RADIUS Admin logon on FAC
To keep the administrative accounts isolated from user accounts, we are using an additional/2nd FAC in the DMZ. We are looking forward to using an internal FAC to authenticate administrative user logons on the DMZ FAC, but the typical Super-User value in the Fortinet-FPC-User-Role/Fortinet-Access-Profile RADIUS VSA isn't working (the user logs in as a regular/non-administrative one).
Does anyone know what is necessary to get this working?
Regards,
Felicio Santos.
Felicio Santos, CAPM HP MASE FlexNetwork v1, MCITP 2008 SRV, ENT, ENT Messaging FTNT FCNSA v5 / MCSE NT,2000,2003 MCSA 2000,2003,2008+SEC,Office365 / Network+
AFAIK there are no remote admin account types on FAC (as we know them, for example, from FortiGate remote/wildcard admins).
FAC has local admins defined in Local Users (User Management) with Role=Administrator.
By default those admins do not even have the ability to be used and authenticated via RADIUS from outside, so they are completely local to the FAC itself.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
This should be possible if the user is not set to be a FAC Admin as above. Take a look at this integration guide I wrote a while back.
If you follow this process and it still doesn't work, check that the RADIUS attributes are actually being sent by sniffing the RADIUS traffic (you will need to decrypt the RADIUS packets in Wireshark).
Dr. Carl Windsor Field Chief Technology Officer Fortinet
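The check Carl describes above (confirm that the Fortinet VSAs really are in the Access-Accept the internal FAC sends back) can be done offline on a captured reply without Wireshark. The following is an added example written for this page; it is not code from the thread, from the integration guide, or from Fortinet. It builds a RADIUS Access-Accept carrying Fortinet Vendor-Specific attributes (RFC 2865 section 5.26), then parses a packet back, verifies the Response Authenticator against the shared secret, and lists the Fortinet sub-attributes it finds. The vendor ID 12356 and Fortinet-Access-Profile = 6 come from the public Fortinet RADIUS dictionary; Fortinet-FPC-User-Role = 9 is an assumption here, so confirm it against your own dictionary file. The shared secret, Request Authenticator and profile name "super_admin" are constructed placeholders.

```python
import hashlib
import struct

FORTINET_VENDOR_ID = 12356      # Fortinet IANA enterprise number
ACCESS_ACCEPT = 2               # RADIUS code for Access-Accept
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type

# Vendor-type numbers from the public Fortinet RADIUS dictionary.
# 9 for Fortinet-FPC-User-Role is an assumption: check your dictionary file.
FORTINET_VSA_NAMES = {
    1: "Fortinet-Group-Name",
    6: "Fortinet-Access-Profile",
    9: "Fortinet-FPC-User-Role",
}


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute with a single vendor sub-attribute.
    Layout: type(26) len | vendor-id(4) | vendor-type vendor-len value."""
    sub = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(sub)) + sub


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Build an Access-Accept. Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """True if the reply was produced with this shared secret for this request."""
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return expected == packet[4:20]


def parse_fortinet_vsas(packet, request_authenticator, secret):
    """Return (code, {attribute-name-or-number: value}) for the Fortinet VSAs in
    a RADIUS reply, after checking length and Response Authenticator."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attrs = packet[20:]
    found = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            vpos = 4  # walk the vendor sub-attributes after the 4-byte vendor id
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                name = FORTINET_VSA_NAMES.get(vtype, vtype)
                found[name] = value[vpos + 2:vpos + vlen].decode("utf-8", "replace")
                vpos += vlen
        pos += alen
    return code, found


def demo():
    """Constructed exchange: what a correctly configured server should return."""
    secret = b"constructed-shared-secret"   # placeholder, not a real secret
    request_authenticator = bytes(range(16))  # placeholder Request Authenticator
    accept = build_access_accept(0x2A, request_authenticator, secret, [
        encode_vsa(FORTINET_VENDOR_ID, 6, b"super_admin"),  # placeholder profile name
        encode_vsa(FORTINET_VENDOR_ID, 9, b"super_admin"),
    ])
    return parse_fortinet_vsas(accept, request_authenticator, secret)


if __name__ == "__main__":
    print(demo())
```

To check a real reply, feed `parse_fortinet_vsas` the raw UDP payload of the Access-Accept from your capture together with the Request Authenticator from the matching Access-Request and the shared secret configured for that RADIUS client. If the function raises on the authenticator, the secret on the two FACs does not match; if it returns an empty dictionary, the server never sent the Fortinet VSAs and the problem is on the server side, not in how the DMZ FAC maps the value.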
Hi,
Thanks for the reply!
It only worked if I created in advance a "remote user" with admin privileges. I was looking to have in the FAC a functionality like the wildcard admin on FGT. Even TAC didn't find out how to make it work, so I will go with manual creation of the remote user and look forward to this popping up in a future FAC release.
Regards,
Felicio Santos.