Created on 09-07-2023 02:18 AM, edited on 09-07-2023 02:20 AM, by Jean-Philippe_P
This article describes the issues that can occur when the RADIUS server used for a RADIUS wildcard administrator login to the FortiGate is defined in a non-management VDOM.
Any supported version of FortiOS.
This article assumes that the RADIUS server and the wildcard system administrator are already configured correctly.
There are two VDOMs in place: the root VDOM (which is the management VDOM) and another VDOM named TestA.
The root VDOM has an LDAP server and an LDAP user group.
TestA has a RADIUS server and a RADIUS user group.
In the global VDOM, create a wildcard administrator. Regardless of the administrator username, all users of the LDAP remote user group will be able to log in to the FortiGate, because the LDAP server is on the root VDOM.
Since the RADIUS server belongs to the TestA VDOM, an admin user who is a member of the RADIUS user group will not be able to log in to the FortiGate; the login fails.
This was verified with a packet capture (PCAP): even for a RADIUS user, the authentication traffic is sent out to the LDAP server.
Important note:
Whenever the RADIUS server is part of the TestA VDOM, the login does not work.
Whenever the RADIUS server is part of the root VDOM (the management VDOM), the login works.
This is the expected behavior by design: in order to log in as an administrator to the FortiGate, the remote authentication server should be part of the management VDOM.
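To catch this configuration before an administrator is locked out, here is an added audit script (not Fortinet's code and not from the original article) that parses a constructed FortiOS-style config dump and flags remote-auth admins whose remote group, and therefore its RADIUS or LDAP server, is defined outside the management VDOM. The config keys used (remote-auth, remote-group, management-vdom, member) are assumed from the standard CLI syntax, and the sample dump is constructed; it only needs to list the user group, since a FortiOS user group can only contain servers defined in its own VDOM.

```python
"""Added example (not Fortinet code): flag remote admins whose user group is outside the management VDOM."""
import shlex

def parse(text):
    """Map nested config/edit/set/next/end lines to {path_tuple: {key: [values]}}."""
    tree, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "set":
            tree.setdefault(tuple(stack), {})[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return tree

def audit(tree):
    """Return [(admin, group, vdom)] for remote-auth admins bound to a group in a non-management VDOM."""
    mgmt = tree.get(("global", "system global"), {}).get("management-vdom", ["root"])[0]
    # A user group can only hold servers of its own VDOM, so the group's VDOM is the server's VDOM.
    group_vdom = {p[3]: p[1] for p in tree
                  if len(p) == 4 and p[0] == "vdom" and p[2] == "user group"}
    return [(p[2], g, group_vdom[g])
            for p, s in tree.items()
            if len(p) == 3 and p[:2] == ("global", "system admin")
            and s.get("remote-auth") == ["enable"]
            for g in s.get("remote-group", [])
            if group_vdom.get(g, mgmt) != mgmt]

SAMPLE = """\
config global
config system admin
    edit "radius_admin"
        set remote-auth enable
        set wildcard enable
        set remote-group "RADIUS_group"
    next
end
end
config vdom
edit TestA
config user group
    edit "RADIUS_group"
        set member "RADIUS_srv"
    next
end
next
end
"""
FIXED = SAMPLE.replace("edit TestA", "edit root")  # same objects moved to the management VDOM
```

`audit(parse(SAMPLE))` reports the radius_admin account bound to a group in TestA, while `audit(parse(FIXED))` returns an empty list once the group and its server live in root.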
Related article:
Technical Tip: Remote admin login with Radius selecting admin access account profile