Configuring authentication for administrators

To configure authentication for administrators with RADIUS 2FA from FortiAuthenticator, you will first need to create a user group and administrator profile on the FortiGate. The administrator profile should match a user account on the FortiAuthenticator.

Creating user groups

To create a user group:
  1. Go to User & Authentication > User Groups, and select Create New.
  2. Enter a name for the user group, for example RADIUS_Admins.
  3. Select Firewall as the type.
  4. Under Remote Groups, click Add, and select the FortiAuthenticator RADIUS server from the dropdown list. Click OK.
    Note

    Do not add any local users to this group under Members, as doing so causes RADIUS authentication to fail.

FortiAuthenticator also supports sending group membership as an AVP. For example, when users configured in the FortiAuthenticator group FGT_Admins authenticate, the AVP Fortinet-Group-Name=FGT_Admins will be sent in the Authentication-Accept packet. This can be used to authorize the user onto the FortiGate by allowing only members of that group.

To create a user group from the CLI:

config user group
    edit "RADIUS_Admins"
        set member "FortiAuthenticator"
        config match
            edit 1
                set server-name "FortiAuthenticator"
                set group-name "RADIUS_Admins"
            next
        end
    next
end

To specify group membership:
  1. In the FortiGate user group:
    1. Double-click on the FortiAuthenticator Remote Group.
    2. Select Specify, and enter a RADIUS attribute group name (example: FGT_Admins).

  2. On FortiAuthenticator, go to Authentication > User Management > User Groups.
  3. Create or edit a Local user group, and add the administrator(s).
  4. Click Add Attribute to add a RADIUS AVP with the following details:
    1. Vendor: Fortinet
    2. Attribute ID: Fortinet-Group-Name
    3. Value: The RADIUS attribute group name (example: FGT_Admins).

RADIUS attributes can also be added directly to user profiles by going to Authentication > User Management > Local Users, selecting a user, and clicking Add Attributes in the RADIUS Attributes menu.

For administrator and sponsor user roles, the RADIUS Attributes field is available only when Sync in HA Load Balancing mode is enabled in Authentication > User Management > Local Users.
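As an added illustration (not Fortinet's code), the following Python builds a constructed Access-Accept packet (the Authentication-Accept packet described above) carrying the Fortinet-Group-Name AVP and applies the same check the FortiGate's config match rule performs: the administrator is authorized only if the required group name is present. The Fortinet vendor ID 12356 and sub-attribute number 1 for Fortinet-Group-Name are taken from the Fortinet RADIUS dictionary and are not stated on this page; the packet identifier and authenticator are sample values.

```python
import struct

# Assumptions (not stated on the page): Fortinet's IANA enterprise number and the
# sub-attribute number of Fortinet-Group-Name in the Fortinet RADIUS dictionary.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
CODE_ACCESS_ACCEPT = 2         # RFC 2865 packet code for Access-Accept


def build_access_accept(ident, authenticator, group_names):
    """Construct a sample Access-Accept carrying one Fortinet-Group-Name VSA per group."""
    attrs = b""
    for name in group_names:
        value = name.encode()
        # VSA body: vendor-id (4) + vendor-type (1) + vendor-length (1) + value
        vsa = struct.pack("!I", FORTINET_VENDOR_ID) + bytes([FORTINET_GROUP_NAME, 2 + len(value)]) + value
        attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + authenticator + attrs


def fortinet_group_names(packet):
    """Return every Fortinet-Group-Name value carried in an Access-Accept; [] if none or malformed."""
    if len(packet) < 20:
        return []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return []
    groups, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            break  # malformed attribute: stop instead of reading past the packet
        body = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vendor == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME and 2 <= vlen <= len(body) - 4:
                groups.append(body[6:4 + vlen].decode("utf-8", errors="replace"))
        pos += alen
    return groups


def authorize_admin(packet, required_group):
    """Mirror the FortiGate 'config match' rule: allow only if the required group-name AVP is present."""
    return required_group in fortinet_group_names(packet)
```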

Creating administrators

To create a RADIUS administrator with 2FA:
  1. In System > Administrators, click Create New and select Administrator from the dropdown.
  2. In the New Administrator page, enter the following, then click OK.
    1. Username: Enter the administrator's username (example: john.doe).
    2. Type: Match a user on a remote server group.
    3. Backup Password: Enter a backup password that can be used if RADIUS authentication is unavailable.
    4. Administration Profile: super_admin.
    5. Remote User Group: Select the previously created RADIUS user group (example: RADIUS_Admins).
    Caution

    Do not select two-factor authentication at this point. Two-factor authentication is performed externally to the FortiGate.

Creating a wildcard administrator account

Wildcard accounts can also be used to avoid defining each user locally. When this option is enabled, any user in the remote user group can authenticate as an administrator on the FortiGate.

For wildcard authentication to work, the selected remote user group must correspond to a user group on the FortiAuthenticator. User groups can be created in the FortiAuthenticator GUI by going to Authentication > User Management > User Groups.

To create a wildcard administrator account:
  1. In System > Administrators, click Create New and select Administrator from the dropdown.
  2. Create a new administrator with a descriptive name.
    The name is for internal purposes only and is not used during authentication.
  3. Select Match all users in a remote server group as the administrator Type.
  4. Choose the Remote User Group previously created.
  5. Select an Administrator Profile, and click OK.

Once you have created the user group and administrator, log into the FortiGate GUI with the newly created RADIUS administrator credentials.

After you have entered your username and password, you will be prompted to enter the two-factor authentication PIN from FortiToken. Successful authentication gives the user access to the FortiGate and generates a login event on the FortiAuthenticator.

To create an administrator from the CLI:

config system admin
    edit "Wildcard RADIUS Administrators"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "RADIUS_Admins"
    next
end
