Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lochy
New Contributor

Fortinet admin accounts can't contain "." (dots) anymore.

Is anyone else being bitten by the Fortinet decision not to allow full stops in admin usernames?
We have a couple of client sites where the typical username is first.last, and we use the same. Authentication is handled via RADIUS to a server that enforces MFA, so when we create an admin account, it needs to have the same first.last format so the auth server will match it, check MFA, then approve the login. It works well and hasn't caused issues.
Fortinet has now decided that you can't use a dot in an admin account. I have no idea why. If you already have such an account, then it will still work - you just can't edit it or create new ones. This means we can't create admin accounts that will match on the auth servers.

Does anyone have any insight into why such a random restriction is suddenly being enforced? We could create "special" accounts just for the Fortinets, but everything else is based upon the individual's account, and all auditing is done that way. It breaks a whole bunch of things and will cost extra per account. It doesn't make things more secure in any way,..thoughts?

https://19216811.cam/ https://1921681001.id/
6 REPLIES 6
AEK
Honored Contributor II

Do you mean FortiOS 7.4.x?

AEK
AEK
Raghu_Kumar
Staff
Staff

Hello lochy,

 

This article describes that in version 7.4.x, users could find an error when trying to create a user with dots in the name - although it was possible with earlier versions before.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-create-admin-users-with-dots-in-...

Raghuram Kumar
Toshi_Esumi
Esteemed Contributor III

@Raghu_Kumar, So this means we need to convert all those customer's VDOM admin names from their email address (including domain name following @) to like "toshi_esumi-example_com" from "toshi.esumi@exmaple.com". Do you know if existing ones would be converted automatically or thrown out and show up in "diag debug config-error-log read" as errors when we upgrade our FGTs to 7.4.x? No mentioning about it in the KB.

 

Toshi

AEK
Honored Contributor II

If I understand well from KB the old dotted names are not affected. Only newly created are conserned.

AEK
AEK
Toshi_Esumi
Esteemed Contributor III

Ok, @AEK, you're right. It says "New rules are enforced on new admin users and the renaming of existing admin users."

However, this KB has conflicting statements:

- Uses only these ASCII characters: a-z, A-Z, 0-9, _, -.
- Can end with $.

Does this mean $ is ok in addition to a-z, A-Z, 0-9, _, -.?

Toshi

AEK
Honored Contributor II

I'll test it. But in all cases removing the dot will make many FG admins unhappy.

AEK
AEK
Labels
Top Kudoed Authors