FortiGate
colivero
Staff
Article Id 194928
Description

This article describes how to set the VDOM assigned to a remote admin user at login to FortiGate, using the Fortinet-Vdom-Name vendor-specific attribute returned by the RADIUS server (FortiAuthenticator).

Scope

FortiGate, FortiAuthenticator.

Solution
  • Configure the FortiAuthenticator on the FortiGate as a remote RADIUS server. For details and a step-by-step procedure, see this article.

For example:

[Screenshot: RADIUS server configuration on FortiGate]

  • Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).

To return the group membership, the access profile and the VDOM, three Fortinet VSAs must be set: VSA 1 (Fortinet-Group-Name), VSA 6 (Fortinet-Access-Profile) and VSA 3 (Fortinet-Vdom-Name). In FreeRADIUS dictionary syntax, the Fortinet vendor ID is 12356:

VENDOR    fortinet                  12356
ATTRIBUTE Fortinet-Group-Name       1   string
ATTRIBUTE Fortinet-Vdom-Name        3   string
ATTRIBUTE Fortinet-Access-Profile   6   string

In this example:

Fortinet-Group-Name (attribute 1) is set to group.
Fortinet-Access-Profile (attribute 6) is set to super_admin.
Fortinet-Vdom-Name (attribute 3) is set to vdomtest1.

The access profile value must match the name of an existing administrator profile on the FortiGate, and the VDOM value must match the name of an existing VDOM; both are case-sensitive.

A list of all Fortinet VSAs is available here.

[Screenshot: RADIUS attributes configured on FortiAuthenticator]

  • Create a user group on FortiGate.

Go to User & Device -> User -> User Group and create a group of type Firewall.

Under Remote Groups, add a new entry and select the RADIUS server as the Remote Server.

In the Groups field, enter the string that the RADIUS server returns as attribute 1 (Fortinet-Group-Name). In this example, the string is 'group'.

Name: Remote_Admin
Remote group:
    Remote Server: fac.fortiad.net
    Group Name: group

[Screenshot: user group Remote_Admin with the remote RADIUS group]

  • It is mandatory to have VDOMs set up as a prerequisite for this example: multi-VDOM mode must be enabled and the VDOM to be assigned (vdomtest1 in this example) must already exist. See the related article on how to set up VDOMs in FortiGate.

Next steps:

  • Create an admin user in FortiGate:
  1. Go to System -> Administrators -> Create New -> Administrator.
  2. Create a new administrator with the type 'Match all users in a remote server group'.
  3. Select the user group (Remote_Admin) created above.
  4. Select the super_admin profile as the Administrator Profile.

[Screenshot: administrator matching all users in the Remote_Admin remote group]
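The same configuration as FortiOS CLI, including the two override settings that allow the RADIUS reply to set the profile and the VDOM. This is an added example and not part of the original article. The server name fac.fortiad.net, the server address 192.168.2.100, the group Remote_Admin, the match string group and the profile super_admin are the values used in this article; the shared-secret placeholder, the administrator object name Remote_Admin_wildcard and the use of the root VDOM for the user objects are assumptions.

```fortios
# Added example (not from the original article). Placeholder: <shared-secret>.
# In multi-VDOM mode the RADIUS server and user group are VDOM objects; this
# example assumes the management VDOM "root". The administrator object is global.
config vdom
    edit root
        config user radius
            edit "fac.fortiad.net"
                set server "192.168.2.100"
                set secret <shared-secret>
            next
        end
        config user group
            edit "Remote_Admin"
                set member "fac.fortiad.net"
                config match
                    edit 1
                        set server-name "fac.fortiad.net"
                        set group-name "group"
                    next
                end
            next
        end
    next
end

config global
    config system admin
        # Object name is arbitrary (assumed here). "wildcard enable" is the CLI
        # form of 'Match all users in a remote server group'.
        edit "Remote_Admin_wildcard"
            set remote-auth enable
            set wildcard enable
            set remote-group "Remote_Admin"
            set accprofile "super_admin"
            # Without these two settings the Fortinet-Access-Profile and
            # Fortinet-Vdom-Name attributes returned by the RADIUS server are
            # ignored and the admin receives the locally configured profile.
            set accprofile-override enable
            set vdom-override enable
        next
    end
end
```

Before testing a GUI login, `diagnose test authserver radius fac.fortiad.net pap <username> <password>` run inside the VDOM confirms that the FortiGate can reach the server with the configured secret and that the user is accepted. Because the override settings let the RADIUS reply choose both the access profile and the VDOM, the Access-Accept effectively grants super_admin: restrict which FortiAuthenticator users or groups return Fortinet-Access-Profile super_admin, and protect the RADIUS shared secret like an administrator credential.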

Log in to FortiGate using the new RADIUS user.

[Screenshot: login as the RADIUS user, scoped to vdomtest1]

The FortiAuthenticator RADIUS debug shows the attributes returned in the Access-Accept, including the VDOM:

2024-11-04T17:37:22.498844+02:00 fac radiusd[3512]: (7) Sent Access-Accept Id 58 from 192.168.2.100:1812 to 192.168.2.254:18184 length 87
2024-11-04T17:37:22.498875+02:00 fac radiusd[3512]: (7) Message-Authenticator := 0x00
2024-11-04T17:37:22.498885+02:00 fac radiusd[3512]: (7) Fortinet-Group-Name += "group"
2024-11-04T17:37:22.498895+02:00 fac radiusd[3512]: (7) Fortinet-Access-Profile += "super_admin"
2024-11-04T17:37:22.498912+02:00 fac radiusd[3512]: (7) Fortinet-Vdom-Name += "vdomtest1"


Related article:

Multi VDOM configuration examples - FortiGate administration guide