Created on 12-23-2020 05:58 AM Edited on 08-02-2024 06:22 AM By Jean-Philippe_P
Description
This article describes how to restrict local admin authentication when a remote authentication server is running.
Scope
FortiGate.
Solution
config system global
set admin-restrict-local {enable | disable} <----- Default is set to disable.
end
Behavior before FortiOS v7.2.0:
If enabled, local admin authentication is blocked as long as any remote authentication server configured on the FortiGate (TACACS, LDAP, or RADIUS) is up and running. Local admins are allowed access only if no remote server is reachable.
Behavior from FortiOS v7.2.0:
If enabled, FortiGate now only checks whether all remote authentication servers referenced under 'system admin' are down, rather than all remote servers configured on the FortiGate, before allowing local administrators to log in.
NOTE:
This setting applies to FortiGate GUI/CLI (SSH/Telnet) access only. In both cases, console access to the FortiGate remains available to local administrators even if the remote authentication servers are up.
Behavior from FortiOS v7.6.0:
config system global
set admin-restrict-local {all | non-console-only | disable} <----- Default is set to disable.
end
The 'all' option also restricts local administrator logins through the console.
NOTE:
The setting 'all' applies to FortiGate GUI/CLI (SSH/Telnet) and console access. If the remote authentication servers are up, the local admin account will not be available, including via the console.
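As an added example (not from the article or from Fortinet), the following Python model encodes the decision rules described above, so an administrator can reason about lockout risk for a given setting, FortiOS version and access channel before enabling it. The class and field names, the server names and their reachability states are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class AuthServer:
    """One remote authentication server configured on the FortiGate (constructed)."""
    name: str
    kind: str         # "tacacs", "ldap" or "radius"
    reachable: bool   # constructed state; a real unit determines this itself


@dataclass
class FortiGateAuthPolicy:
    """Models the admin-restrict-local behaviour per FortiOS version (hypothetical model)."""
    version: tuple              # e.g. (7, 2, 0)
    admin_restrict_local: str   # "disable", "enable", "all" or "non-console-only"
    servers: list               # every remote server configured on the unit
    admin_server_names: set     # servers referenced under 'system admin'

    def _restricted_channels(self):
        # 'disable' never blocks local admins on any channel.
        if self.admin_restrict_local == "disable":
            return set()
        # From 7.6.0, 'all' extends the restriction to the console.
        if self.admin_restrict_local == "all" and self.version >= (7, 6, 0):
            return {"gui", "ssh", "telnet", "console"}
        # 'enable' (before 7.6.0) and 'non-console-only' (7.6.0+) spare the console.
        return {"gui", "ssh", "telnet"}

    def _remote_auth_available(self):
        # Before 7.2.0 any configured server counts; from 7.2.0 only those
        # referenced under 'system admin' are checked.
        if self.version >= (7, 2, 0):
            relevant = [s for s in self.servers if s.name in self.admin_server_names]
        else:
            relevant = self.servers
        return any(s.reachable for s in relevant)

    def local_admin_allowed(self, channel):
        """True if a local administrator may log in over the given channel."""
        if channel not in self._restricted_channels():
            return True
        return not self._remote_auth_available()


if __name__ == "__main__":
    ldap1 = AuthServer("ldap1", "ldap", reachable=True)    # configured, not used by admins
    rad1 = AuthServer("rad1", "radius", reachable=False)   # referenced under 'system admin'
    for ver in ((7, 0, 0), (7, 2, 0)):
        pol = FortiGateAuthPolicy(ver, "enable", [ldap1, rad1], {"rad1"})
        print(ver, "ssh local admin allowed:", pol.local_admin_allowed("ssh"))
```

Running the demo shows the 7.2.0 change: the unreferenced but reachable LDAP server blocks local SSH admins on 7.0 but not on 7.2.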
Copyright 2024 Fortinet, Inc. All Rights Reserved.