- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- LDAP Admin Login to FGT - Change Default Password ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP Admin Login to FGT - Change Default Password Request
Hello.
We have a problem on FortiOS 5.6.3 with LDAP admin accounts. When the admin tries to login into the firewall the login is accepted but a password change is requested:
This Account is using the default password, it is strongly recommended that you change your password.
Does anyone to know why it is happening?
AtiT
Solved! Go to Solution.
AtiT
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahaaa .. wildcard admin which has no backup password .. got it !
That's actually a bug 0294898 in 5.6.3 which is supposed to be fixed in 5.6.4 and 6.0.0
And the workaround is simple:
config system admin
edit "LDAPadmins"
unset wildcard
set password someWeryRandomAndStrongPaSsword
set wildcard enable
end
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I thought it's obvious from the message and your logon, but ...
It happens simply because you are using default admin with default "blank" password which is really not a great idea for the firewall.
Anybody who can find out IP/FQDN of your firewall and can access through the port (allowaccess, trusted hosts) is then able to login as Admin and change whatever he/she wants.
As Fortinet decided that this is really bad practice to leave the super admin account unprotected, then that's why you get warning/reminder each logon you do without password set.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thanks for the update.
But it is not the case. The account has a regular password, not blank.
We have a customer with the same problem and I was able to replicate the issue in the lab.
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I did quick retest and was not able to reproduce the issue.
Once I have used the button to change the password for default "admin" account I have no more warnings.
My setup is as bellow:
- Version: FortiGate-VM64 v5.6.3,build1547,171204 (GA)
config user ldap edit "LDAP_ALFA" set server "10.109.19.88" set cnid "cn" set dn "dc=alfa,dc=xsilver,dc=org" set type regular set username "administrator@alfa.xsilver.org" set password ENC Y2fC2kVGd0h...cut... next end
config user group edit "remote-admins" set member "LDAP_ALFA" next end
config system admin edit "admin" set accprofile "super_admin" set vdom "root" set password ENC SH2ImCGhgpKr330gEBA/Lh62cWD7MhkCkcFva0Nz8sSnJ+zyHxP76cppL3RZQc= next edit "test" set remote-auth enable set accprofile "super_admin" set vdom "root" set remote-group "remote-admins" set password ENC SH2qR4eenfT6qoqMt+bD3ic53i6tj7R31IeEh8bb6XJrCR44rtBM9tHju4Zo9A= next end
What is your config ?
kind regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
This is my config:
# get sys status | grep build Version: FortiGate-80D v5.6.3,build1547,171204 (GA)
config user ldap edit "LAB" set server "192.168.221.10" set secondary-server "192.168.222.10" set cnid "sAMAccountName" set dn "ou=lab,dc=lab,dc=gts,dc=cz" set type regular set username "administrator@lab.gts.cz" set password ENC 3gXQSQKut2Tn5dPpXZjx9cMoUJNyNFOuJvgEYwAWvmpIQ6Dlfs1J+IVi1obbsO6LoburGJMcveexLBBqXUB5HdUHr71ldKXxSWR0MEsugzJZQpzFFNVK5hUSENaShXmWyn6sEuxTvpG4Lqo8P+lgfmnUkFYGh9aQdMIcu3W/SujGP4Em2z/RENXttVW6WuOjq28NwQ== set secure ldaps set ca-cert "CA_Cert_3" set port 636 set password-expiry-warning enable set password-renewal enable next end
config user group edit "fwadminsldap" set member "LAB" config match edit 1 set server-name "LAB" set group-name "CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz" next end next end
config system admin edit "LDAPadmins" set remote-auth enable set accprofile "super_admin" set vdom "root" set wildcard enable set remote-group "fwadminsldap" next end
I can see that in your admin config the wildcard option is missing. It means that the admin "test" with the password stored in LDAP will be authenticated. This is not our case. (But it not worked for me either - the login was successful but the FGT showed me the login page again.)
