user logs in with the username fortinet, the RADIUS server returns the following attributes: fmg_faz_admins (group name, compared against ext-auth-group-match), Super_User (access profile, applied because ext-auth-accprofile-override is enabled) and root (ADOM, applied because ext-auth-adom-override is enabled).


When a user logs in with the username fortinet2, the RADIUS server returns the following attributes: Non_fmg_admin, Super_User, root.

Now log in to the FortiManager with the username fortinet2, create a session and submit it.

Now log in to the FortiManager with the username fortinet and approve the session created by fortinet2.
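As an added example (not part of the original note and not Fortinet code), the following Python script parses `show system admin user` output in the form shown above, works out which wildcard admin a RADIUS user resolves to, and then checks that the creator and approver groups land on two different admins with only the approver in the approval matrix. The sample CLI output, the group strings and the rule that the returned group attribute must equal the ext-auth-group-match string exactly are constructed for this example; the set of approver admins is passed in by hand because the approval matrix itself is not visible in the CLI output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two wildcard admins from the note, trimmed to the
# attributes that matter for RADIUS matching (plus sub-tables to exercise nesting).
SHOW_OUTPUT = """
config system admin user
    edit "Log_on_FMG"
        set profileid "Super_User"
        set adom "all_adoms"
        set user_type radius
        set radius_server "Win16"
        config meta-data
            edit "Contact Email"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-adom-override enable
        set ext-auth-group-match "fmg_faz_admin"
        config dashboard
            edit 1
                set name "System Information"
            next
        end
    next
    edit "Log_on_FMG_2"
        set profileid "Super_User"
        set adom "all_adoms"
        set user_type radius
        set radius_server "Win16"
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-adom-override enable
        set ext-auth-group-match "Non_fmg_admin"
    next
end
"""


@dataclass
class AdminUser:
    name: str
    settings: dict


def parse_admin_users(text):
    """Parse the top-level entries of `config system admin user`.
    Nested sub-tables (meta-data, dashboard) are skipped so that their own
    `edit`/`set` lines do not leak into the admin's settings."""
    users, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "config system admin user":
            continue
        if line.startswith("config "):      # entering a sub-table
            depth += 1
            continue
        if line == "end":                   # leaving a sub-table (or the top level)
            depth = max(depth - 1, 0)
            continue
        if depth:
            continue
        if line.startswith("edit "):
            current = AdminUser(line[5:].strip().strip('"'), {})
            users.append(current)
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current.settings[key] = value.strip().strip('"')
    return users


def effective_admin(users, radius_server, group_name):
    """Wildcard admin a RADIUS login resolves to, or None. Assumption used here:
    the group attribute in the Access-Accept must equal ext-auth-group-match of
    exactly one wildcard admin bound to the authenticating RADIUS server."""
    hits = [u for u in users
            if u.settings.get("wildcard") == "enable"
            and u.settings.get("radius_server") == radius_server
            and u.settings.get("ext-auth-group-match") == group_name]
    return hits[0] if len(hits) == 1 else None


def check_workflow_roles(users, approvers, radius_server, creator_group, approver_group):
    """Findings about the creator/approver split. An empty list means the two RADIUS
    groups resolve to different wildcard admins and only the approver's admin is in
    the approval matrix (`approvers` is a set of admin names supplied by hand)."""
    findings = []
    creator = effective_admin(users, radius_server, creator_group)
    approver = effective_admin(users, radius_server, approver_group)
    if creator is None:
        findings.append(f"creator: no single wildcard admin matches group {creator_group!r}")
    if approver is None:
        findings.append(f"approver: no single wildcard admin matches group {approver_group!r}")
    if creator and approver:
        if creator.name == approver.name:
            findings.append("creator and approver resolve to the same admin; self-approval is possible")
        if approver.name not in approvers:
            findings.append(f"approver admin {approver.name!r} is not in the workflow approval matrix")
        if creator.name in approvers:
            findings.append(f"creator admin {creator.name!r} is in the approval matrix and could approve its own sessions")
    return findings


if __name__ == "__main__":
    admins = parse_admin_users(SHOW_OUTPUT)
    # fortinet2 (Non_fmg_admin) creates, fortinet (fmg_faz_admin) approves, as in the note
    print(check_workflow_roles(admins, {"Log_on_FMG"}, "Win16", "Non_fmg_admin", "fmg_faz_admin"))
```

Running the script with the roles reversed, or with a group string that differs from ext-auth-group-match by even one character (for example a trailing "s"), produces findings instead of an empty list; that is the quickest way to catch a typo between the NPS policy and the FortiManager admin before testing the login itself.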