Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AtiT
Valued Contributor

LDAP Admin Login to FGT - Change Default Password Request

Hello.

We have a problem on FortiOS 5.6.3 with LDAP admin accounts. When the admin tries to login into the firewall the login is accepted but a password change is requested:

 

This Account is using the default password, it is strongly recommended that you change your password.

 

Does anyone to know why it is happening?

 

 

AtiT

AtiT
1 Solution
xsilver_FTNT

Ahaaa .. wildcard admin which has no backup password .. got it !

That's actually a bug 0294898 in 5.6.3 which is supposed to be fixed in 5.6.4 and 6.0.0

And the workaround is simple:

 

config system admin

edit "LDAPadmins"

unset wildcard

set password someWeryRandomAndStrongPaSsword

set wildcard enable

end

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

View solution in original post

7 REPLIES 7
xsilver_FTNT
Staff
Staff

Hi,

 

I thought it's obvious from the message and your logon, but  ... 

 

It happens simply because you are using default admin with default "blank" password which is really not a great idea for the firewall.

Anybody who can find out IP/FQDN of your firewall and can access through the port (allowaccess, trusted hosts) is then able to login as Admin and change whatever he/she wants.

As Fortinet decided that this is really bad practice to leave the super admin account unprotected, then that's why you get warning/reminder each logon you do without password set.

 

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

AtiT
Valued Contributor

Hello,

Thanks for the update.

 

But it is not the case. The account has a regular password, not blank.

We have a customer with the same problem and I was able to replicate the issue in the lab.

AtiT

AtiT
xsilver_FTNT

Hi,

I did quick retest and was not able to reproduce the issue.

Once I have used the button to change the password for default "admin" account I have no more warnings.

My setup is as bellow:

 

- Version: FortiGate-VM64 v5.6.3,build1547,171204 (GA)

config user ldap edit "LDAP_ALFA" set server "10.109.19.88" set cnid "cn" set dn "dc=alfa,dc=xsilver,dc=org" set type regular set username "administrator@alfa.xsilver.org" set password ENC Y2fC2kVGd0h...cut... next end

config user group edit "remote-admins" set member "LDAP_ALFA" next end

config system admin edit "admin" set accprofile "super_admin" set vdom "root" set password ENC SH2ImCGhgpKr330gEBA/Lh62cWD7MhkCkcFva0Nz8sSnJ+zyHxP76cppL3RZQc= next edit "test" set remote-auth enable set accprofile "super_admin" set vdom "root" set remote-group "remote-admins" set password ENC SH2qR4eenfT6qoqMt+bD3ic53i6tj7R31IeEh8bb6XJrCR44rtBM9tHju4Zo9A= next end

 

 

What is your config ?

 

kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

AtiT
Valued Contributor

Hello,

 

This is my config:

 

# get sys status | grep build Version: FortiGate-80D v5.6.3,build1547,171204 (GA)

 

config user ldap edit "LAB" set server "192.168.221.10" set secondary-server "192.168.222.10" set cnid "sAMAccountName" set dn "ou=lab,dc=lab,dc=gts,dc=cz" set type regular set username "administrator@lab.gts.cz" set password ENC 3gXQSQKut2Tn5dPpXZjx9cMoUJNyNFOuJvgEYwAWvmpIQ6Dlfs1J+IVi1obbsO6LoburGJMcveexLBBqXUB5HdUHr71ldKXxSWR0MEsugzJZQpzFFNVK5hUSENaShXmWyn6sEuxTvpG4Lqo8P+lgfmnUkFYGh9aQdMIcu3W/SujGP4Em2z/RENXttVW6WuOjq28NwQ== set secure ldaps set ca-cert "CA_Cert_3" set port 636 set password-expiry-warning enable set password-renewal enable next end

 

config user group edit "fwadminsldap" set member "LAB" config match edit 1 set server-name "LAB" set group-name "CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz" next end next end

 

config system admin edit "LDAPadmins" set remote-auth enable set accprofile "super_admin" set vdom "root" set wildcard enable set remote-group "fwadminsldap" next end

 

 

I can see that in your admin config the wildcard option is missing. It means that the admin "test" with the password stored in LDAP will be authenticated. This is not our case. (But it not worked for me either - the login was successful but the FGT showed me the login page again.)

