Description
In version 6.0.3 the parameter radius-accprofile-override has been renamed ext-auth-accprofile-override, and its behavior has also changed.
Up to version 6.0.2, if radius-accprofile-override is enabled for a wildcard user associated with a particular profile, a user tries to log in, and the VSA Fortinet-Access-Profile value sent by the RADIUS server does not match any profile configured on the FortiManager/FortiAnalyzer, then that user is allowed to log in with the profile defined for the wildcard user.
Since version 6.0.3 this is no longer possible: access is denied.
Scope
config system admin profile
    edit "Test_User"
    next
end
config system admin user
    edit "RadiusUser"
        set profileid "Test_User"
        set adom "root"
        set user_type radius
        set radius_server "TestRadius"
        set wildcard enable
        set ext-auth-accprofile-override enable
    next
end
(On v6.0.2 the last setting is named radius-accprofile-override.)
With this configuration the user will actually have no permissions (the Test_User profile is empty); the purpose is only to show that before v6.0.3 the user is able to log in, while in v6.0.3 access is denied.
On the RADIUS server configure a user, for example “bob”, with the VSA Fortinet-Access-Profile = "read-write" (a profile name that does not exist on the FortiManager/FortiAnalyzer).
Solution
If you run the following trace, the output differs according to the version:
diag debug enable
diag debug application fnbam 255

v6.0.2 : user logged in
# fam_authenticate_user: User 'bob' not found - using wildcard template
fnbamd_fsm.c,1080,handle_req: Rcvd auth req 854654976 user=bob opt=100 prot=9
add_one_radius: TestRadius
fnbamd_radius.c,866,fnbamd_radius_auth_send: Sent radius req to 10.5.21.135: code=1 id=5 len=80 user="bob" using CHAP
fnbamd_radius.c,244,extract_private_attrs: adom 'root'
fnbamd_auth.c,1294,fnbamd_auth_handle_result: ->Result for radius svr 10.5.21.135(0) is 0
fnbamd_comm.c,117,fnbamd_comm_send_result: Sending result 0 for req 854654976
matched wildcard template: TestRadius -> RadiusUser
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: ignore invalid admin prof override: 'read-write'
v6.0.3 : access denied
# fam_authenticate_user: User 'bob' not found - using wildcard template
fnbamd_fsm.c,1080,handle_req: Rcvd auth req 68747264 user=bob opt=100 prot=9
add_one_radius: TestRadius
fnbamd_radius.c,864,fnbamd_radius_auth_send: Sent radius req to 10.5.21.135: code=1 id=0 len=80 user="bob" using CHAP
fnbamd_radius.c,242,extract_private_attrs: adom 'root'
fnbamd_auth.c,1294,fnbamd_auth_handle_result: ->Result for radius svr 10.5.21.135(0) is 0
fnbamd_comm.c,117,fnbamd_comm_send_result: Sending result 0 for req 68747264
matched wildcard template: TestRadius -> RadiusUser
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: invalid override profile: read-write
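The behaviour change above, modelled as an added Python example (this is not Fortinet code and not part of the original article): resolve_admin_profile() reproduces the profile lookup the article describes for a wildcard RADIUS admin on both versions, and audit_trace() pulls the relevant facts out of fnbam debug lines like the ones shown, so a reviewer can tell a silent pre-6.0.3 fallback apart from a 6.0.3 denial. The extra profile names besides Test_User, the trace excerpts, and the handling of the override-disabled and no-VSA cases are constructed assumptions.

```python
import re

# Constructed sample data: the profile from the article's Scope section plus two
# extra profile names (assumption) and the wildcard admin user that maps to Test_User.
CONFIGURED_PROFILES = {"Test_User", "Super_User", "Standard_User"}
WILDCARD_USER = {"name": "RadiusUser", "profileid": "Test_User",
                 "wildcard": True, "ext_auth_accprofile_override": True}


def resolve_admin_profile(vsa_profile, wildcard_user, configured, version):
    """Simplified model (assumption, not Fortinet code) of how the VSA
    Fortinet-Access-Profile is resolved for a wildcard RADIUS admin.

    Returns the effective profile name, or None when access is denied.
    """
    if not wildcard_user["ext_auth_accprofile_override"] or vsa_profile is None:
        # Assumption: with the override disabled, or no VSA sent, the wildcard
        # user's own profile applies.
        return wildcard_user["profileid"]
    if vsa_profile in configured:
        return vsa_profile
    # The VSA names a profile that does not exist on the FortiManager/FortiAnalyzer.
    if version < (6, 0, 3):
        # Up to 6.0.2: the mismatch is ignored and the wildcard template's profile is used.
        return wildcard_user["profileid"]
    # 6.0.3 and later: an invalid override profile denies the login.
    return None


# Constructed excerpts of the fnbam debug traces shown in the article.
TRACE_602 = """\
# fam_authenticate_user: User 'bob' not found - using wildcard template
matched wildcard template: TestRadius -> RadiusUser
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: ignore invalid admin prof override: 'read-write'
"""
TRACE_603 = """\
# fam_authenticate_user: User 'bob' not found - using wildcard template
matched wildcard template: TestRadius -> RadiusUser
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: invalid override profile: read-write
"""

USER_RE = re.compile(
    r"fam_authenticate_user: User '(?P<user>[^']+)' not found - using wildcard template")
TEMPLATE_RE = re.compile(r"matched wildcard template: (?P<server>\S+) -> (?P<template>\S+)")
OVERRIDE_RE = re.compile(
    r"__resolve_admin_prof: (?P<kind>ignore invalid admin prof override|invalid override profile): "
    r"'?(?P<profile>[^']+?)'?$")


def audit_trace(trace):
    """Extract what a reviewer wants from an fnbam trace: which user matched which
    wildcard template, the VSA profile that was sent, and whether a bad profile
    was silently ignored (pre-6.0.3) or rejected (6.0.3+)."""
    result = {"user": None, "server": None, "template": None,
              "vsa_profile": None, "outcome": "no_override_event"}
    for raw in trace.splitlines():
        line = raw.strip().lstrip("# ")  # drop the CLI prompt prefix
        if m := USER_RE.search(line):
            result["user"] = m["user"]
        elif m := TEMPLATE_RE.search(line):
            result["server"], result["template"] = m["server"], m["template"]
        elif m := OVERRIDE_RE.search(line):
            result["vsa_profile"] = m["profile"]
            result["outcome"] = ("fallback_to_wildcard_profile"
                                 if m["kind"].startswith("ignore") else "access_denied")
    return result


if __name__ == "__main__":
    for ver in ((6, 0, 2), (6, 0, 3)):
        print(ver, resolve_admin_profile("read-write", WILDCARD_USER, CONFIGURED_PROFILES, ver))
    print(audit_trace(TRACE_602))
    print(audit_trace(TRACE_603))
```

The point for a reviewer is the pre-6.0.3 case: a VSA value that does not match any configured profile is not an error, so the login lands on whatever profile the wildcard template carries. In the article's Scope that profile is empty, but on a real deployment the wildcard profile may be broader than the one the RADIUS administrator intended, which is why the "ignore invalid admin prof override" line is worth alerting on.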