Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AmirZ
Staff
Staff

Created on ‎05-10-2023 12:23 AM Edited on ‎11-06-2024 01:31 AM By Moderator

Article Id 255888

Technical Tip: FortiGate admin access using FortiAuthenticator

 

Description This article describes how to manage to access FortiGate through FortiAuthenticator based on the admin account profile privileges created on FortiGate. 
Scope FortiGate.
Solution

FortiGate steps:

  1. Create a new admin profile (In this example, a read-only profile has been used).

 

Create the admin profile with the privileges needed.

 

Note: The name of this profile must be the exact name used in the FortiAuthenticator step 2 (creating group – RADIUS attributes).

 

1.png

 

  1. Create a RADIUS Server:
    Create a RADIUS Server. In this case, FortiAuthenticator is acting as a RADIUS server.


    Note: Verify this with Step 1 on FortiAuthenticator.

     

    2.png

     

     

  2. This step should be completed after step 3 on FortiAuthenticator.

    Create a group on FortiGate that matches the remote server. Note that it is necessary to specify the remote server group name, which is the same name as the Group created on FortiAuthenticator.

     

    3.png

     

     

  3. Create a new admin user with a wild card enabled to match the group created FortiAuthenticator, so any user that is added to the FortiAuthenticatorgroup will be able to access the FortiGate with the privilege associated with the RADIUS attribute:

     

 

4.1.png

 

4.2.png

 

FortiAuthenticator Steps:

Assumption: LDAP server config already exists and remote users are imported to FortiAuthenticator.

 

  1. Configure FortiGate client:

 

FAC1.png

 

  1. Configure user group (This is the basic step where RADIUS attributes are matched).

    The name of this group is the same used as a RADIUS attribute ‘Fortinet-Group-Name’.

    The ‘Fortinet-Access-Profile’ attribute must be exactly the same name as the admin profile created in the Step 1 FortiGate configuration.

    In this step, select users from LDAP who want to allow access to the FortiGate.

     

    FAC2.png

     

     

  2. Configure RADIUS policies:

     

    FAC3.1.png

     

     

    FAC3.2.png

     

  3. By default, the RADIUS service is not enabled in the interfaces. Therefore, go through the following path:
    System -> Network -> Interfaces, select the interface and enable the RADIUS service.

 

                                              RADIUS service.png

 

Related article:

Technical Tip: Remote admin login with Radius selecting admin access account profile 

 

 

2499
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.