 

 

The authd and fnband debug shows this:

 

[2127] handle_req-Rcvd auth req 825730477 for fwadmin in fwadminsldap opt=00014001 prot=10 [355] __compose_group_list_from_req-Group 'fwadminsldap' [605] fnbamd_pop3_start-fwadmin [340] radius_start-Didn't find radius servers (0) [701] auth_tac_plus_start-Didn't find tac_plus servers (0) [871] resolve_ldap_FQDN-Resolved address 192.168.221.10, result 192.168.221.10 [871] resolve_ldap_FQDN-Resolved address 192.168.222.10, result 192.168.222.10 [1147] build_search_base-search base is: ou=lab,dc=lab,dc=gts,dc=cz

[1267] fnbamd_ldap_init-search filter is: sAMAccountName=fwadmin

[492] create_auth_session-Total 1 server(s) to try [263] start_search_dn-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:sAMAccountName=fwadmin

[1653] fnbamd_ldap_get_result-Going to SEARCH state [2832] auth_ldap_result-Continue pending for req 825730477 [296] get_all_dn-Found DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz

[310] get_all_dn-Found 1 DN's [344] start_next_dn_bind-Trying DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz [1701] fnbamd_ldap_get_result-Going to USERBIND state [2832] auth_ldap_result-Continue pending for req 825730477 [570] start_user_attrs_lookup-Adding attr 'memberOf' [591] start_user_attrs_lookup-base:'CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz' filter:cn=*

[1757] fnbamd_ldap_get_result-Entering CHKUSERATTRS state [2832] auth_ldap_result-Continue pending for req 825730477 [793] get_member_of_groups-Get the memberOf groups. [828] get_member_of_groups- attr='memberOf', found 1 values [91] ldap_grp_list_add-added CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz [837] get_member_of_groups-val[0]='CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz' [626] start_primary_group_lookup-starting check... [630] start_primary_group_lookup-number of sub auths 5 [648] start_primary_group_lookup-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\5b\93\7a\51\bb\78\68\5c\bf\c4\1a\88\01\02\00\00))

[1780] fnbamd_ldap_get_result-Entering CHKPRIMARYGRP state [2832] auth_ldap_result-Continue pending for req 825730477 [765] get_primary_groups- [1814] fnbamd_ldap_get_result-Auth accepted [1925] fnbamd_ldap_get_result-Going to DONE state res=0 [146] __ldap_copy_grp_list-copied CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz [2738] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.221.10 is SUCCESS [2753] fnbamd_auth_poll_ldap-Passed group matching [943] find_matched_usr_grps-Group 'fwadminsldap' passed group matching [944] find_matched_usr_grps-Add matched group 'fwadminsldap'(12) [182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 825730477 [637] destroy_auth_session-delete session 825730477 [53] ldap_grp_list_del_all-Del CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz

 

====== here I tried to change the password - but no success ======= [2530] handle_req-Rcvd 8 req [928] fnbamd_cfg_get_radius_acct_servers-Error finding rad server LAB [365] fnbamd_acct_start_STOP-Error getting radius server [1345] create_acct_session-Error start acct type 8 [2544] handle_req-Error creating acct session 8

------ it seems to me that it tries to change the password via RADIUS server. Probably LDAP is not supported?

 

 

 

AtiT

AtiT
xsilver_FTNT

Ahaaa .. wildcard admin which has no backup password .. got it !

That's actually a bug 0294898 in 5.6.3 which is supposed to be fixed in 5.6.4 and 6.0.0

And the workaround is simple:

 

config system admin

edit "LDAPadmins"

unset wildcard

set password someWeryRandomAndStrongPaSsword

set wildcard enable

end

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

AtiT
Valued Contributor

This workaround fixed the issue. Thank you :)

 

AtiT

AtiT
Elthon_Abreu

Tomas (xsilver),

 

That workaround is perfect.

 

Thank you so so much!

 

Cheers,

Elthon

Elthon Abreu FCNSA v5

Elthon Abreu FCNSA v5
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors