felicio (Explorer)
February 27, 2019
Question

RADIUS Admin logon on FAC

To keep the administrative accounts isolated from user accounts we are using an additional/2nd FAC in the DMZ. We are looking forward to using an internal FAC to authenticate administrative user logons on the DMZ FAC, but the typical Super-User value in the Fortinet-FPC-User-Role/Fortinet-Access-Profile RADIUS VSA isn't working (the user logs in as a regular/non-administrative one).


Does anyone know what is necessary to get this working?


Regards,


Felicio Santos.

    xsilver_FTNT (Staff)
    February 27, 2019

    AFAIK there are no remote admin account types on FAC (as we know them for example from FortiGate remote/wildcard admins).

    FAC has local admins defined in Local Users (User Management) with Role=Administrator.

    By default those admins do not even have the ability to be used and authenticated via RADIUS from outside, so they are completely local to the FAC itself.

    Carl_Windsor_FTNT (Staff)
    February 27, 2019

    This should be possible if the user is not set to be a FAC Admin as above. Take a look at this integration guide I wrote a while back.


    If you follow this process and it still doesn't work, check that the RADIUS attributes are being sent by sniffing the RADIUS traffic (you will need to decrypt the RADIUS packets in Wireshark):

    1. Capture RADIUS authentication traffic in Wireshark.
    2. Go to Edit > Preferences.
    3. Click the + next to Protocols to expand the tree.
    4. Scroll down and select RADIUS.
    5. Enter the RADIUS shared secret and click Apply.
    6. You should now see the full RADIUS transaction in plaintext.
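As an added example (not from this thread, Fortinet, or the integration guide), here is a small Python decoder for the check described above: it walks the attributes of a RADIUS packet, names the Fortinet vendor-specific ones so you can see exactly which access profile the server returned, and unhides a User-Password with the shared secret the way Wireshark does once the secret is entered. The Fortinet enterprise number 12356 is real; the sub-attribute numbers 1 and 6 for Fortinet-Group-Name and Fortinet-Access-Profile are an assumption taken from the Fortinet RADIUS dictionary, and all packet bytes are constructed, not captured.

```python
import hashlib
import struct

FORTINET_VENDOR_ID = 12356  # IANA enterprise number assigned to Fortinet
# Sub-attribute numbers are an assumption taken from the Fortinet RADIUS dictionary
FORTINET_VSA = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}

def fortinet_vsa(vtype, value):
    """Encode one Vendor-Specific (type 26) attribute carrying a Fortinet sub-attribute."""
    inner = struct.pack("!BB", vtype, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", 26, 2 + len(body)) + body

def parse_packet(packet):
    """Return (code, authenticator, [(name_or_type, value)]) with Fortinet VSAs named."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific: 4-byte vendor id, then vendor sub-attributes
            vendor, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                name = FORTINET_VSA.get(vtype) if vendor == FORTINET_VENDOR_ID else None
                attrs.append((name or f"Vendor-{vendor}-{vtype}", value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((atype, value))
        pos += alen
    return code, authenticator, attrs

def access_profile(packet):
    """The Fortinet-Access-Profile value the server sent in this packet, or None."""
    return dict(parse_packet(packet)[2]).get("Fortinet-Access-Profile")

def decode_user_password(hidden, secret, authenticator):
    """Undo RFC 2865 5.2 hiding: each 16-byte block XOR MD5(secret + previous cipher block)."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

# Constructed sample (not a real capture): an Access-Accept (code 2) with two Fortinet VSAs,
# and a User-Password hidden the way an Access-Request would carry it under the same secret.
SAMPLE_SECRET, SAMPLE_AUTH = b"testing123", bytes(range(16))
SAMPLE_ATTRS = fortinet_vsa(1, b"radius-admins") + fortinet_vsa(6, b"super_admin")
SAMPLE_ACCEPT = struct.pack("!BBH", 2, 7, 20 + len(SAMPLE_ATTRS)) + SAMPLE_AUTH + SAMPLE_ATTRS
SAMPLE_HIDDEN = bytes(a ^ b for a, b in zip(b"Secret123".ljust(16, b"\x00"), hashlib.md5(SAMPLE_SECRET + SAMPLE_AUTH).digest()))
```

If the Access-Accept from the internal FAC shows no Fortinet-Access-Profile at all, the problem is on the server side; if it is present but the login is still non-administrative, the receiving FAC is ignoring it, which matches the thread's conclusion.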

    felicio (Author, Explorer)
    March 18, 2019

    Hi,


    Thanks for the reply!

    It only worked if I created a "remote user" with admin privileges in advance. I was looking to have in the FAC a functionality like a wildcard admin on FGT. Even TAC didn't find out how to make it work, so I will go with manual creation of the remote user and look forward to this popping up in a future FAC release.

    Regards,


    Felicio Santos.