Purpose
This article explains how to use RADIUS vendor specific attributes in RADIUS wildcard authentication from Windows Network Policy Server (NPS) to give access to multiple ADOMs and assign different admin profiles based upon user membership in a AD groups.
FortiAnalyzer and FortiManager only allow the definition of a single wildcard admin account, alternately the Vendor Specific Attributes (VSA) can indicate which ADOMs each user can access and with what level of privilege (through profile assignment).
Scope
This configuration is tested on FortiManager/FortiAnalyzer 5.4.3 and Windows Server 2008
Expectations, Requirements
Configuration
RADIUS configuration on the FortiManager or FortiAnalyzer
1. Create an Administrator of type RADIUS with wildcard enabled.
a. Configure Remote Authentication Server
From the CLI:
2. Create an admin profile
3. Create an ADOM
Configure Windows NPS (assumes users and groups are already present)
1. Add FortiAnalyzer/FortiManager as RADIUS clients
2. Create Connection Request Policies
3. Create a network policy with AD group - ‘group1’
4. Add a custom VSA with vendor code 12356
5. The VSA for ADOM is 3, string <ADOM-name> (It is possible to add multiple attributes to give the GROUP access to multiple ADOMs)
6. The VSA for Administrator profile is 6, string <profile-name>
Consider the following scenarios:
- A FortiManager has 2 ADOMs: ADOM1, ADOM2
- Windows AD has 3 groups, g1, g2, g3
- The FortiManager has two admin profiles:
- p1: Read only,
- p2: Read Write, but RO access to Device Manger
Scenario A - Give g1 and g2 access to ADOM1 read only access
- Add a network policy with:
- A condition matching user groupsg1 and g2
- A RADIUS config with a VSA number 3 and string ADOM1 and VSA number 6 with string p1.
Result : Any user falling in g1 and g2 will get Read Only access to ADOM1.
Scenario B - Give g3 access to ADOM2 with Read Write but RO access to Device Manger
Add a network policy with:
- A condition matching user group g3
- A RADIUS config with a VSA number 3 and string ADOM2 and VSA number 6 with string p2.
Result : Any user falling in g3 will get Read Write access to ADOM2 with read-only access to device manager.
Note: If access profile RADIUS VSA is not specified then user will get access to the admin profile mentioned in the Administrator.
Please refer the attached document for detailed configuration.
This article explains how to use RADIUS vendor specific attributes in RADIUS wildcard authentication from Windows Network Policy Server (NPS) to give access to multiple ADOMs and assign different admin profiles based upon user membership in a AD groups.
FortiAnalyzer and FortiManager only allow the definition of a single wildcard admin account, alternately the Vendor Specific Attributes (VSA) can indicate which ADOMs each user can access and with what level of privilege (through profile assignment).
Scope
This configuration is tested on FortiManager/FortiAnalyzer 5.4.3 and Windows Server 2008
Expectations, Requirements
With RADIUS as authentication server on Windows Server we can assign each AD group multiple ADOMs and profiles using RADIUS VSA.
Configuration
RADIUS configuration on the FortiManager or FortiAnalyzer
1. Create an Administrator of type RADIUS with wildcard enabled.
a. Configure Remote Authentication Server
b. Create an Admin account
From the CLI:
config system admin userNote: This setting will overwrite the ADOM and account profile that is configured in the FortiAnalyzer/FortiManager administrator account.
edit "radiususer"
(radius)# set radius-accprofile-override enable
(radius)# set radius-adom-override enable
(radius)# end
2. Create an admin profile
1. Add FortiAnalyzer/FortiManager as RADIUS clients
3. Create a network policy with AD group - ‘group1’
4. Add a custom VSA with vendor code 12356
5. The VSA for ADOM is 3, string <ADOM-name> (It is possible to add multiple attributes to give the GROUP access to multiple ADOMs)
6. The VSA for Administrator profile is 6, string <profile-name>
Consider the following scenarios:
- A FortiManager has 2 ADOMs: ADOM1, ADOM2
- Windows AD has 3 groups, g1, g2, g3
- The FortiManager has two admin profiles:
- p1: Read only,
- p2: Read Write, but RO access to Device Manger
Scenario A - Give g1 and g2 access to ADOM1 read only access
- Add a network policy with:
- A condition matching user groupsg1 and g2
- A RADIUS config with a VSA number 3 and string ADOM1 and VSA number 6 with string p1.
Result : Any user falling in g1 and g2 will get Read Only access to ADOM1.
Scenario B - Give g3 access to ADOM2 with Read Write but RO access to Device Manger
Add a network policy with:
- A condition matching user group g3
- A RADIUS config with a VSA number 3 and string ADOM2 and VSA number 6 with string p2.
Result : Any user falling in g3 will get Read Write access to ADOM2 with read-only access to device manager.
Note: If access profile RADIUS VSA is not specified then user will get access to the admin profile mentioned in the Administrator.
Please refer the attached document for detailed configuration.
