Fortigate MFA Management Query
Hi All,
Query concerning MFA to Microsoft on the Fortigates for management access. We have a working solution but we have a slight problem which I can't seem to resolve.
We have 2 user groups for access to the Fortigates - Access-Write & Access-Read.
I configure management access on the Fortigate, giving users access to make changes to the firewall if they are in Access-Write and read-only access if in the Access-Read group.
This access is controlled by the Fortigate User Group Remote Group and Group name entry and the policies on the NPS server for this device group.
The issue I have is when I turn on the MFA piece the MFA fails when I have a User Group group name specified - only when I use all groups does it work. That's okay but I lose the ability to separate the Read and Write only grouping. I can move a user across between the Domain Read Only and Write Access group but they both have full write access.
How can I push a read-only and read/write policy from the NPS to the Fortigate so I can separate these users without specifying the user group configuration?
Regards
Adrian
