andre_crc-REPLY
New Member
March 5, 2026
Solved

Remote admin SSH + RADIUS/FAC: authentication triggered only for accprofile super_admin


I’m trying to configure remote administrator access via SSH on a FortiGate using RADIUS (FortiAuthenticator), where the admin privileges on the FortiGate depend on the user’s Fortinet VSA (e.g. Attribute: Fortinet-Group-Name, value: ADMIN_FORTIGATE) and corresponding remote-group mapping.

Goal: allow different remote admins to log in via SSH with different admin access profiles, for example a read-only admin using the built-in super_admin_readonly (or a custom read-only accprofile).

I noticed that:

  • If the admin entry is configured with set accprofile "super_admin", SSH login works and the FortiGate does send RADIUS Access-Request to FAC.
  • If the same admin is configured with any other accprofile, SSH login fails with a generic Failed password, and no RADIUS traffic is generated at all.

So, it looks like remote admin authentication via SSH is only triggered when the admin has accprofile = super_admin, while non-super_admin profiles do not even reach RADIUS.

So, my questions are:

  1. Is it expected that remote admin SSH + RADIUS works only with accprofile super_admin?
  2. If not, is there a known setting/feature/bug that would cause RADIUS not to be invoked for remote admins with super_admin_readonly (or custom profiles)?

Environment:

  • FortiGate-VM (KVM/QEMU lab)
  • FortiOS versions tested: 7.6.x and 7.2.x (same behavior)
  • RADIUS server: FortiAuthenticator
  • remote-auth enable on admins and remote-group configured

6 replies

Jean-Philippe_P
Staff & Editor
March 8, 2026

Hello andre_crc-REPLY,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
March 9, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
funkylicious
SuperUser
March 9, 2026

Try adding under system admin:

set accprofile-override enable

"jack of all trades, master of none"
andre_crc-REPLY
New Member
March 9, 2026

Thank you for the answer!

Unfortunately, it doesn't solve the issue, I still face the same problem.

funkylicious
SuperUser
March 9, 2026

Can you share the user group and system admin configuration?

Please sanitize any sensitive information from them.

"jack of all trades, master of none"
sw2090
SuperUser
March 9, 2026

Hm, this works fine here. We just use different RADIUS groups for the users, and the admin profile is tied to the user group, not the user itself.

Works here in the web interface as well as in SSH.

sw2090
SuperUser
March 10, 2026

Hm, I just created the user groups. They should have the same name on the FGT as they have at the FAC. The group has no members but has a Remote Authentication Server set to our FAC with the corresponding RADIUS user group.

Then in System=>Administrators the group is set to an admin profile and set to type "remote User + wildcard". This means it's set to match all users on the remote server group, and it has the admin profile and the remote user group.

I have 6 RADIUS user groups with three different admin profiles set this way and they work fine with our FAC...
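
The layout sw2090 describes above, sketched as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. The server address, the secret, the admin entry names and the READONLY_FORTIGATE group are placeholders; ADMIN_FORTIGATE is the Fortinet-Group-Name value from the original question.

```fortios
# Added example; address, secret and entry names are placeholders.
config user radius
    edit "FAC"
        set server "192.0.2.10"
        set secret <shared-secret>
    next
end

# One FortiGate group per Fortinet-Group-Name value returned by FAC.
# The only member is the RADIUS server; the match entry filters on the VSA.
config user group
    edit "ADMIN_FORTIGATE"
        set member "FAC"
        config match
            edit 1
                set server-name "FAC"
                set group-name "ADMIN_FORTIGATE"
            next
        end
    next
    edit "READONLY_FORTIGATE"
        set member "FAC"
        config match
            edit 1
                set server-name "FAC"
                set group-name "READONLY_FORTIGATE"
            next
        end
    next
end

# Wildcard admins: the profile is tied to the remote group, not to a named user.
config system admin
    edit "radius_super"
        set remote-auth enable
        set wildcard enable
        set remote-group "ADMIN_FORTIGATE"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "radius_readonly"
        set remote-auth enable
        set wildcard enable
        set remote-group "READONLY_FORTIGATE"
        set accprofile "super_admin_readonly"
        set vdom "root"
    next
end
```

To confirm that FAC returns the expected Fortinet-Group-Name before testing SSH, `diagnose test authserver radius FAC pap <user> <password>` reports the group memberships the FortiGate received.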

andre_crc-REPLY
New Member
March 10, 2026

Thank you very much @funkylicious @sw2090 @Toshi_Esumi .

Following this guide you suggested and your directions I achieved my goal using the Web Interface.