Does anyone know if you can configure RADIUS groups for the FAZ? I can't seem to find any information on this in the admin guides or CLI.
What I'm trying to do is have users log in to a RADIUS server (FortiAuthenticator in this instance) and from there be given role-based access.
For example if the user belongs in the 'admin' group they would be given full access, but if they're in the 'partners' group they would be given access to the report/fortiview.
I'm going blind trying to figure this out! :)
Hi,
Yes you can.
1) Create a radius profile: System Settings -> Admin -> Remote Auth Server
2) go to CLI and define the NAS-IP address to be the IP address to your FAZ:
config sys admin radius
edit <your radius name or press the TAB button>
set nas-ip <the IP address of your FAZ>
end
3) Create admin profile(s) under System Settings -> Admin -> Profile and choose what you want to allow or disable for the admin(s).
4) Create a new admin with the same name as you have it on the radius server. Set the type to your radius and choose the created radius server. DO NOT select the Wildcard option. DO NOT fill the password. Choose the required profile for the admin and ADOM settings and click OK.
5) Repeat the step 4) for the other admins.
Log out from the analyzer and log in with the different admin account. Have fun!
Remember: the admin name has to be an existing name that can be checked by the radius server. The password will be checked by the radius and grant access. According to the admin name the FAZ will choose the admin profile.
AtiT
Under your wildcard admin put 'set radius-accprofile-override enable'. Then create access profiles with the same name as the radius groups.
Neon
you can define access_profile attributes for the clients, but the catch is the access-profile needs to be configured on the FortiGate. FortiGate supports like 6 or 8 Vendor Specific Attributes IIRC.
example:
# sample radius user file w/ accprof
# (reply items are indented and comma-separated; the last reply item has no comma)
HQadmin Crypt-Password == "$1$BbERshNY$.wcjjBzwe/i82ILJuajeWs/"
    User-Service-Type = Login-User,
    Fortinet-Access-Profile = admin_full

ENGadmin Crypt-Password == "$1$BEdsJWs$.xkueWldiwe/w62ILWkiuuSs/"
    User-Service-Type = Login-User,
    Fortinet-Access-Profile = adminrestricted

SOCgroup1 Cleartext-Password = "MySOCG3d4uejd"
    User-Service-Type = Login-User,
    Fortinet-Access-Profile = readonly
Just make sure the Access Profile exists, or if not you will lock out the user.
PCNSE
NSE
StrongSwan
It is not a radius group but you have to configure each username on the FAZ.
AtiT
Yeeessss!!! Thanks for the info guys, it's working great now :D
My final steps were:
Created an admin user with wildcard that uses the RADIUS server.
Created separate access profiles with names matching my RADIUS groups.
Edited the admin user via CLI and enabled the radius-accprofile-override setting.
Initially I had a problem with the RADIUS group attributes not matching up. On the FortiAuthenticator I configured the groups to reply with the Fortinet-Group-Name attribute for RADIUS authentication (this was to service the FortiGate). This attribute didn't work for the FAZ. I added the Fortinet-Access-Profile attribute and the FAZ picked it up. So now I have both RADIUS attributes configured on my FortiAuthenticator (pic attached), one to service the FortiGate and the other for the FortiAnalyzer.
Thanks again guys!
Hi,
this solution seems to me more elegant. I tried to set this up but I have a problem.
I have 2 admin groups - Admin and Report-read-only.
All users from both groups can login but have the same permissions that are set under the wildcard admin profile.
I also enabled the radius-accprofile-override: enable
It seems that the FAZ does not make a difference between profile attributes.
The radius server is Windows 2008 R2 NPS policy server.
The FAZ is FAZ-VM 5.2.3 (trial version for testing in vmware player).
I set the vendor specific attribute to attribute 6:
## Fortinet’s VSA’s
#
VENDOR fortinet 12356
BEGIN-VENDOR fortinet
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
ATTRIBUTE Fortinet-Interface-Name 5 string
ATTRIBUTE Fortinet-Access-Profile 6 string
## Integer Translations
#
END-VENDOR Fortinet
AtiT
Great, can you debug the radius accept/response on that radius server?
I have little experience on the MS radius and NPS but I'm sure there is some debug method. If you have a radtest-equivalent diagnostic command, you can try that also.
PCNSE
NSE
StrongSwan
Hi,
Yes I did it. It is working now. The problem was with the Radius server where another network policy caught the authentication request, and if the profile does not match, the profile defined under the admin user is applied.
Thank you for support.
AtiT
Hi all, Do you know if it is possible to configure TACACS for FortiAnalyzer? I tried to configure it but authorization doesn't work properly. Thanks in advance! A.