
Administration Guide

Configuring wildcard admin accounts

To avoid setting up individual admin accounts in FortiOS, you can configure an admin account with the wildcard option enabled, allowing multiple remote admin accounts to match one local admin account. This way, multiple LDAP admin accounts can use one FortiOS admin account.

Benefits include:

  • Fast configuration of the FortiOS admin account to work with your LDAP network, saving effort and avoiding potential errors incurred when setting up multiple admin accounts
  • Reduced ongoing maintenance. As long as LDAP users belong to the same group and you do not modify the wildcard admin account in FortiOS, you do not need to configure changes on the LDAP accounts. If you add or remove a user from the LDAP group, you do not need to perform changes in FortiOS.

Potential issues include:

  • Multiple users may be logged in to the same account simultaneously, and their changes may conflict if they edit the configuration at the same time.
  • Security is reduced since multiple users share login access to one account, as opposed to an account for each user.

Wildcard admin configuration also applies to RADIUS: configure a RADIUS server and a RADIUS user group instead of the LDAP server and group. When using the GUI, a wildcard admin is the only type of remote admin account that does not require you to enter a password at account creation. That password is normally used as a fallback when the remote authentication server is unavailable during authentication.

This example uses default values where possible. If a specific value is not mentioned, the example sets it to its default value.

Caution

When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials. To secure this connection, use LDAPS on both the Active Directory server and FortiGate. See Configuring an LDAP server and Configuring client certificate authentication on the LDAP server.

To secure RADIUS connections, consider using RADSEC over TLS. See Configuring a RADSEC client.

Tooltip

You can configure an admin account in Active Directory for LDAP authentication to allow an admin to perform lookups and reset passwords without being a member of the Account Operators or Domain Administrators built-in groups. See Configuring least privileges for LDAP admin account authentication in Active Directory.

To configure the LDAP server:

The important parts of this configuration are the username and group lines. The username is the account that FortiGate binds with (here a domain administrator; the tooltip above describes a least-privilege alternative). The group-object filter, together with the match entry in the user group configured next, restricts access to members of the GRP group.

This example uses an example domain name. Configure as appropriate for your own network.

config user ldap
    edit "ldap_server"
        set server "192.168.201.3"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=Administrator,CN=Users,DC=example,DC=com"
        set password *
        set group-member-check group-object
        set group-object-filter "(&(objectcategory=group)(member=CN=GRP,OU=training,DC=example,DC=com))"
    next
end

To configure the user group and add the LDAP server:

config user group
    edit "ldap_grp"
        set member "ldap_server"
        config match
            edit 1
                set server-name "ldap_server"
                set group-name "CN=GRP,OU=training,DC=example,DC=com"
            next
        end
    next
end

To configure the wildcard admin account:

config system admin
    edit "test"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "ldap_grp"
    next
end
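The text above notes that the same wildcard pattern applies to RADIUS. The following is an added example, not part of the original page, that applies the same three steps (server, user group, wildcard admin) with a RADIUS server in place of the LDAP server, and closes with the diagnose commands used to confirm that the remote server authenticates a user and returns the expected group before anyone relies on the wildcard account. The server address 192.168.201.4, the names radius_server, radius_grp, radius_admin and netadmins, the test user jdoe and the <password> and `*` placeholders are assumptions for illustration.

```fortios
# Added example (assumed values): RADIUS equivalent of the LDAP procedure.
# 'set secret *' is a placeholder for the shared secret, as 'set password *' is above.
config user radius
    edit "radius_server"
        set server "192.168.201.4"
        set secret *
    next
end

# Without a 'config match' entry, every user the RADIUS server accepts becomes a
# member of this group and so of the wildcard admin. To restrict access, have the
# RADIUS server return the Fortinet-Group-Name vendor-specific attribute and match
# on its value (assumed group name "netadmins").
config user group
    edit "radius_grp"
        set member "radius_server"
        config match
            edit 1
                set server-name "radius_server"
                set group-name "netadmins"
            next
        end
    next
end

config system admin
    edit "radius_admin"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "radius_grp"
    next
end

# Checks: run from the CLI with a real account (assumed test user jdoe). The output
# reports whether authentication succeeded and which group memberships were returned.
diagnose test authserver ldap ldap_server jdoe <password>
diagnose test authserver radius radius_server pap jdoe <password>
```

Run the diagnose commands before granting the wildcard account a privileged profile: if the LDAP group filter or the RADIUS group attribute is wrong, the failure shows up here rather than as a lockout or, worse, as unintended access. Because every matched user inherits the access profile of the one local account, assign the narrowest profile that the group actually needs rather than defaulting to super_admin.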
