Remote authentication for administrators

Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.

Setting up remote authentication for administrators includes the following steps:

  1. Configure the LDAP server
  2. Add the LDAP server to a user group
  3. Configure the administrator account

Configure the LDAP server

To configure the LDAP server in the GUI:
  1. Go to User & Authentication > LDAP Servers and select Create New.
  2. Enter the server Name and Server IP/Name.
  3. Enter the Common Name Identifier and Distinguished Name.
  4. Set the Bind Type to Regular and enter the Username and Password.
  5. Click OK.
To configure the LDAP server in the CLI:
config user ldap
  edit <ldap_server_name>
    set server <server_ip> 
    set cnid "cn" 
    set dn "dc=XYZ,dc=fortinet,dc=COM" 
    set type regular 
    set username "cn=Administrator,dc=XYA, dc=COM" 
    set password <password> 
  next 
end

Add the LDAP server to a user group

After configuring the LDAP server, create a user group that includes that LDAP server.

To create a user group in the GUI:
  1. Go to User & Authentication > User Groups and select Create New.
  2. Enter a Name for the group.
  3. In the Remote groups section, select Create New.
  4. Select the Remote Server from the dropdown list.
  5. Click OK.
To create a user group in the CLI:
config user group
  edit <Group_name>
    set member "ldap_server_name"
  next
end

Configure the administrator account

After configuring the LDAP server and adding it to a user group, create a new administrator. For this administrator, instead of entering a password, use the new user group and the wildcard option for authentication.

To create an administrator in the GUI:
  1. Go to System > Administrators.
  2. Select Create New > Administrator.
  3. Specify the Username.
  4. Set Type to Match a user on a remote server group.
  5. In Remote User Group, select the user group you created.
  6. Select Wildcard.

    The