Description
This article describes how to restrict local admin authentication when a remote authentication server is running.
Scope
FortiGate.
Solution
config system global
set admin-restrict-local {enable | disable} <----- Default is set to disable.
end
Behavior before FortiOS v7.2.0:
If enabled, local admin authentication is blocked as long as any remote authentication server configured on the FortiGate (TACACS+, LDAP, or RADIUS) is up and running. Local admins are allowed access only if no remote server is reachable.
Behavior from FortiOS v7.2.0:
If enabled, FortiGate now checks only whether the remote authentication servers actually referenced by administrator accounts under 'config system admin' are down, rather than every remote server configured on the FortiGate, before allowing local administrators to log in. A remote server that is used only elsewhere (for example by a VPN user group) no longer blocks local admin logins.
Note:
In both cases (before and from v7.2.0), this setting applies to FortiGate GUI/CLI (ssh/telnet) access only. Console access to the FortiGate remains available to local administrators even if the remote authentication servers are up.
Behavior from FortiOS v7.6.0:
config system global
set admin-restrict-local {all | non-console-only | disable} <----- Default is set to disable.
end
Related document:
Restrict local administrator logins through the console
Note:
The setting of 'all' applies to FortiGate GUI/CLI (ssh/telnet) and console access. If the remote authentication servers are up, the local admin accounts are not available, including via the console. A reachable server whose administrator account is locked out or misconfigured still counts as 'up', so verify that at least one remote administrator account can log in end to end before selecting 'all'. As the name indicates, 'non-console-only' restricts GUI and ssh/telnet local logins while leaving console login with a local administrator available, matching the earlier 'enable' behavior.
In a multi-VDOM environment, the management access interface and the RADIUS server configuration are expected to be associated with the same VDOM.
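The following is an added worked example, not taken from the original article or from Fortinet, showing how a remote server becomes 'applied in system admin' (the condition that matters from v7.2.0), a local break-glass account, and the restriction setting, together with the check to run before tightening it. The server names RADIUS-MGMT and RADIUS-VPN, the addresses 10.0.0.10 and 10.0.0.11, the group ADMIN-GRP and the administrator names are assumptions; secrets and passwords are placeholders. Lines beginning with '#' are annotations, not FortiOS CLI.

```text
# Remote server whose availability gates local admin logins once it is
# referenced from 'config system admin'.
config user radius
    edit "RADIUS-MGMT"
        set server "10.0.0.10"
        set secret <shared-secret>
    next
end

# A server used only elsewhere (for example by an SSL VPN user group) is not
# applied in 'system admin'. From v7.2.0 its status is ignored by
# admin-restrict-local; before v7.2.0 it would also have blocked local logins.
config user radius
    edit "RADIUS-VPN"
        set server "10.0.0.11"
        set secret <shared-secret>
    next
end

# Group that references the management server; 'system admin' points at it.
config user group
    edit "ADMIN-GRP"
        set member "RADIUS-MGMT"
    next
end

# Wildcard administrator: any user authenticated by RADIUS-MGMT and matched
# to ADMIN-GRP logs in with this profile. This reference is what makes
# RADIUS-MGMT "applied in system admin".
config system admin
    edit "radius-admins"
        set remote-auth enable
        set remote-group "ADMIN-GRP"
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
    next
end

# Local break-glass account. With 'non-console-only' it still works on the
# console while RADIUS-MGMT is up; with 'all' it works nowhere until
# RADIUS-MGMT is down.
config system admin
    edit "local-admin"
        set accprofile "super_admin"
        set vdom "root"
        set password <strong-local-password>
    next
end

# Before v7.6.0 the only choice is 'enable' (GUI and ssh/telnet only).
# From v7.6.0 choose the scope explicitly; start with the safer option.
config system global
    set admin-restrict-local non-console-only
end

# Confirm the remote path works end to end before considering 'all'.
# Replace pap with the scheme the RADIUS server actually accepts.
diagnose test authserver radius RADIUS-MGMT pap <radius-user> <radius-password>
```

Apply the 'system global' change last, from a session you keep open, and open a second session with a RADIUS-backed administrator to confirm it succeeds before closing the first; if the diagnostic above fails, fix the RADIUS side first, since the restriction only looks at server reachability and not at whether your account is accepted.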