Administration Guide

Administrators

You can use the default “admin” account to configure administrator accounts, adjust system settings, upgrade firmware, create backup files, and configure security features.

This section covers the following topics:

Setting the administrator password

By default, your system has an administrator account set up with the user name admin and no password. On your first login to the GUI or CLI of a new FortiSwitch unit, you must create an admin password. You are also forced to create an admin password after resetting the FortiSwitch configuration to the factory default settings with the execute factoryreset or execute factoryresetfull command.

Because FortiSwitchOS 7.0.0 changed from SHA1 to SHA256 encryption for admin passwords, you need to convert the format of the admin password before downgrading from FortiSwitchOS 7.0.0 and later to an earlier FortiSwitchOS version.

Caution: If you do not convert the admin password before downgrading from FortiSwitch 7.0.0 and later, the admin password will not work after the switch reboots with the earlier FortiSwitchOS version.

When upgrading from a FortiSwitchOS version earlier than 7.0.0 to FortiSwitch 7.0.0 or later, the admin password will remain in SHA1 encryption.

The encrypted admin password in FortiSwitchOS 7.0.0 and higher starts with “SH2”, and the encrypted admin password for earlier FortiSwitchOS versions starts with “AK1”.

To convert the format of the admin password in FortiSwitch 7.0.0 and later before downgrading to an earlier FortiSwitchOS version:
  1. Enter the following CLI command to convert the admin password from SHA256 to SHA1 encryption:

    execute system admin account-convert <admin_name>

  2. Downgrade your firmware.
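
The following added example (not part of the original guide or Fortinet tooling) reads a configuration backup and uses the "SH2" and "AK1" prefixes to list which administrators need account-convert before a downgrade and which are still stored as SHA1. The backup layout with "set password ENC <value>" and the sample hash bodies are assumptions constructed for the example.

```python
import re

# Constructed sample backup. The 'set password ENC <value>' layout, the nested
# block and the hash bodies are assumptions for this example, not from the guide.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC SH2constructedHashBodyA
        config dashboard
            edit 1
            next
        end
    next
    edit "netops"
        set password ENC AK1constructedHashBodyB
    next
    edit "RADIUS_Admins"
        set remote-auth enable
    next
end
"""
FORMATS = {"SH2": "SHA256", "AK1": "SHA1"}  # prefixes given in the guide

def admin_hash_formats(config_text):
    """Map each admin to 'SHA256', 'SHA1', 'unknown', or None (no local hash)."""
    admins, stack, name = {}, [], None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])   # track nested config blocks
        elif line == "end" and stack:
            stack.pop()
        elif stack == ["system admin"]:           # ignore lines in nested blocks
            edit = re.match(r'edit\s+"?([^"]+)"?$', line)
            if edit:
                name = edit.group(1)
                admins[name] = None
            elif name and line.startswith("set password ENC "):
                admins[name] = FORMATS.get(line.split()[3][:3], "unknown")
    return admins

def conversion_commands(config_text):
    """Commands to run on 7.0.0 or later before a downgrade, one per SH2 admin."""
    return [f"execute system admin account-convert {n}"
            for n, f in admin_hash_formats(config_text).items() if f == "SHA256"]

def still_sha1(config_text):
    """Admins still stored in the pre-7.0.0 format, for example after an upgrade."""
    return [n for n, f in admin_hash_formats(config_text).items() if f == "SHA1"]
```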

To set the admin password in the GUI:
  1. From the admin menu in the page banner, select Change Password.
  2. Enter the new password in the Password and Confirm Password fields. Passwords can be up to 64 characters in length.
  3. Select Change.

Setting the password retries and lockout time

By default, the system includes a set number of three password retries, allowing the administrator a maximum of three attempts to log into their account before they are locked out for a set amount of time (by default, 60 seconds).

You can change both the number of attempts and the wait time before the administrator can try to enter a password again. Adjusting these values can make the account more difficult to hack. Both settings must be configured with the CLI.

To configure the lockout options:

    config system global
        set admin-lockout-threshold <failed_attempts>
        set admin-lockout-duration <seconds>
    end

For example, to set the lockout threshold to one attempt and the lockout duration to five minutes (300 seconds), enter these commands:

    config system global
        set admin-lockout-threshold 1
        set admin-lockout-duration 300
    end

Using PKI

You can use Public Key Infrastructure (PKI) to require administrators to provide a valid certificate when logging in with HTTPS.

Use the following steps to configure PKI:

  1. Configure a peer user.
  2. Add the peer user to a user group.
  3. Configure the administrator account.
  4. Configure the global settings.

To configure a peer user:

    config user peer
        edit <peer_name>
            set ca <name_of_certificate_authority>
        next
    end

For example:

    config user peer
        edit pki_peer_1
            set ca Fortinet_CA
        next
    end

To add the peer user to a user group:

    config user group
        edit <group_name>
            set member <peer_name>
        next
    end

For example:

    config user group
        edit pki_group_1
            set member pki_peer_1
        next
    end

To configure the administrator account:

    config system admin
        edit <admin_name>
            set peer-auth enable
            set peer-group <group_name>
        next
    end

For example:

    config system admin
        edit pki_admin_1
            set peer-auth enable
            set peer-group pki_group_1
        next
    end

To configure the global settings:

    config system global
        set admin-https-pki-required enable
        set clt-cert-req enable
    end

Adding administrators

Only the default “admin” account can create a new administrator account. If required, you can add an additional account with read-write access control to add new administrator accounts.

If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain.

When adding administrators, you are setting up the administrator’s user account. An administrator account comprises an administrator’s basic settings as well as their access profile. The access profile is a definition of what the administrator is capable of viewing and editing.

Follow one of these procedures to add an administrator.

Using the GUI:
  1. Go to System > Admin > Administrators.
  2. Select Add Administrator.
  3. Enter the administrator name.
  4. Select the type of account. If you select Remote, the system can reference a RADIUS or TACACS+ server.
  5. If you selected Remote, select the User Group the account will access, whether wildcards are accepted, and whether the access profile group can be overridden.
  6. Enter the password for the user. Passwords can be up to 64 characters in length.
  7. Select Add.

Using the CLI:

    config system admin
        edit <admin_name>
            set password <password>
            set accprofile <profile_name>
    end

Configuring administrative logins

You can configure the RADIUS server to set the access profile. This process uses RADIUS vendor-specific attributes (VSAs) passed to the FortiSwitch unit for authorization. The RADIUS access profile override is mainly used for administrative logins.

Using the GUI:
  1. Go to System > Admin > Administrators.
  2. Select Add Administrator.
  3. Select Remote.
  4. In the Administrator field, enter a name for the RADIUS system administrator.
  5. Select the user group.
  6. Select Wildcard.
  7. Select Accprofile Override.
  8. Select Add.

Using the CLI:

The following code creates a RADIUS-system admin group with accprofile-override enabled:

    config system admin
        edit "RADIUS_Admins"
            set remote-auth enable
            set accprofile no_access
            set wildcard enable
            set remote-group "RADIUS_Admins"
            set accprofile-override enable
        next
    end

Ensure that the RADIUS server is configured to send the appropriate VSA.

To send an appropriate group membership and access profile, set VSA 1 and VSA 6, as in the following code:

    VENDOR fortinet 12356
    ATTRIBUTE Fortinet-Group-Name 1 <admin profile>
    ATTRIBUTE Fortinet-Access-Profile 6 <access profile>

The value of VSA 1 must match the remote group, and VSA 6 must match a valid access profile.
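
To check what a RADIUS server actually sends, the following added example (not part of the original guide) decodes the Vendor-Specific attributes (type 26, RFC 2865) from the attribute bytes of an Access-Accept and applies the two rules above. The sample replies and the set of valid profiles are constructed for the example, and check_override is a hypothetical helper name.

```python
import struct

FORTINET_VENDOR_ID = 12356  # from the VENDOR line in the guide
VSA_NAMES = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}

def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute (type 26, RFC 2865) for a test reply."""
    data = value.encode()
    sub = bytes([vendor_type, 2 + len(data)]) + data
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", FORTINET_VENDOR_ID) + sub

def fortinet_vsas(attrs):
    """Walk the attribute bytes of a reply and return {name: value} for VSA 1 and 6."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        if (atype == 26 and len(body) >= 6
                and struct.unpack("!I", body[:4])[0] == FORTINET_VENDOR_ID):
            j = 4  # skip the 4-byte Vendor-Id
            while j + 2 <= len(body):
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype in VSA_NAMES:
                    found[VSA_NAMES[vtype]] = body[j + 2:j + vlen].decode()
                j += vlen
        i += alen
    return found

def check_override(attrs, remote_group, valid_profiles):
    """Return a list of problems; an empty list means both rules are satisfied."""
    vsas = fortinet_vsas(attrs)
    problems = []
    if vsas.get("Fortinet-Group-Name") != remote_group:
        problems.append("VSA 1 does not match remote group")
    if vsas.get("Fortinet-Access-Profile") not in valid_profiles:
        problems.append("VSA 6 is not a valid access profile")
    return problems

# Constructed replies: a Reply-Message (type 18) followed by the two Fortinet VSAs.
GOOD_REPLY = (bytes([18, 4]) + b"ok" + encode_vsa(1, "RADIUS_Admins")
              + encode_vsa(6, "super_admin"))
BAD_REPLY = encode_vsa(1, "RADIUS_Admins") + encode_vsa(6, "superadmin")
```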
