FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
sthampi_FTNT
Staff
Article Id 198558
Description
The purpose of this document is to explain how to configure a workflow approval matrix using one RADIUS server and two wildcard admins. The first wildcard admin is used to create sessions and the second wildcard admin is used to approve them.

The scenario is:
User A in Group A on RADIUS Server A is able to approve the sessions created by User B in Group B on RADIUS Server A.
Solution
The following explains how to configure and validate a workflow approval matrix using remote RADIUS admins.

Configure only one RADIUS server on the FortiManager.

Create two wildcard admins using the same RADIUS server, Win16:

- First wildcard admin: Log_on_FMG, which is part of the workflow approval matrix
- Second wildcard admin: Log_On_FMG_2, which is not part of the workflow approval matrix

show sys admin user Log_on_FMG
config system admin user
    edit "Log_on_FMG"
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package
        set user_type radius
        set radius_server "Win16"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-adom-override enable
        set ext-auth-group-match "fmg_faz_admin"
        config dashboard
            edit 1
                set name "System Information"
                set column 1
                set refresh-interval 0
                set tabid 1
                set widget-type sysinfo
            next

Configure the extended attributes for Log_On_FMG_2 with the group match set to Non_fmg_admin (this value will later be used as the Vendor Specific Attribute returned by the RADIUS server policy):

show sys admin user Log_On_FMG_2

config system admin user
    edit "Log_On_FMG_2"
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package
        set user_type radius
        set radius_server "Win16"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-adom-override enable
        set ext-auth-group-match "Non_fmg_admin"
        config dashboard
            edit 1
                set name "System Information"

Configure the Windows RADIUS server with two users:

- Username: fortinet, part of Group1 on the RADIUS server
- Username: fortinet2, part of Group2 on the RADIUS server

Configure two policies on the RADIUS server so that when a user logs in with the username fortinet, the RADIUS server returns the following attributes: fmg_faz_admin, Super_User, root.

When a user logs in with the username fortinet2, the RADIUS server returns the following attributes: Non_fmg_admin, Super_User, root.

The group attribute returned by the RADIUS server must match the ext-auth-group-match string of the wildcard admin exactly, since this is what selects the template (and therefore the approval matrix membership) for the login.

Now log in to the FortiManager with the username fortinet2, create a session and submit it.

Now log in to the FortiManager with the username fortinet and approve the session created by fortinet2.


We can verify which user received which template by running the following command on the FortiManager CLI:

diag sys admin list
*** entry 0 ***
session_id: 45999 (seq: 0)
username: fortinet
admin template: Log_on_FMG
from: GUI (10.32.58.100) (type 1)
profile: Super_User (type 3)
adom: root
session length: 143 (seconds)
idle: 2 (seconds)

*** entry 1 ***
session_id: 26227 (seq: 0)
username: admin
admin template: admin
from: ssh(10.32.58.100) (type 0)
profile: Super_User (type 3)
adom: root
session length: 42 (seconds)

*** entry 2 ***
session_id: 48080 (seq: 0)
username: fortinet2
admin template: Log_On_FMG_2
from: GUI (10.32.58.100) (type 1)
profile: Super_User (type 3)
adom: root
session length: 2 (seconds)
idle: 0 (seconds)
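As an added example that is not part of the original article or of any Fortinet tooling, the following Python script models the mapping described above (RADIUS group attribute to wildcard admin template to approval matrix membership) and parses the text of `diag sys admin list` so the verification step can be automated: it checks that each RADIUS user received the expected template and reports which logged-in admins are eligible to approve. The sample output embedded in the script is constructed from the article's output; the template names, group strings and the `select_template`, `parse_admin_list`, `can_approve` and `template_mismatches` functions are this example's own assumptions, not FortiManager APIs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Wildcard admin templates as configured in the article: the value of
# ext-auth-group-match maps to the template name. Only Log_on_FMG is a
# member of the workflow approval matrix.
WILDCARD_ADMINS = {
    "fmg_faz_admin": "Log_on_FMG",
    "Non_fmg_admin": "Log_On_FMG_2",
}
APPROVAL_MATRIX = {"Log_on_FMG"}


def select_template(radius_group: str) -> Optional[str]:
    """Return the wildcard admin whose ext-auth-group-match equals the group
    attribute returned by the RADIUS server. The comparison is an exact string
    match, so a stray character (e.g. 'fmg_faz_admins') matches nothing and the
    login is not mapped to a wildcard admin."""
    return WILDCARD_ADMINS.get(radius_group)


@dataclass
class AdminSession:
    session_id: int
    username: str
    template: str      # "admin template" line of diag sys admin list
    source: str        # "from" line (GUI/ssh and client address)
    profile: str
    adom: str


ENTRY_RE = re.compile(r"\*\*\* entry \d+ \*\*\*")


def parse_admin_list(output: str) -> list:
    """Parse the text of 'diag sys admin list' into AdminSession records."""
    sessions = []
    for chunk in ENTRY_RE.split(output)[1:]:   # text before entry 0 is the command echo
        fields = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        sessions.append(AdminSession(
            session_id=int(fields["session_id"].split()[0]),  # drop "(seq: 0)"
            username=fields["username"],
            template=fields["admin template"],
            source=fields["from"],
            profile=fields["profile"].split()[0],             # drop "(type 3)"
            adom=fields["adom"],
        ))
    return sessions


def can_approve(session: AdminSession) -> bool:
    """A logged-in admin may approve workflow sessions only if the template
    it was mapped to is part of the approval matrix."""
    return session.template in APPROVAL_MATRIX


def template_mismatches(sessions, expected: dict) -> list:
    """Compare the templates actually assigned (from the diag output) against
    the templates expected for each RADIUS user; returns (user, got, want)."""
    return [(s.username, s.template, expected[s.username])
            for s in sessions
            if s.username in expected and s.template != expected[s.username]]


# Constructed sample, modelled on the article's diag sys admin list output.
SAMPLE_ADMIN_LIST = """diag sys admin list
*** entry 0 ***
session_id: 45999 (seq: 0)
username: fortinet
admin template: Log_on_FMG
from: GUI (10.32.58.100) (type 1)
profile: Super_User (type 3)
adom: root
session length: 143 (seconds)
idle: 2 (seconds)

*** entry 1 ***
session_id: 26227 (seq: 0)
username: admin
admin template: admin
from: ssh(10.32.58.100) (type 0)
profile: Super_User (type 3)
adom: root
session length: 42 (seconds)

*** entry 2 ***
session_id: 48080 (seq: 0)
username: fortinet2
admin template: Log_On_FMG_2
from: GUI (10.32.58.100) (type 1)
profile: Super_User (type 3)
adom: root
session length: 2 (seconds)
idle: 0 (seconds)
"""

# Templates each RADIUS user should receive, derived from the RADIUS policies.
EXPECTED = {
    "fortinet": select_template("fmg_faz_admin"),
    "fortinet2": select_template("Non_fmg_admin"),
}

if __name__ == "__main__":
    sessions = parse_admin_list(SAMPLE_ADMIN_LIST)
    for s in sessions:
        print(f"{s.username:10} template={s.template:14} approver={can_approve(s)}")
    print("mismatches:", template_mismatches(sessions, EXPECTED))
```

Running the script against the sample shows fortinet mapped to Log_on_FMG (approver), fortinet2 mapped to Log_On_FMG_2 (not an approver) and the local admin account outside the matrix, with no mismatches. If a RADIUS policy returned a group value that differs from the configured ext-auth-group-match, `select_template` returns None and the mismatch list makes the misconfiguration visible before anyone tries to approve a session.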
