Configuring RADIUS administrator accounts
You may want to authenticate administrators against a RADIUS server. First create a user group whose membership is matched against a group name returned by the RADIUS server rather than a local member list. Once the user group is defined (and your RADIUS server is configured to return that group name for the administrator's account; a FortiGate matches it against the Fortinet-Group-Name vendor-specific attribute in the Access-Accept), you can create a RADIUS administrative user that references the group.
To create a user group:
- Go to User & Authentication > User Groups, and click +Create New.
- Set Name to Admin.
- Set Type to Firewall.
- Add a remote group:
  - Click Add. The Add Group Match pane is displayed.
  - Set Remote Server to RADIUS (the RADIUS server object you configured).
  - Set Groups to Specify.
  - Enter FirewallAdmin.
  - Click OK. The remote group is displayed.
- Click OK to save the user group.
To create a RADIUS administrator:
- Go to System > Administrators, and click Create New > Administrator.
- Enter a name, such as FWAdmin, and select Match a user on a remote server group. With this option the account is a wildcard: any user the RADIUS server places in the matched group can log in with this administrator's profile, not just a single named user.
- Enter a Backup Password. This password is used only when the FortiGate cannot reach the RADIUS server, so treat it as a full-privilege credential: make it long and random, and store it offline.
- Set Administrator profile to super_admin.
- Set Remote User Group to Admin.
- Enable Two-factor Authentication.
Use caution when implementing MFA on all administrator accounts. If you cannot produce the token code for any account, you may have to reset the FortiGate and reload the configuration from backup.
As a precaution, consider keeping one local administrator account with a long and complex password that does not use MFA, restricted to trusted hosts. Write the password down, keep it in a secure location, and use it only if you are locked out of the MFA-protected administrator accounts.
- Enable Restrict login to trusted hosts.
- Click OK.
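The same configuration expressed in the FortiOS CLI, as an added example that is not part of the original page. It assumes a RADIUS server object named RADIUS-SRV at 10.0.0.10, placeholder secrets, and a trusted-host subnet of 10.0.0.0/24; replace these for your environment. The mapping of the GUI Backup Password field to `set password` on the wildcard admin is an assumption. The two-factor step is not shown here, because the token type depends on how your tokens are provisioned.

```fortios
# Added example, not from the FortiOS documentation. Assumed values:
# server object RADIUS-SRV at 10.0.0.10, placeholder secrets, trusted
# host subnet 10.0.0.0/24.

# RADIUS server object used for both group matching and authentication.
config user radius
    edit "RADIUS-SRV"
        set server "10.0.0.10"
        set secret "replace-with-shared-secret"
    next
end

# User group "Admin": membership is decided by the group name the RADIUS
# server returns for the user (Fortinet-Group-Name), not by a local list.
config user group
    edit "Admin"
        set member "RADIUS-SRV"
        config match
            edit 1
                set server-name "RADIUS-SRV"
                set group-name "FirewallAdmin"
            next
        end
    next
end

# Remote administrator. "wildcard enable" is the CLI form of
# "Match a user on a remote server group". The password here is the
# backup password used only when RADIUS is unreachable (assumption:
# this is how the GUI Backup Password field maps to the CLI), so it
# must be as strong as any super_admin password.
config system admin
    edit "FWAdmin"
        set remote-auth enable
        set wildcard enable
        set remote-group "Admin"
        set accprofile "super_admin"
        set vdom "root"
        set password "replace-with-long-random-backup-password"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
```

After applying this, confirm the RADIUS side before relying on it: `diagnose test authserver radius RADIUS-SRV pap <user> <password>` reports whether authentication succeeded and which group names the server returned, so you can see that FirewallAdmin actually arrives in the Access-Accept. Also test from an address outside 10.0.0.0/24 to verify that the trusted-host restriction rejects the login.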