The authd and fnband debug shows this:
[2127] handle_req-Rcvd auth req 825730477 for fwadmin in fwadminsldap opt=00014001 prot=10 [355] __compose_group_list_from_req-Group 'fwadminsldap' [605] fnbamd_pop3_start-fwadmin [340] radius_start-Didn't find radius servers (0) [701] auth_tac_plus_start-Didn't find tac_plus servers (0) [871] resolve_ldap_FQDN-Resolved address 192.168.221.10, result 192.168.221.10 [871] resolve_ldap_FQDN-Resolved address 192.168.222.10, result 192.168.222.10 [1147] build_search_base-search base is: ou=lab,dc=lab,dc=gts,dc=cz
[1267] fnbamd_ldap_init-search filter is: sAMAccountName=fwadmin
[492] create_auth_session-Total 1 server(s) to try [263] start_search_dn-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:sAMAccountName=fwadmin
[1653] fnbamd_ldap_get_result-Going to SEARCH state [2832] auth_ldap_result-Continue pending for req 825730477 [296] get_all_dn-Found DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[310] get_all_dn-Found 1 DN's [344] start_next_dn_bind-Trying DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz [1701] fnbamd_ldap_get_result-Going to USERBIND state [2832] auth_ldap_result-Continue pending for req 825730477 [570] start_user_attrs_lookup-Adding attr 'memberOf' [591] start_user_attrs_lookup-base:'CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz' filter:cn=*
[1757] fnbamd_ldap_get_result-Entering CHKUSERATTRS state [2832] auth_ldap_result-Continue pending for req 825730477 [793] get_member_of_groups-Get the memberOf groups. [828] get_member_of_groups- attr='memberOf', found 1 values [91] ldap_grp_list_add-added CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz [837] get_member_of_groups-val[0]='CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz' [626] start_primary_group_lookup-starting check... [630] start_primary_group_lookup-number of sub auths 5 [648] start_primary_group_lookup-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\5b\93\7a\51\bb\78\68\5c\bf\c4\1a\88\01\02\00\00))
[1780] fnbamd_ldap_get_result-Entering CHKPRIMARYGRP state [2832] auth_ldap_result-Continue pending for req 825730477 [765] get_primary_groups- [1814] fnbamd_ldap_get_result-Auth accepted [1925] fnbamd_ldap_get_result-Going to DONE state res=0 [146] __ldap_copy_grp_list-copied CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz [2738] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.221.10 is SUCCESS [2753] fnbamd_auth_poll_ldap-Passed group matching [943] find_matched_usr_grps-Group 'fwadminsldap' passed group matching [944] find_matched_usr_grps-Add matched group 'fwadminsldap'(12) [182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 825730477 [637] destroy_auth_session-delete session 825730477 [53] ldap_grp_list_del_all-Del CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
====== here I tried to change the password - but no success ======= [2530] handle_req-Rcvd 8 req [928] fnbamd_cfg_get_radius_acct_servers-Error finding rad server LAB [365] fnbamd_acct_start_STOP-Error getting radius server [1345] create_acct_session-Error start acct type 8 [2544] handle_req-Error creating acct session 8
------ it seems to me that it tries to change the password via RADIUS server. Probably LDAP is not supported?
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahaaa .. wildcard admin which has no backup password .. got it !
That's actually a bug 0294898 in 5.6.3 which is supposed to be fixed in 5.6.4 and 6.0.0
And the workaround is simple:
config system admin
edit "LDAPadmins"
unset wildcard
set password someWeryRandomAndStrongPaSsword
set wildcard enable
end
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This workaround fixed the issue. Thank you :)
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tomas (xsilver),
That workaround is perfect.
Thank you so so much!
Cheers,
Elthon
Elthon Abreu FCNSA v5
Elthon Abreu FCNSA v5
Related Posts
Labels
-
FortiGate
6,515 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
83 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.