I have five vdoms on 1500D unit and I need to add different administrators into each vdom for management via radius and wildcard password. Is this possible with FortiOS 5.2?
I added radius server as the authentication server and then created user group to include that server.
I then go to Global->Admin->Administrators to create new administrator. On the page,
1. I entered administrator username, which matches the radius record
2. I Selected Remote as the Type
3. I checked Wildcard
4. I selected profile as prof_admin
5. I selected corresponding VDOM and User group.
All good, right? Then I go ahead to create a second administrator for the same vdom, I cannot check the Wildcard box...
Is this a bug OR it is the limitation?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I was confused by the Wildcard option when creating administrator accounts for each vdom via Radius. I think the documents should clearly say “Administrator field on Web UI when creating the administrator does not need to match the username when using Remote Radius server and wildcard enabled”. Also I thought that Wildcard option is only there so I do not have to specify the radius password when adding to Fortigate…
I was confused by the Wildcard option when creating administrator accounts for each vdom via Radius. I think the documents should clearly say “Administrator field on Web UI when creating the administrator does not need to match the username when using Remote Radius server and wildcard enabled”. Also I thought that Wildcard option is only there so I do not have to specify the radius password when adding to Fortigate…
Did you find a way to select the wildcard field for multiple administrator groups? I have it selected for my super_admin group, but I need to create a tier 1 admin group with limited privileges and I cannot figure out how to enable the wildcard.
Thanks
I'm still interested with an answer to this question.
Thanks.
Why this is mark as solved? Anyone found a solution for creating multiple wildcard admin accounts ?
I mistakenly marked the first reply as helpful, which it was not. Sadly my post are just as clueless. I cannot understand how they have not implemented the ability to use more than 1 LDAP/RADIUS wildcard admin for granular access. Right now I'm stuck with using named users for Superadmin access.
Sadly this is not a bug
1: you can't have multiple "*" admin accounts in just one vdom
2: you can make multiple AAA servers ( TACACS RADIUS LDAP ) and have a auth-server per-vdom
3: You can craft multiple "*" ( one per vdom ) with a unique AAA server for that vdom with different keys for example
FWSJCCA01 (root) # show user tacacs+ config user tacacs+ edit "AAAroot" set server "10.4.2.2" set key Ms3edj*ikl; set authorization enable set source-ip 10.1.8.100 next end FWSJCCA01 (root) # next FWSJCCA01 (vdom) # edit CUST6 current vf=CUST6:7 FWSJCCA01 (CUST6) # show user tacacs+ config user tacacs+ edit "AAAntesp" set server "192.168.10.11" set key mybasKed set authorization enable set source-ip 192.168.19.100 next end
and in each vdom you craft a wildcard and ensure the user_group is configured in that SPECIFIC vdom
edit "wildcard" set remote-auth enable set accprofile "super_admin" set comments "TAC_AAA_ACS" set vdom "CUST6" set wildcard enable set remote-group "CUST6GRP" set accprofile-override enable next
What are you trying to do?
PCNSE
NSE
StrongSwan
Hi,
I'm trying to use two different AD groups for granual access. One group with admin rights and one read only analyst group. Both these groups needs access to all VDOMs.
I'm also trying to do the same on fortianalyzer, but the same problem exists there.
andygfunk wrote:Right now I'm stuck with using named users for Superadmin access.
You can use RADIUS attributes "Fortinet-Access-Profile" profile name by user
http://kb.fortinet.com/kb/documentLink.do?externalID=13837
Regards,
Paulo R.
Regards, Paulo Raponi
You can map group membership in tacacs and set accprofiles also. This is how we do it we have accessprofiles for level1 level2 level3 with various access ( RO RW+RO and RW ) and when the user is checked against MS/AD t he grioup query is given to the cisco ACS that set the accessprofile for the TACACS_client ( FGT or FAZ )
It's quite simple and one single "*" wildcard account exists you don't need multiple authenticate servers or groups.
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.