Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lochy
New Contributor

Created on ‎02-02-2024 10:13 PM

Fortinet admin accounts can't contain "." (dots) anymore.

Is anyone else being bitten by the Fortinet decision not to allow full stops in admin usernames?
We have a couple of client sites where the typical username is first.last, and we use the same. Authentication is handled via RADIUS to a server that enforces MFA, so when we create an admin account, it needs to have the same first.last format so the auth server will match it, check MFA, then approve the login. It works well and hasn't caused issues.
Fortinet has now decided that you can't use a dot in an admin account. I have no idea why. If you already have such an account, then it will still work - you just can't edit it or create new ones. This means we can't create admin accounts that will match on the auth servers.

Does anyone have any insight into why such a random restriction is suddenly being enforced? We could create "special" accounts just for the Fortinets, but everything else is based upon the individual's account, and all auditing is done that way. It breaks a whole bunch of things and will cost extra per account. It doesn't make things more secure in any way,..thoughts?

https://19216811.cam/ https://1921681001.id/
https://19216811.cam/ https://1921681001.id/
Labels:
609
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎02-02-2024 11:36 PM

Do you mean FortiOS 7.4.x?

AEK
AEK
590
0 Kudos
Raghu_Kumar
Staff
Staff

Created on ‎02-03-2024 04:33 AM

Hello lochy,

 

This article describes that in version 7.4.x, users could find an error when trying to create a user with dots in the name - although it was possible with earlier versions before.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-create-admin-users-with-dots-in-...

Raghuram Kumar
576
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Raghu_Kumar

Created on ‎02-03-2024 08:41 AM Edited on ‎02-03-2024 08:50 AM

@Raghu_Kumar, So this means we need to convert all those customer's VDOM admin names from their email address (including domain name following @) to like "toshi_esumi-example_com" from "toshi.esumi@exmaple.com". Do you know if existing ones would be converted automatically or thrown out and show up in "diag debug config-error-log read" as errors when we upgrade our FGTs to 7.4.x? No mentioning about it in the KB.

 

Toshi

562
0 Kudos
AEK
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎02-03-2024 08:59 AM

If I understand well from KB the old dotted names are not affected. Only newly created are conserned.

AEK
AEK
556
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AEK

Created on ‎02-03-2024 09:06 AM

Ok, @AEK, you're right. It says "New rules are enforced on new admin users and the renaming of existing admin users."

However, this KB has conflicting statements:

- Uses only these ASCII characters: a-z, A-Z, 0-9, _, -.
- Can end with $.

Does this mean $ is ok in addition to a-z, A-Z, 0-9, _, -.?

Toshi

550
0 Kudos
AEK
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎02-03-2024 10:30 AM

I'll test it. But in all cases removing the dot will make many FG admins unhappy.

AEK
AEK
542
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.