Purpose
This article explains how to use RADIUS Vendor Specific Attributes (VSAs) in RADIUS wildcard authentication from Windows Network Policy Server (NPS) to grant access to multiple ADOMs and assign different admin profiles based on a user's membership in AD groups.
FortiAnalyzer and FortiManager only allow a single wildcard admin account to be defined; the VSAs returned by the RADIUS server can instead indicate which ADOMs each user can access and with what level of privilege (through profile assignment).
Scope
This configuration was tested on FortiManager/FortiAnalyzer 5.4.3 and Windows Server 2008.
Expectations, Requirements
With RADIUS on Windows Server as the authentication server, each AD group can be assigned multiple ADOMs and profiles using RADIUS VSAs.
Configuration
RADIUS configuration on the FortiManager or FortiAnalyzer
1. Create an Administrator of type RADIUS with wildcard enabled.
a. Configure the Remote Authentication Server.
b. Create an Admin account.
From the CLI:
config system admin user
    edit "radiususer"
        set radius-accprofile-override enable
        set radius-adom-override enable
    end
Note: These settings override the ADOM and admin profile configured in the FortiAnalyzer/FortiManager administrator account with the values received from RADIUS.
2. Create an admin profile.
3. Create an ADOM.
Configure Windows NPS (assumes users and groups are already present)
1. Add FortiAnalyzer/FortiManager as RADIUS clients.
2. Create Connection Request Policies.
3. Create a network policy with AD group 'group1'.
4. Add a custom VSA with vendor code 12356.
5. The VSA for ADOM is 3, string <ADOM-name>. Multiple attributes can be added to give the group access to multiple ADOMs.
6. The VSA for Administrator profile is 6, string <profile-name>.
Consider the following scenarios:
- A FortiManager has 2 ADOMs: ADOM1, ADOM2
- Windows AD has 3 groups: g1, g2, g3
- The FortiManager has two admin profiles:
  - p1: Read only
  - p2: Read Write, but RO access to Device Manager
Scenario A - Give g1 and g2 read-only access to ADOM1
Add a network policy with:
- A condition matching user groups g1 and g2
- A RADIUS config with VSA number 3 and string ADOM1, and VSA number 6 with string p1.
Result: Any user in g1 or g2 will get Read Only access to ADOM1.
Scenario B - Give g3 access to ADOM2 with Read Write but RO access to Device Manager
Add a network policy with:
- A condition matching user group g3
- A RADIUS config with VSA number 3 and string ADOM2, and VSA number 6 with string p2.
Result: Any user in g3 will get Read Write access to ADOM2 with read-only access to Device Manager.
Note: If the access profile RADIUS VSA is not specified, the user will get the admin profile configured in the Administrator account.
Please refer to the attached document for detailed configuration.
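As an added illustration (not part of the original article or of Fortinet's code), the following Python encodes the Fortinet VSAs from NPS steps 4 to 6 the way they travel inside a RADIUS Access-Accept (RFC 2865 attribute 26) and decodes them the way the wildcard login interprets them, including the fallback to the account's own profile described in the note above. The vendor code 12356 and vendor types 3 and 6 come from the article; the function names and the `account_profile` parameter are assumptions of this example.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet vendor code used in the NPS VSA (from the article)
VSA_ADOM_NAME = 3            # vendor-type carrying an ADOM name (may be repeated)
VSA_ACCESS_PROFILE = 6       # vendor-type carrying the admin profile name
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute type

def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Encode one Fortinet VSA as an RFC 2865 Vendor-Specific (type 26) attribute."""
    data = value.encode("utf-8")
    if len(data) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (inner header)
        raise ValueError("VSA string too long for a single attribute")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body

def build_access_accept_attrs(adoms, profile=None) -> bytes:
    """Attributes an NPS network policy returns: one VSA 3 per ADOM, optional VSA 6."""
    attrs = b"".join(encode_vsa(VSA_ADOM_NAME, adom) for adom in adoms)
    if profile is not None:
        attrs += encode_vsa(VSA_ACCESS_PROFILE, profile)
    return attrs

def resolve_authorization(attrs: bytes, account_profile: str) -> dict:
    """Collect every ADOM name and the profile from the attribute list; fall back to
    the admin account's configured profile when no VSA 6 is present (hypothetical name)."""
    adoms, profile, pos = [], None, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            inner, ipos = attrs[pos + 6:pos + alen], 0
            while vendor_id == FORTINET_VENDOR_ID and ipos + 2 <= len(inner):
                vtype, vlen = inner[ipos], inner[ipos + 1]
                if vlen < 2 or ipos + vlen > len(inner):
                    raise ValueError("malformed vendor-specific sub-attribute")
                value = inner[ipos + 2:ipos + vlen].decode("utf-8")
                if vtype == VSA_ADOM_NAME:
                    adoms.append(value)
                elif vtype == VSA_ACCESS_PROFILE:
                    profile = value
                ipos += vlen
        pos += alen
    return {"adoms": adoms, "profile": profile if profile is not None else account_profile}

if __name__ == "__main__":
    # Two ADOM VSAs and no profile VSA: the account's configured profile (p1) applies
    print(resolve_authorization(build_access_accept_attrs(["ADOM1", "ADOM2"]), "p1"))
```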