Micky182
New Member
November 14, 2019
Solved

Help admin without super_admin permission

  • November 14, 2019
  • 2 replies
  • 15756 views

Hi,

I have a very huge problem with admin rights. I have a new customer with a FortiGate firewall and I've reset the FortiGate admin password (because they didn't have it), but I still don't have the full super_admin permission.

In fact the account can't see the Administrator profiles, and I figured out that the admin account is a prof_admin.

Is it possible to change an admin account from prof_admin to super_admin?

In the past I've done it with a backup config, but I had the backup file. Now I have no config backup files and no way to back up or restore the FortiGate config with the prof_admin account. I'm also wondering if there is another hidden account as super_admin?

I'm very stuck in this bad situation and I can't do a factory reset.

    Best answer by Toshi_Esumi (reply below)

    2 replies

    Toshi_Esumi
    SuperUser
    November 14, 2019

    You need to be a "super_admin" to make a user a super_admin. If you don't have, or know the password for, any other super_admin users on the box, you need to go through the password recovery process you can find somewhere in this forum or on the internet. The "maintainer" user for the process must be a super_user so you can change anything you want to change.

    Micky182 (Author)
    New Member
    November 15, 2019

    Hi,

    I've tried, but from the maintainer account I can't change the accprofile from prof_admin to super_admin because I get error -61. Do you think it is possible to change the profile of other users from maintainer?

    Thank you very much,

    Michele.

    Dave_Hall
    New Member
    November 15, 2019

    Try creating a temp admin account with super_admin rights. Then try logging into the fgt normally with this temp admin account.

    e.g.

    config system admin
        edit "temp_admin"
            set accprofile "super_admin"
            set password <password>
        next
    end

    Alternately, see if you can perform a backup of the config to a USB stick (sans password) and see if you can read it later (in a text editor). You should be able to edit/change/add the accprofile line for your admin account, save it as a new config, and try uploading that via USB or via the GUI (following a factory reset). A word of caution about this approach: you need to be absolutely sure you have a couple of good backups of the config running on the fgt.

    samuelheinrich
    New Member
    August 23, 2022

    I know this is a very old thread, but I ran into the same issue: for some reason one of our FortiGates had the "admin" access profile set to "prof_admin" and there was no other "super_admin" configured.

    Since the FortiGate was placed at a remote location, a password reset was not an option.

    Luckily I found a much better solution: reset the access profile for the admin without the need for a password reset or reload!

    All you need is a RADIUS server which is able to return the VSA "Fortinet-Access-Profile".

    You can find a full list here: Fortinet VSA List

    What you need to do then is:

    - configure RADIUS for authentication
    - create or re-use an existing admin user for remote auth
    - configure accprofile-override enable
    - auth against the RADIUS server
    - return Fortinet-Access-Profile=super_admin

    You should now have super_admin privileges, which allow you to assign "super_admin" to any admin account.

    Example config for remote auth:

    config system admin
        edit "RADIUS_ADMIN"
            set remote-auth enable
            set accprofile "dummy"
            set vdom "root"
            set wildcard enable
            set remote-group "xxxx"
            set accprofile-override enable
        next
    end
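Two of the replies above rely on the same plaintext backup format: Dave_Hall's suggestion to edit the accprofile line of an admin entry in a text editor, and samuelheinrich's remote-auth entry with accprofile-override enable, which lets the RADIUS VSA Fortinet-Access-Profile decide the effective profile. The script below is an added example (not Fortinet's code and not from any poster in this thread): it parses the "config system admin" section of a backup, reports which accounts hold super_admin locally and which can receive their profile from RADIUS (useful as a periodic audit, since an accprofile-override entry is only as trustworthy as the RADIUS server behind it), and rewrites one admin's accprofile line the way the backup-editing approach does. SAMPLE_CONFIG is constructed for the example and the password hash is a placeholder; the parser assumes the edit/set/next/end layout shown in the thread.

```python
"""Audit and edit admin entries in a plaintext FortiGate config backup.

Added example for this thread; not Fortinet code. Assumes the unencrypted
backup layout shown in the thread (config system admin / edit / set / next /
end). SAMPLE_CONFIG is constructed, not a real device's backup.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a local "admin" stuck on prof_admin (the question's
# situation) plus the RADIUS_ADMIN remote-auth entry from samuelheinrich's post.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
end
config system admin
    edit "admin"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC <placeholder-hash>
    next
    edit "RADIUS_ADMIN"
        set remote-auth enable
        set accprofile "dummy"
        set vdom "root"
        set wildcard enable
        set remote-group "xxxx"
        set accprofile-override enable
    next
end
"""

SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_admins(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {admin_name: {setting: value}} for each entry under 'config system admin'."""
    admins: Dict[str, Dict[str, str]] = {}
    in_block = False            # inside "config system admin"
    current: Optional[str] = None  # name of the edit entry being read
    nested = 0                  # depth of sub-blocks (e.g. "config gui-dashboard") to skip
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
            continue
        if current is None:
            if line.startswith("edit "):
                current = line[5:].strip().strip('"')
                admins[current] = {}
            elif line == "end":          # end of the admin block
                break
            continue
        if nested:                       # skip nested "config ... end" sub-blocks
            if line.startswith("config "):
                nested += 1
            elif line == "end":
                nested -= 1
            continue
        if line.startswith("config "):
            nested = 1
        elif line == "next":
            current = None
        else:
            m = SET_RE.match(line)
            if m:
                admins[current][m.group(1)] = m.group(2).strip().strip('"')
    return admins


def audit_admins(admins: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag accounts that hold super_admin or can obtain their profile from RADIUS."""
    findings: List[str] = []
    for name, s in admins.items():
        profile = s.get("accprofile", "")
        if profile == "super_admin":
            findings.append(f"{name}: local super_admin account")
        if s.get("remote-auth") == "enable" and s.get("accprofile-override") == "enable":
            findings.append(
                f"{name}: remote-auth with accprofile-override, so the RADIUS VSA "
                f"Fortinet-Access-Profile decides the effective profile; local profile "
                f"{profile!r} is only the fallback"
            )
        if s.get("wildcard") == "enable":
            findings.append(
                f"{name}: wildcard enable, every user the remote server accepts for "
                f"group {s.get('remote-group', '')!r} can log in through this entry"
            )
    return findings


def set_accprofile(config_text: str, admin_name: str, new_profile: str) -> str:
    """Rewrite the accprofile line of one admin entry, preserving indentation."""
    out: List[str] = []
    in_block = in_target = changed = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == f'edit "{admin_name}"':
            in_target = True
        elif in_target and line == "next":
            in_target = False
        elif in_target and line.startswith("set accprofile "):
            indent = raw[: len(raw) - len(raw.lstrip())]
            raw = f'{indent}set accprofile "{new_profile}"'
            changed = True
        elif in_block and not in_target and line == "end":
            in_block = False
        out.append(raw)
    if not changed:
        raise ValueError(f"no accprofile line found for admin {admin_name!r}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_admins(parse_admins(SAMPLE_CONFIG)):
        print(finding)
    print(set_accprofile(SAMPLE_CONFIG, "admin", "super_admin"))
```

Run it against a backup you have already verified you can restore from; the thread's caution about keeping a couple of good backups applies to the rewritten file as much as to the original.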