
Fortigate MFA Management Query

Hi All,


Query concerning MFA to Microsoft on the Fortigates for management access. We have a working solution but we have a slight problem which I can't seem to resolve.


We have 2 user groups for access to the Fortigates - Access-Write & Access-Read.


I configure management access on the Fortigate, giving users access to make changes to the firewall if they are in Access-Write and read-only access if they are in the Access-Read group.


This access is controlled by the Fortigate User Group "Remote Group" and "Group name" entry and by the policies on the NPS server for this device group.


The issue I have is that when I turn on the MFA piece, the MFA fails when I have a User Group group name specified; only when I use all groups does it work. That's okay, but I lose the ability to separate the Read and Write groupings. I can move a user between the Domain Read Only and Write Access groups, but they both get full write access.


How can I push a read-only and a read/write policy from the NPS to the Fortigate so I can separate these users without specifying the user group configuration?

Hey Adrian,

it might be a bit tricky to have FortiGate assign admin profiles based on group membership. You could instead have the NPS send the admin profile as a RADIUS attribute (the user could inherit the attribute based on group membership, perhaps?). You can see more details here:

- that uses a FortiAuthenticator as the RADIUS server example, but you can just as well use an NPS; simply make sure the required VSAs are included and that you have enabled the RADIUS override setting in the wildcard admin entry.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
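The FortiGate side of the approach the reply describes, as an added example (not configuration from the original thread): a single wildcard admin entry bound to a RADIUS-backed user group, with the accprofile override enabled so the admin profile returned by the NPS in the Access-Accept decides read-only versus read/write. The server address, shared secret, group name and profile names are placeholders; the read-only profile "ro_admin" is assumed to already exist on the FortiGate alongside the built-in "super_admin". Field names follow FortiOS CLI syntax, so check them against your release.

```text
# Added example, not from the original thread. Placeholders: server IP, secret,
# group name "FW-Admins", profile names "ro_admin" and "super_admin".
config user radius
    edit "NPS-RADIUS"
        set server "10.0.0.10"
        set secret "ChangeMe"
    next
end

config user group
    edit "FW-Admins"
        set member "NPS-RADIUS"
        # No "config match" group-name entry here: which AD group a user is in
        # is evaluated on the NPS side, and the profile comes back as a VSA.
    next
end

config system admin
    edit "nps-admins"
        set remote-auth enable
        set wildcard enable
        set remote-group "FW-Admins"
        # Fallback profile used when the NPS returns no Fortinet-Access-Profile VSA.
        # Keep this the least-privileged profile so a missing attribute never
        # silently grants write access.
        set accprofile "ro_admin"
        # Allow the VSA in the RADIUS Access-Accept to override accprofile.
        set accprofile-override enable
    next
end
```

On the NPS, the two network policies (one matching the Access-Write AD group, one matching Access-Read) each return the Fortinet vendor-specific attribute Fortinet-Access-Profile (vendor code 12356, attribute number 6, string) with the value "super_admin" or "ro_admin" respectively; in the NPS policy editor that is Settings, Vendor Specific, Add, Custom, with the vendor code and attribute number entered by hand. The "Group name" field in the FortiGate user group matches a different VSA (Fortinet-Group-Name, attribute 1), which is why this design no longer needs it: authorization is decided entirely by which NPS policy the user hits. After the change, log in once with a user from each AD group and confirm on the FortiGate (System, Administrators, or the admin login event log) that the Access-Read user lands on "ro_admin" and cannot save changes, and that a user in neither group is rejected rather than falling through to the default profile.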