Created on 08-04-2017 01:50 PM
Edited on 10-22-2024 10:11 PM
By Anthony_E
Description
This article describes how to use RADIUS vendor-specific attributes in RADIUS wildcard authentication from Windows Network Policy Server (NPS) to give access to multiple ADOMs and assign different admin profiles based upon user membership in AD groups.
FortiAnalyzer and FortiManager only allow the definition of a single wildcard admin account, so on its own that account gives every matching RADIUS user the same ADOM and admin profile. Instead, Vendor Specific Attributes (VSAs) returned by the RADIUS server can indicate which ADOMs each user can access and with what level of privilege (through admin profile assignment).
Scope
This configuration was tested on FortiManager/FortiAnalyzer 5.4.3 and Windows Server 2008.
Solution
With Windows Server NPS as the RADIUS authentication server, each AD group can be mapped to one or more ADOMs and an admin profile using RADIUS VSAs.
Configuration.
RADIUS configuration on the FortiManager or FortiAnalyzer.
- Configure the NPS as a Remote Authentication Server (type RADIUS), using the same shared secret that will be set on the NPS RADIUS client entry.
- Create an administrator account of type RADIUS with wildcard enabled, and enable the RADIUS ADOM and profile overrides on it.

From the CLI (the same account, with the settings the GUI steps above create; <server-name> is the Remote Authentication Server created above):
config system admin user
    edit "radiususer"
        set user_type radius
        set radius_server <server-name>
        set wildcard enable
        set radius-accprofile-override enable
        set radius-adom-override enable
    next
end
Note: With these two override settings enabled, the ADOM and admin profile returned by the RADIUS server replace the ADOM and admin profile configured on the FortiAnalyzer/FortiManager wildcard administrator account.
- Create an admin profile.
- Create an ADOM.

Configure Windows NPS (assumes users and groups are already present).
- Add the FortiAnalyzer/FortiManager as RADIUS clients, with the shared secret configured on the Remote Authentication Server.
- Create Connection Request Policies.
- Create a network policy with the condition User Groups = 'group1'.
- In the policy settings, add a Vendor Specific attribute with vendor code 12356 (Fortinet) in the String format.
- The VSA for the ADOM is vendor-assigned attribute number 3, string <ADOM-name>. In the Fortinet RADIUS dictionary attribute 3 is Fortinet-Vdom-Name; FortiManager/FortiAnalyzer read it as the ADOM name. Add one attribute-3 instance per ADOM to give the group access to multiple ADOMs.
- The VSA for the administrator profile is vendor-assigned attribute number 6 (Fortinet-Access-Profile), string <profile-name>.
- Log in to FortiManager/FortiAnalyzer as the RADIUS user (use the full domain form, e.g. MYDOMAIN\user).
Consider the following scenarios:
- A FortiManager has 2 ADOMs: ADOM1, ADOM2.
- Windows AD has 3 groups: g1, g2, g3.
- The FortiManager has two admin profiles:
  - p1: Read-only.
  - p2: Read Write, but read-only access to Device Manager.
Scenario A - Give g1 and g2 read-only access to ADOM1.
- Add a network policy with:
  - A condition matching user groups g1 and g2 (NPS treats several groups in one User Groups condition as OR: membership in either group matches).
  - RADIUS settings with a VSA number 3, string ADOM1, and a VSA number 6, string p1.
Result: Any user in g1 or g2 gets read-only access to ADOM1.
Scenario B - Give g3 Read Write access to ADOM2 with read-only access to Device Manager.
- Add a network policy with:
  - A condition matching user group g3.
  - RADIUS settings with a VSA number 3, string ADOM2, and a VSA number 6, string p2.
Result: Any user in g3 gets Read Write access to ADOM2 with read-only access to Device Manager.
NPS evaluates network policies in processing order and applies the first policy whose conditions match, so a user who is a member of more than one of these groups receives the VSAs of the first matching policy only; order the policies accordingly.
Note:
If the access profile VSA (attribute 6) is not returned by the RADIUS server, the user gets the admin profile configured on the wildcard administrator account.
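As an added example (not part of the original article and not Fortinet's or Microsoft's code) of what the NPS policies above actually put on the wire: the Python below builds the Fortinet VSAs for one policy (RADIUS attribute 26, vendor ID 12356, sub-attributes 3 and 6), parses them back the way the FortiManager side has to, applies the profile fallback from the note above, and checks an Access-Accept's Response Authenticator against the shared secret. The shared secret, RADIUS identifier, request authenticator, the extra Reply-Message attribute and the ADOM/profile names are constructed sample values; the attribute names come from the Fortinet RADIUS dictionary.

```python
"""Added example: encode, decode and authenticate the Fortinet RADIUS VSAs
(vendor ID 12356, attribute 3 = ADOM, attribute 6 = admin profile) that NPS
returns in an Access-Accept for a FortiManager/FortiAnalyzer wildcard admin.
All sample values (secret, identifier, authenticator, names) are constructed."""
import hashlib
import hmac
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number (the NPS "vendor code")
VSA_ADOM = 3                 # Fortinet-Vdom-Name in the Fortinet dictionary; carries the ADOM name
VSA_ACCESS_PROFILE = 6       # Fortinet-Access-Profile; carries the admin profile name
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 attribute type used for every VSA
CODE_ACCESS_ACCEPT = 2


def encode_vsa(vendor_type, value):
    """One Vendor-Specific attribute (RFC 2865 section 5.26): type 26, length,
    4-byte vendor ID, then vendor type, vendor length (including these two
    header bytes) and the UTF-8 string."""
    data = value.encode("utf-8")
    if len(data) > 247:      # 255 - 2 (attr header) - 4 (vendor id) - 2 (sub header)
        raise ValueError("VSA string too long for a single attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def encode_policy(adoms, profile=None):
    """Attribute list for one NPS network policy: one attribute-3 per ADOM,
    plus one attribute-6 when the policy sets an admin profile."""
    attrs = b"".join(encode_vsa(VSA_ADOM, adom) for adom in adoms)
    if profile is not None:
        attrs += encode_vsa(VSA_ACCESS_PROFILE, profile)
    return attrs


def decode_fortinet_vsas(attrs):
    """Walk a RADIUS attribute list and collect the Fortinet VSAs. Non-Fortinet
    and non-VSA attributes are skipped; malformed lengths raise rather than
    being silently ignored."""
    adoms, profile = [], None
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        j = 4                # one vendor field may hold several sub-attributes
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated sub-attribute header")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad sub-attribute length")
            text = value[j + 2:j + vlen].decode("utf-8", "replace")
            if vtype == VSA_ADOM:
                adoms.append(text)
            elif vtype == VSA_ACCESS_PROFILE:
                profile = text
            j += vlen
    return {"adoms": adoms, "profile": profile}


def effective_profile(decoded, account_profile):
    """Override rule from the article: the attribute-6 value wins when present,
    otherwise the profile on the wildcard admin account applies."""
    return decoded["profile"] if decoded["profile"] is not None else account_profile


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Access-Accept with its Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet, request_authenticator, secret):
    """The check the RADIUS client must pass before trusting the VSAs: the
    shared secret is the only thing binding the answer to the NPS."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed sample: scenario B from the article with a second ADOM added,
    # followed by an unrelated Reply-Message (type 18) the decoder must skip.
    secret = b"example-shared-secret"
    req_auth = bytes(range(16))
    attrs = encode_policy(["ADOM2", "ADOM1"], "p2") + b"\x12\x04ok"
    pkt = build_access_accept(7, req_auth, attrs, secret)
    print(verify_access_accept(pkt, req_auth, secret), decode_fortinet_vsas(pkt[20:]))
```

The last check is the security-relevant one: with both overrides enabled, anyone who can produce a valid Access-Accept for the FortiManager's shared secret decides which ADOMs a user sees and with which profile, so the shared secret and the RADIUS client list on the NPS deserve the same care as an administrator password.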
Refer to the attached document for detailed configuration.