Created on 06-24-2023 09:36 AM Edited on 06-26-2023 02:44 AM By Jean-Philippe_P
Description: This article explains when to use remote admin accounts to manage a FortiGate. External authentication for firewall administrators or for guest sponsor accounts is common practice, but it needs special attention when VDOMs are enabled.
Scope: FortiGate v6.4, v7.0, v7.2.
Solution:
Definitions:
- Remote: the admin account matches one specific user in a remote server group.
- Remote+Wildcard: the admin account matches all users in a remote server group.
Only one wildcard admin should exist per VDOM. If several wildcard admins apply to the same VDOM, authentication is only attempted against the group that comes first in alphabetical order. A global wildcard admin is present in every VDOM, so if its name sorts first it will be the only account matched for wildcard users in all VDOMs. It is therefore recommended to configure each firewall administrator as a 'Remote' account ('Match a user on remote server group').
Create a user that will then be mapped to a remote group.
Although 'Remote+Wildcard' can be used, keep in mind the limitation above: effectively only one group is matched per VDOM.
Consider the following layout:
- Wildcard admins (Remote+Wildcard) for profile admins or guest admins, each attached to its own VDOM. Access should be done from that VDOM's management IP.
- Remote (non-wildcard) admins for global administrators.
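The layout above, as an added CLI example that is not part of the original article: a multi-VDOM FortiGate with a management VDOM 'root' and a second VDOM 'VDOM1'. The LDAP server address, bind DN, group DNs, VDOM names, admin names and access profiles are assumptions; adjust them to the environment. It is also assumed that the user group referenced by an admin is defined in the VDOM the admin is assigned to (the management VDOM for global admins), since LDAP servers and user groups are per-VDOM objects.

```fortios
# Added example, not from the original article. Assumed names: LDAP server
# "LDAP-SRV" at 10.0.0.10, base DN dc=example,dc=com, VDOMs "root" (management)
# and "VDOM1", groups FW-Global-Admins and VDOM1-Admins, admins "jdoe" and
# "vdom1-wildcard". Replace "CHANGE_ME" with the real bind password.

# 1. Remote server and group for global administrators (management VDOM).
config vdom
    edit root
        config user ldap
            edit "LDAP-SRV"
                set server "10.0.0.10"
                set cnid "sAMAccountName"
                set dn "dc=example,dc=com"
                set type regular
                set username "cn=svc-fgt,ou=service,dc=example,dc=com"
                set password "CHANGE_ME"
                set secure ldaps
                set port 636
            next
        end
        config user group
            edit "FW-Global-Admins"
                set member "LDAP-SRV"
                config match
                    edit 1
                        set server-name "LDAP-SRV"
                        set group-name "CN=FW-Global-Admins,OU=Groups,DC=example,DC=com"
                    next
                end
            next
        end
    next
end

# 2. Same server and a separate group inside VDOM1 for that VDOM's admins.
config vdom
    edit VDOM1
        config user ldap
            edit "LDAP-SRV"
                set server "10.0.0.10"
                set cnid "sAMAccountName"
                set dn "dc=example,dc=com"
                set type regular
                set username "cn=svc-fgt,ou=service,dc=example,dc=com"
                set password "CHANGE_ME"
                set secure ldaps
                set port 636
            next
        end
        config user group
            edit "VDOM1-Admins"
                set member "LDAP-SRV"
                config match
                    edit 1
                        set server-name "LDAP-SRV"
                        set group-name "CN=VDOM1-Admins,OU=Groups,DC=example,DC=com"
                    next
                end
            next
        end
    next
end

# 3. Administrator accounts (global scope).
config global
    config system admin
        # Global administrator: 'Remote' (no wildcard). The account name is the
        # remote username, so only that member of FW-Global-Admins can log in.
        edit "jdoe"
            set remote-auth enable
            set accprofile "super_admin"
            set remote-group "FW-Global-Admins"
        next
        # The single wildcard admin for VDOM1: any member of VDOM1-Admins logs in
        # through the VDOM1 management IP with a restricted profile. Do not add a
        # second wildcard admin for the same VDOM and do not create a global
        # wildcard admin; whichever sorts first alphabetically would be the only
        # one matched for wildcard logins.
        edit "vdom1-wildcard"
            set remote-auth enable
            set wildcard enable
            set accprofile "prof_admin"
            set vdom "VDOM1"
            set remote-group "VDOM1-Admins"
        next
    end
end
```

Before relying on group matching, confirm that the server returns the expected group for a test user from inside the VDOM that holds the server definition, for example `diagnose test authserver ldap LDAP-SRV jdoe <password>`; the output lists the user's group memberships, which must contain the DN configured under `config match` for the login to succeed.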
Related documents:
- Configuring wildcard admin accounts
Related articles:
- Technical Tip: Configuring LDAP users as the Guest account sponsor
- Technical Tip: Remote admin login with Radius selecting admin access account profile
- Technical Note: Fortigate: Admin login with remote Radius and vdom access profile
Copyright 2024 Fortinet, Inc. All Rights Reserved.