Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

Improve admin-restrict-local handling of multiple authentication servers

Under config system global, when the admin-restrict-local setting is enabled, local administrators cannot be used until all remote authentication servers are down. The FortiGate now only checks if all remote authentication servers applied in system admin are down, instead of all remote servers configured on the FortiGate, before allowing local administrators to log in.

To configure remote authentication groups and apply remote authentication to system administrative users:
  1. Configure multiple remote authentication servers (this example uses one RADIUS and one LDAP server):
    config user radius
        edit "1006290-radius"
            set server "10.1.100.55"
            set secret **********
        next
    end
    config user ldap
        edit "1006290-ldap"
            set server "172.16.200.55"
            set cnid "cn"
            set dn "dc=qa,dc=fortinet,dc=com"
            set type regular
            set username "cn=admin,dc=qa,dc=fortinet,dc=com"
            set password **********
        next
    end
  2. Configure the user groups:
    config user group
        edit "radius-group"
            set member "1006290-radius"
        next
        edit "ldap-group"
            set member "1006290-ldap"
        next
    end
  3. Configure an administrative user with the RADIUS server:
    config system admin
        edit "1006290-radius-admin"
            set remote-auth enable
            set accprofile "prof_admin"
            set vdom "vdom1"
            set wildcard enable
            set remote-group "radius-group"
        next
    end
To restrict local administrator access until the remote authentication server is down:
  1. Enable admin-restrict-local:
    config system global
        set admin-restrict-local enable
    end
  2. Get the remote and local administrators to log in to the FortiGate with SSH. The remote administrator is able to log in, but the local administrator is unable to log in:
    • Remote:

      root@PC1:~# ssh mschap@10.1.100.1
      mschap@10.1.100.1's password:
      FortiGate-101F $ get system status
      Version: FortiGate-101F v7.2.0, ...
      
    • Local:

      root@PC1:~# ssh admin@10.1.100.1
      admin@10.1.100.1's password:
      Permission denied, please try again.
  3. Shut down the RADIUS server and keep the LDAP server running. The local administrator is now able to log in to the FortiGate:
    root@PC1:~# ssh admin@10.1.100.1
    admin@10.1.100.1's password:
    FortiGate-101F # get system status
    Version: FortiGate-101F v7.2.0, ...

Improve admin-restrict-local handling of multiple authentication servers

Under config system global, when the admin-restrict-local setting is enabled, local administrators cannot be used until all remote authentication servers are down. The FortiGate now only checks if all remote authentication servers applied in system admin are down, instead of all remote servers configured on the FortiGate, before allowing local administrators to log in.

To configure remote authentication groups and apply remote authentication to system administrative users:
  1. Configure multiple remote authentication servers (this example uses one RADIUS and one LDAP server):
    config user radius
        edit "1006290-radius"
            set server "10.1.100.55"
            set secret **********
        next
    end
    config user ldap
        edit "1006290-ldap"
            set server "172.16.200.55"
            set cnid "cn"
            set dn "dc=qa,dc=fortinet,dc=com"
            set type regular
            set username "cn=admin,dc=qa,dc=fortinet,dc=com"
            set password **********
        next
    end
  2. Configure the user groups:
    config user group
        edit "radius-group"
            set member "1006290-radius"
        next
        edit "ldap-group"
            set member "1006290-ldap"
        next
    end
  3. Configure an administrative user with the RADIUS server:
    config system admin
        edit "1006290-radius-admin"
            set remote-auth enable
            set accprofile "prof_admin"
            set vdom "vdom1"
            set wildcard enable
            set remote-group "radius-group"
        next
    end
To restrict local administrator access until the remote authentication server is down:
  1. Enable admin-restrict-local:
    config system global
        set admin-restrict-local enable
    end
  2. Get the remote and local administrators to log in to the FortiGate with SSH. The remote administrator is able to log in, but the local administrator is unable to log in:
    • Remote:

      root@PC1:~# ssh mschap@10.1.100.1
      mschap@10.1.100.1's password:
      FortiGate-101F $ get system status
      Version: FortiGate-101F v7.2.0, ...
      
    • Local:

      root@PC1:~# ssh admin@10.1.100.1
      admin@10.1.100.1's password:
      Permission denied, please try again.
  3. Shut down the RADIUS server and keep the LDAP server running. The local administrator is now able to log in to the FortiGate:
    root@PC1:~# ssh admin@10.1.100.1
    admin@10.1.100.1's password:
    FortiGate-101F # get system status
    Version: FortiGate-101F v7.2.0, ...