DerekWSmall
New Contributor II

Question about Split-Task VDOMs and Radius for admin access

I've been playing around with Split-Task VDOMs, and there are a few peculiarities I was hoping Fortinet could shine some light on.

 

In Split-Task VDOM mode, there are three config modes: Global (for all VDOMs), one for traffic (FG-traffic) and one for management (root).  The only config mode that provides the ability to configure admin users is Global; however, that page in the GUI lacks the ability to assign users to one or more VDOMs, so admin users seem to only be able to be configured as global admins.  This seems contrary to one of the intended purposes of using multiple VDOMs.  Is this because I configured Split-task VDOM and not Multi-VDOM mode?  With Multi-VDOM mode, do you define users in each VDOM, or in the Global config mode and then assign them to one or more VDOMs?

 

The part that is more of a problem is that I no longer have access to configure remote authentication like Radius from the GUI.  If I go to the CLI and the root VDOM, I can see my radius servers, which I configured prior to configuring split-task VDOM mode, but why is there no config section for Radius visible in the GUI for either the global context or the root VDOM for administrative users?  It seems like there should be a Radius section in the Global config context, since that is where you define admin users.

 

I'm running 6.4.9 FortiOS, but I saw the same behavior with FortiOS 6.2.8 as well.  I have not tried this with 7.0 or 7.2.

 

 

Derek Small
Yurisk
Valued Contributor

Just a side note, not an answer to your questions: Split Task mode was discontinued in FortiOS 7.2 and will no longer be available.

BTW, yes, in multi-VDOM mode you create admin users in the Global context, then assign them to the specific VDOM.

 

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
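
As an added illustration of the multi-VDOM answer above (not part of the thread and not Fortinet code): a small Python check that reads the `config system admin` table from a configuration backup and reports each admin's VDOM scope and whether it authenticates locally or through a remote group. The sample config, account names and group name are constructed, and treating only the `super_admin` profile as global is an assumption.

```python
import shlex

# Constructed sample (not from the thread): admin table of a multi-VDOM backup.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "traffic-ops"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "FG-traffic"
        set remote-group "radius-admins"
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set vdom "root" "FG-traffic"
    next
end
"""

def parse_admins(config_text):
    """Return {admin: {setting: [values]}} from the 'config system admin' table."""
    admins, current, in_block, depth = {}, None, False, 0
    for line in map(str.strip, config_text.splitlines()):
        if not in_block:
            in_block, depth = line == "config system admin", 0
            continue
        if line.startswith("config "):
            depth += 1  # nested table inside an admin entry; its lines are skipped
        elif line == "end":
            in_block, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            current = admins.setdefault(line[5:].strip('"'), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            current[key] = shlex.split(rest)
    return admins

def audit(admins):
    """Map admin -> (scope, auth). Assumption: only super_admin is treated as global."""
    report = {}
    for name, s in admins.items():
        vdoms = ",".join(s.get("vdom", [])) or "unassigned"
        scope = "global" if s.get("accprofile") == ["super_admin"] else vdoms
        remote = s.get("remote-auth") == ["enable"]
        report[name] = (scope, "remote:" + s.get("remote-group", ["?"])[0] if remote else "local")
    return report
```

Calling `audit(parse_admins(text))` on a backup gives one `(scope, auth)` pair per account, which makes it easy to spot admins that are global when they were meant to be limited to one VDOM.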
DerekWSmall
New Contributor II

On a similar note, does anyone know how to recover from this?  I'm trying to switch back to a single VDOM and it's REALLY NOT EASY!!!  They should warn you in the manual: "This will jack up your config, you WILL spend hours trying to recover from it, and (sshh... we aren't telling you how to recover from enabling Split-task VDOM)."

Derek Small
Yurisk
Valued Contributor

I haven't done it myself, as I never used the Split thing at all, but if I understand the docs correctly, you do not recover from it (see below), you just move on: setting the management VDOM as administrative, and the traffic as traffic. https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/1620/system-global (search for vdom-mode).

 

"When split-task VDOM mode is enabled, all current management configuration is assigned to the root VDOM, and all non-management settings, such as firewall policies and security profiles, are deleted." 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.