This article describes how to configure multiple remote administrators to be assigned different administrator profiles based on LDAP group membership.
FortiGate Administration and LDAP.
It is possible to assign different administrator profiles based on VSA attributes returned by a RADIUS server, as described in the article below.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Providing-different-admin-access-profiles/...
When no RADIUS server is available, wildcard administrators can instead be mapped to LDAP group membership, as shown in this article.
Configuration Steps:
Note.
An existing LDAP server entry on the FortiGate can be reused, or a separate entry can be created if administrator authentication requires specific 'group-member-check' and/or 'group-filter' settings.
LDAP Server Configuration:
Configure the LDAP or LDAPS server as described in the KB articles listed under Related Articles.
For this example, the LDAP server is configured as follows.
CLI configuration:
# config user ldap
edit "DC1-LDAPS-ADMINS"
set server "dc1.colombas.lab"
set cnid "sAMAccountName"
set dn "dc=colombas,dc=lab"
set type regular
set username "cn=administrator,cn=users,dc=colombas,dc=lab"
set password ENC xxxxxxxx
set group-member-check user-attr
set group-search-base ''
set group-filter ''
set secure ldaps
set ca-cert "LDAPS-CA"
set port 636
set password-expiry-warning enable
set password-renewal enable
next
end
Firewall Groups configuration:
Create the firewall groups.
Each firewall group is mapped to one or more Active Directory groups, as in the example below:
CLI configuration:
# config user group
edit "Admins-Escalations"
set member "DC1-LDAPS-ADMINS"
config match
edit 1
set server-name "DC1-LDAPS-ADMINS"
set group-name "CN=Escalations,CN=Users,DC=Colombas,DC=lab"
next
end
next
end
Admin Profile Configuration:
Create Admin Profiles that will be assigned to different Administrators:
Define permissions as needed for each profile as per example below:
CLI Configuration:
# config system accprofile
edit "Level3"
set secfabgrp read-write
set ftviewgrp read-write
set authgrp read-write
set sysgrp read-write
set netgrp read-write
set loggrp read-write
set fwgrp read-write
set vpngrp read-write
set utmgrp read-write
set wanoptgrp read-write
set wifi read-write
next
end
Administrators Configuration:
Create wildcard administrators and assign the remote user group defined previously.
In the example below, Administrator 'L3-Admins-LDAP' is mapped to group 'Admins-Escalations'.
CLI Configuration:
# config system admin
edit "L3-Admins-LDAP"
set remote-auth enable
set accprofile "Level3"
set vdom "root"
set wildcard enable
set remote-group "Admins-Escalations"
next
end
Verification
With the above configuration in place, administrators will be able to log in and will be assigned the admin profile that corresponds to their AD group membership.
Active Administrator Sessions can be viewed from the 'Administrators' Widget in the default 'Status' Dashboard.
Active sessions can also be listed from the CLI, but the profiles associated with them are not displayed:
FGT1-A # get system info admin status
However, the help output of the command used to disconnect an administrator session does display the profile assigned to each session:
FGT1-A # execute disconnect-admin-session ?
The same command can additionally be used to disconnect a specific session by specifying its session index.
Troubleshooting
Failed or successful attempts can be checked from 'System Events' under 'Log & Report'.
Debugging information can be collected from the CLI with the commands below:
# diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
Sample output from a successful login is shown below:
# 2022-05-29 10:29:26 [1906] handle_req-Rcvd auth req 353110676 for carlos in Admins-L1 opt=00014001 prot=11
2022-05-29 10:29:26 [466] __compose_group_list_from_req-Group 'Admins-L1', type 1
2022-05-29 10:29:26 [616] fnbamd_pop3_start-carlos
2022-05-29 10:29:26 [378] radius_start-Didn't find radius servers (0)
2022-05-29 10:29:26 [1068] __tac_plus_try_next_server-Try DC1-TACACS+:172.16.1.10
2022-05-29 10:29:26 [358] __tac_plus_dns_cb-Resolved DC1-TACACS+:172.16.1.10 to 172.16.1.10, cur stack size:1
2022-05-29 10:29:26 [278] sock_connect-connecting DC1-TACACS+:172.16.1.10: 172.16.1.10
2022-05-29 10:29:26 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=carlos
2022-05-29 10:29:26 [1727] fnbamd_ldap_init-search base is: dc=colombas,dc=lab
2022-05-29 10:29:26 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x5 'dc1.colombas.lab'
2022-05-29 10:29:26 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2005 'dc1.colombas.lab'
2022-05-29 10:29:26 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2022-05-29 10:29:26 [633] create_auth_session-Total 2 server(s) to try
2022-05-29 10:29:26 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x5
2022-05-29 10:29:26 [305] fnbamd_dns_parse_resp-req 0x5: 172.16.1.10
2022-05-29 10:29:26 [1149] __fnbamd_ldap_dns_cb-Resolved DC1-LDAPS-ADMINS:dc1.colombas.lab to 172.16.1.10, cur stack size:1
2022-05-29 10:29:26 [924] __fnbamd_ldap_get_next_addr-
2022-05-29 10:29:26 [1154] __fnbamd_ldap_dns_cb-Connection starts DC1-LDAPS-ADMINS:dc1.colombas.lab, addr 172.16.1.10 over SSL
2022-05-29 10:29:26 [879] __fnbamd_ldap_start_conn-Still connecting 172.16.1.10.
2022-05-29 10:29:26 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2005
2022-05-29 10:29:26 [265] fnbamd_dns_parse_resp-req 0x5: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2022-05-29 10:29:26 [35] __fnbamd_dns_req_del-DNS req 0x5 (0x1008ec00) is removed. Current total: 2
2022-05-29 10:29:26 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2022-05-29 10:29:26 [1149] __fnbamd_ldap_dns_cb-Resolved DC1-LDAPS-ADMINS:dc1.colombas.lab to ::, cur stack size:0
2022-05-29 10:29:26 [1107] __ldap_connect-tcps_connect(172.16.1.10) is established.
2022-05-29 10:29:26 [985] __ldap_rxtx-state 3(Admin Binding)
2022-05-29 10:29:26 [363] __ldap_build_bind_req-Binding to 'cn=administrator,cn=users,dc=colombas,dc=lab'
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 75 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 1
2022-05-29 10:29:26 [985] __ldap_rxtx-state 4(Admin Bind resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'DN search'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 11(DN search)
2022-05-29 10:29:26 [750] fnbamd_ldap_build_dn_search_req-base:'dc=colombas,dc=lab' filter:sAMAccountName=carlos
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 75 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 2
2022-05-29 10:29:26 [985] __ldap_rxtx-state 12(DN search resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 62
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 64, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1225] __fnbamd_ldap_dn_entry-Get DN 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 65
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 67, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'User Binding'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 5(User Binding)
2022-05-29 10:29:26 [596] fnbamd_ldap_build_userbind_req-Trying DN 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [363] __ldap_build_bind_req-Binding to 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 109 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 3
2022-05-29 10:29:26 [985] __ldap_rxtx-state 6(User Bind resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'Attr query'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 7(Attr query)
2022-05-29 10:29:26 [649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
2022-05-29 10:29:26 [661] fnbamd_ldap_build_attr_search_req-base:'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab' filter:cn=*
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 123 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 4
2022-05-29 10:29:26 [985] __ldap_rxtx-state 8(Attr query resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 214
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 216, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [556] __get_member_of_groups-Get the memberOf groups.
2022-05-29 10:29:26 [522] __retrieve_group_values-Get the memberOf groups.
2022-05-29 10:29:26 [532] __retrieve_group_values- attr='memberOf', found 1 values
2022-05-29 10:29:26 [542] __retrieve_group_values-val[0]='CN=Escalations,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1305] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'Primary group query'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 13(Primary group query)
2022-05-29 10:29:26 [685] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
2022-05-29 10:29:26 [689] fnbamd_ldap_build_primary_grp_search_req-number of sub auths 5
2022-05-29 10:29:26 [707] fnbamd_ldap_build_primary_grp_search_req-base:'dc=colombas,dc=lab' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\40\54\06\98\ae\31\62\4e\0f\94\22\32\01\02\00\00))
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 122 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 5
2022-05-29 10:29:26 [985] __ldap_rxtx-state 14(Primary group query resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 111
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 113, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-entry
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [472] __get_one_group-group: CN=Domain Users,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 65
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 67, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-result
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1433] __fnbamd_ldap_primary_grp_next-Auth accepted
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'Done'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 23(Done)
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 7 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 6
2022-05-29 10:29:26 [785] __ldap_done-svr 'DC1-LDAPS-ADMINS'
2022-05-29 10:29:26 [755] __ldap_destroy-
2022-05-29 10:29:26 [724] __ldap_stop-Conn with 172.16.1.10 destroyed.
2022-05-29 10:29:26 [2678] fnbamd_ldap_result-Result for ldap svr dc1.colombas.lab(DC1-LDAPS-ADMINS) is SUCCESS
2022-05-29 10:29:26 [401] ldap_copy_grp_list-copied CN=Escalations,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [401] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [1653] fnbam_user_auth_group_match-req id: 353110676, server: DC1-LDAPS-ADMINS, local auth: 0, dn match: 1
2022-05-29 10:29:26 [2690] fnbamd_ldap_result-Passed group matching
2022-05-29 10:29:26 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 353110676, len=2236
2022-05-29 10:29:26 [789] destroy_auth_session-delete session 353110676
2022-05-29 10:29:26 [1077] tac_plus_destroy-DC1-TACACS+
2022-05-29 10:29:26 [755] __ldap_destroy-
2022-05-29 10:29:26 [1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC1-LDAPS-ADMINS' ctx
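The debug output above is long, and the lines that actually decide the outcome are easy to miss. The following Python script is an added example (not part of the original article or of FortiOS) that extracts them from an excerpt copied from that output: the user, the DN found by the DN search, the groups collected from 'memberOf' plus the primary group check, the LDAP result and the 'dn match' flag. It then applies the same mapping the configuration sections above define (firewall group to AD group DN, wildcard administrator to remote-group and accprofile) to show which admin profile the login receives. The USER_GROUPS and WILDCARD_ADMINS dictionaries are assumptions that mirror the example configuration; note that DN comparison is case-insensitive, which is why 'DC=Colombas' in the configuration matches 'DC=colombas' in the output.

```python
import re

# Excerpt copied from the fnbamd debug output above (only the lines that carry the decision).
SAMPLE_DEBUG = """\
2022-05-29 10:29:26 [1906] handle_req-Rcvd auth req 353110676 for carlos in Admins-L1 opt=00014001 prot=11
2022-05-29 10:29:26 [1225] __fnbamd_ldap_dn_entry-Get DN 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [542] __retrieve_group_values-val[0]='CN=Escalations,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [472] __get_one_group-group: CN=Domain Users,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [2678] fnbamd_ldap_result-Result for ldap svr dc1.colombas.lab(DC1-LDAPS-ADMINS) is SUCCESS
2022-05-29 10:29:26 [1653] fnbam_user_auth_group_match-req id: 353110676, server: DC1-LDAPS-ADMINS, local auth: 0, dn match: 1
"""

# Assumed mirrors of 'config user group' and 'config system admin' from the article.
USER_GROUPS = {"Admins-Escalations": ["CN=Escalations,CN=Users,DC=Colombas,DC=lab"]}
WILDCARD_ADMINS = {"L3-Admins-LDAP": ("Admins-Escalations", "Level3")}  # admin -> (remote-group, accprofile)


def normalize_dn(dn):
    """LDAP DN comparison is case-insensitive: fold case and trim blanks around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_fnbamd_debug(text):
    """Extract user, resolved DN, AD groups (memberOf + primary group) and results from fnbamd lines."""
    info = {"user": None, "dn": None, "groups": [], "ldap_result": None, "dn_match": None}
    for line in text.splitlines():
        if m := re.search(r"Rcvd auth req \d+ for (\S+) in ", line):
            info["user"] = m.group(1)
        elif m := re.search(r"__fnbamd_ldap_dn_entry-Get DN '([^']+)'", line):
            info["dn"] = m.group(1)
        elif m := re.search(r"__retrieve_group_values-val\[\d+\]='([^']+)'", line):
            info["groups"].append(m.group(1))          # groups from the memberOf attribute
        elif m := re.search(r"__get_one_group-group: (.+)$", line):
            info["groups"].append(m.group(1).strip())  # primary group found via objectSid
        elif m := re.search(r"fnbamd_ldap_result-Result for ldap svr .* is (\w+)", line):
            info["ldap_result"] = m.group(1)
        elif m := re.search(r"dn match: ([01])", line):
            info["dn_match"] = m.group(1) == "1"
    return info


def resolve_admin_profile(groups):
    """Return (wildcard admin, accprofile) for the first admin whose remote-group matches, else None."""
    have = {normalize_dn(g) for g in groups}
    for admin, (remote_group, profile) in WILDCARD_ADMINS.items():
        wanted = {normalize_dn(g) for g in USER_GROUPS.get(remote_group, [])}
        if have & wanted:
            return admin, profile
    return None
```

A user who is only in 'Domain Users' resolves to None, which is the case to check first when a login is refused with 'Passed group matching' absent from the debug output.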
Related Articles
Technical Tip: How to configure LDAP server
Copyright 2024 Fortinet, Inc. All Rights Reserved.