neonbit
New Member
August 19, 2015
Solved

Can you configure RADIUS groups for FortiAnalyzer admins?


Does anyone know if you can configure RADIUS groups for the FAZ? I can't seem to find any information on this in the admin guides or CLI.

 

What I'm trying to do is have users log in to a RADIUS server (FortiAuthenticator in this instance) and from there be given role-based access.

 

For example, if the user belongs to the 'admin' group they would be given full access, but if they're in the 'partners' group they would be given access to the reports/FortiView.

 

I'm going blind trying to figure this out! :)

Best answer by aggi

Under your wildcard admin put 'set radius-accprofile-override enable'. Then create access profiles with the same name as the radius groups.

9 replies

AtiT
New Member
August 19, 2015

Hi,

 

Yes you can.

1) Create a radius profile: System Settings -> Admin -> Remote Auth Server

2) Go to the CLI and define the NAS-IP address to be the IP address of your FAZ:

    config sys admin radius
        edit <your radius name, or press the TAB button>
            set nas-ip <the IP address of your FAZ>
    end

3) Create admin profile(s) under System Settings -> Admin -> Profile and choose what you want to allow or disable for the admin(s).

4) Create a new admin with the same name as you have it on the RADIUS server. Set the type to RADIUS and choose the created RADIUS server. DO NOT select the Wildcard option. DO NOT fill in the password. Choose the required profile for the admin and the ADOM settings and click OK.

5) Repeat the step 4) for the other admins.

 

Log out from the analyzer and log in with the different admin account. Have fun!

 

Remember: the admin name has to be an existing name that can be checked by the RADIUS server. The password will be checked by the RADIUS server and access granted. According to the admin name, the FAZ will choose the admin profile.

 

 

AtiT
New Member
August 19, 2015

It is not a radius group but you have to configure each username on the FAZ.

 

aggi
New Member
August 19, 2015

Under your wildcard admin put 'set radius-accprofile-override enable'. Then create access profiles with the same name as the radius groups.

emnoc
New Member
August 19, 2015

Neon

You can define access_profile attributes for the clients, but the catch is that the access-Profile needs to be configured on the FortiGate. FortiGate supports like 6 or 8 Vendor Specific Attributes IIRC.

 

 

example;

 

# sample radius user file w/ accprof (FreeRADIUS "users" file syntax)
#
# Check items go on the first line with ":="; reply items follow, one per
# line, comma-separated except for the last. Service-Type (attribute 6) is
# the FreeRADIUS name; older Livingston-style dictionaries call it
# User-Service-Type.
HQadmin    Crypt-Password := "$1$BbERshNY$.wcjjBzwe/i82ILJuajeWs/"
           Service-Type = Login-User,
           Fortinet-Access-Profile = admin_full

ENGadmin   Crypt-Password := "$1$BEdsJWs$.xkueWldiwe/w62ILWkiuuSs/"
           Service-Type = Login-User,
           Fortinet-Access-Profile = adminrestricted

SOCgroup1  Cleartext-Password := "MySOCG3d4uejd"
           Service-Type = Login-User,
           Fortinet-Access-Profile = readonly

Just make sure the Access Profile exists, or if not you will lock out the user.

 

neonbit
New Member
August 20, 2015

Yeeessss!!! Thanks for the info guys, it's working great now :D

 

My final steps were: 

 

Created an admin user with wildcard that uses the RADIUS server.

 

Created separate access profiles with names matching my RADIUS groups.

 

Edited the admin user via CLI and enabled the radius-accprofile-override setting.

 

Initially I had a problem with the RADIUS group attributes not matching up. On the FortiAuthenticator I configured the groups to reply with the Fortinet-Group-Name attribute for RADIUS authentication (this was to service the FortiGate). This attribute didn't work for the FAZ. I added the Fortinet-Access-Profile attribute and the FAZ picked it up. So now I have both RADIUS attributes configured on my FortiAuthenticator (pic attached), one to service the FortiGate and the other for the FortiAnalyzer.

 

Thanks again guys!

AtiT
New Member
August 20, 2015

Hi,

this solution seems to me more elegant. I tried to set this up but I have a problem.

I have 2 admin groups - Admin and Report-read-only.

All users from both groups can log in but have the same permissions that are set under the wildcard admin profile.

I also enabled the radius-accprofile-override: enable

 

It seems that the FAZ does not make a difference between profile attributes.

The radius server is Windows 2008 R2 NPS policy server.

The FAZ is FAZ-VM 5.2.3 (trial version for testing in vmware player).

 

I set the vendor specific attribute to attribute 6:

 

## Fortinet's VSA's
#
VENDOR          fortinet        12356

BEGIN-VENDOR    fortinet

ATTRIBUTE       Fortinet-Group-Name             1       string
ATTRIBUTE       Fortinet-Client-IP-Address      2       ipaddr
ATTRIBUTE       Fortinet-Vdom-Name              3       string
ATTRIBUTE       Fortinet-Client-IPv6-Address    4       octets
ATTRIBUTE       Fortinet-Interface-Name         5       string
ATTRIBUTE       Fortinet-Access-Profile         6       string

## Integer Translations
#

END-VENDOR      Fortinet

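An added example, not part of the thread and not Fortinet code: a small Python script that encodes and decodes the Fortinet VSAs using the vendor ID (12356) and attribute numbers from the dictionary above, then models the check that aggi's recipe and neonbit's fix depend on. The FAZ override reads Fortinet-Access-Profile (vendor-type 6), not Fortinet-Group-Name (1), and the value must match a profile that already exists on the FAZ. The wire layout is the RFC 2865 Vendor-Specific attribute; the sample Access-Accept attributes, group names and configured profile names are constructed for illustration.

```python
"""Added example: encode/decode Fortinet RADIUS VSAs (RFC 2865 type 26).
Vendor ID and attribute numbers are from the dictionary posted in the thread;
the sample reply is constructed here, not captured from a real server.
"""
import struct

FORTINET_VENDOR_ID = 12356
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type

# vendor-type -> (name, datatype), as in the posted dictionary
FORTINET_VSA = {
    1: ("Fortinet-Group-Name", "string"),
    2: ("Fortinet-Client-IP-Address", "ipaddr"),
    3: ("Fortinet-Vdom-Name", "string"),
    4: ("Fortinet-Client-IPv6-Address", "octets"),
    5: ("Fortinet-Interface-Name", "string"),
    6: ("Fortinet-Access-Profile", "string"),
}
VSA_BY_NAME = {name: num for num, (name, _) in FORTINET_VSA.items()}


def encode_fortinet_vsa(name: str, value: str) -> bytes:
    """One Vendor-Specific attribute: Type Len VendorId | VType VLen Value."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", VSA_BY_NAME[name], 2 + len(data)) + data
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute too long")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list and return (name, value) pairs.
    Unknown vendors/types are reported by number so a debug session shows
    everything the server sent; length fields are validated so a malformed
    attribute raises instead of being silently mis-parsed.
    """
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        payload = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            out.append((f"Attr-{atype}", payload.hex()))
            continue
        if len(payload) < 6:
            raise ValueError("VSA too short for vendor id and sub-header")
        vendor = struct.unpack("!I", payload[:4])[0]
        sub, spos = payload[4:], 0
        while spos < len(sub):  # a VSA may carry several sub-attributes
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            vval = sub[spos + 2:spos + vlen]
            spos += vlen
            if vendor == FORTINET_VENDOR_ID and vtype in FORTINET_VSA:
                name, kind = FORTINET_VSA[vtype]
                if kind == "string":
                    text = vval.decode("utf-8", "replace")
                elif kind == "ipaddr" and len(vval) == 4:
                    text = ".".join(str(b) for b in vval)
                else:
                    text = vval.hex()
                out.append((name, text))
            else:
                out.append((f"Vendor-{vendor}-Attr-{vtype}", vval.hex()))
    return out


def pick_access_profile(attrs, configured_profiles):
    """Profile the override would select, or None. Mirrors the accepted recipe:
    only Fortinet-Access-Profile (6) is consulted, Fortinet-Group-Name (1) is
    ignored, and the value must name a profile that already exists on the FAZ.
    """
    for name, value in attrs:
        if name == "Fortinet-Access-Profile" and value in configured_profiles:
            return value
    return None


# Constructed sample reply carrying both attributes, as neonbit ended up
# configuring on the FortiAuthenticator (group/profile names are made up).
SAMPLE_ACCEPT_ATTRS = (
    encode_fortinet_vsa("Fortinet-Group-Name", "partners")        # for the FortiGate
    + encode_fortinet_vsa("Fortinet-Access-Profile", "partners")  # for the FAZ
)
CONFIGURED_PROFILES = {"Super_User", "admin", "partners"}

if __name__ == "__main__":
    attrs = decode_attributes(SAMPLE_ACCEPT_ATTRS)
    for name, value in attrs:
        print(f"{name} = {value}")
    print("effective profile:", pick_access_profile(attrs, CONFIGURED_PROFILES))
```

Feeding it only a Fortinet-Group-Name attribute, as in neonbit's first attempt, yields no profile; feeding it an Access-Profile value that is not among the configured profiles also yields none, which is the case both emnoc and AtiT ran into. Decoding the attribute bytes from a packet capture of the server's Access-Accept is the quickest way to see which of the two VSAs the server actually returned.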
 

emnoc
New Member
August 20, 2015

Great, can you debug the radius accept/response on that radius server?

 

I have little experience with the MS RADIUS and NPS but I'm sure there's some debug method. If you have a radtest-equivalent diagnostic command, you can try that also.

 

 

AtiT
New Member
August 20, 2015

Hi,

Yes I did it. It is working now. The problem was with the RADIUS server, where another network policy caught the authentication request, and if the profile does not match, the profile defined under the admin user is applied.

 

Thank you for support.

wifisupport
New Member
March 28, 2016

Hi all, do you know if it is possible to configure TACACS for FortiAnalyzer? I tried to configure it but authorization doesn't work properly. Thanks in advance! A.