Administrators
You can use the default “admin” account to configure administrator accounts, adjust system settings, upgrade firmware, create backup files, and configure security features.
This section covers the following topics:
- Setting the administrator password
- Setting the password retries and lockout time
- Using PKI
- Adding administrators
- Configuring administrative logins
Setting the administrator password
By default, your system has an administrator account set up with the user name admin
and no password. On your first login to the GUI or CLI of a new FortiSwitch unit, you must create an admin password. You are also forced to create an admin password after resetting the FortiSwitch configuration to the factory default settings with the execute factory reset
or execute factoryresetfull
command.
Because FortiSwitchOS 7.0.0 changed from SHA1 to SHA256 encryption for admin passwords, you need to convert the format of the admin password before downgrading from FortiSwitchOS 7.0.0 and later to an earlier FortiSwitchOS version.
If you do not convert the admin password before downgrading from FortiSwitch 7.0.0 and later, the admin password will not work after the switch reboots with the earlier FortiSwitchOS version. |
When upgrading from a FortiSwitchOS version earlier than 7.0.0 to FortiSwitch 7.0.0 or later, the admin password will remain in SHA1 encryption.
The encrypted admin password in FortiSwitchOS 7.0.0 and higher starts with “SH2”, and the encrypted admin password for earlier FortiSwitchOS versions starts with “AK1”.
To convert the format of the admin password in FortiSwitch 7.0.0 and later before downgrading to an earlier FortiSwitchOS version:
- Enter the following CLI command to convert the admin password from SHA256 to SHA1 encryption:
execute system admin account-convert <admin_name>
- Downgrade your firmware.
To set the admin password in the GUI:
- From the admin menu in the page banner, select Change Password.
- Enter the new password in the Password and Confirm Password fields. Passwords can be up to 64 characters in length.
- Select Change.
Setting the password retries and lockout time
By default, the system includes a set number of three password retries, allowing the administrator a maximum of three attempts to log into their account before they are locked out for a set amount of time (by default, 60 seconds).
The number of attempts can be set to an alternate value, as well as the default wait time before the administrator can try to enter a password again. You can also change this value to make it more difficult to hack. Both settings are must be configured with the CLI
To configure the lockout options:
config system global
set admin-lockout-threshold <failed_attempts>
set admin-lockout-duration <seconds>
end
For example, to set the lockout threshold to one attempt and the duration before the administrator can try again to log in to five minutes, enter these commands:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
Using PKI
You can use Public Key Infrastructure (PKI) to require administrators to provide a valid certificate when logging in with HTTPS.
Use the following steps to configure PKI:
- Configure a peer user.
- Add the peer user to a user group.
- Configure the administrator account.
- Configure the global settings.
To configure a peer user:
config user peer
edit <peer_name>
set ca <name_of_certificate_authority>
next
end
For example:
config user peer
edit pki_peer_1
set ca Fortinet_CA
next
end
To add the peer user to a user group:
config user group
edit <group_name>
set member <peer_name>
next
end
For example:
config user group
edit pki_group_1
set member pki_peer_1
next
end
To configure the administrator account:
config system admin
edit <admin_name>
set peer-auth enable
set peer-group <group_name>
next
end
For example:
config system admin
edit pki_admin_1
set peer-auth enable
set peer-group pki_group_1
next
end
To configure the global settings:
config system global
set clt-cert-req enable
end
config system web
set https-pki-required enable
end
Adding administrators
Only the default “admin” account can create a new administrator account. If required, you can add an additional account with read-write access control to add new administrator accounts.
If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain.
When adding administrators, you are setting up the administrator’s user account. An administrator account comprises an administrator’s basic settings as well as their access profile. The access profile is a definition of what the administrator is capable of viewing and editing.
Only a single administrator with wildcards is supported. |
Follow one of these procedures to add an administrator.
Using the GUI:
- Go to System > Admin > Administrators.
- Select Add Administrator.
- Enter the administrator name.
- Select the type of account. If you select Remote, the system can reference a RADIUS or TACACS+ server.
- If you selected Remote, select the User Group the account will access, whether wildcards are accepted, and whether the access profile group can be overridden.
- Enter the password for the user. Passwords can be up to 64 characters in length.
- Select Add.
Using the CLI:
config system admin
edit <admin_name>
set password <password>
set accprofile <profile_name>
end
Configuring administrative logins
You can configure the RADIUS server to set the access profile. This process uses RADIUS vendor-specific attributes (VSAs) passed to the FortiSwitch unit for authorization. The RADIUS access profile override is mainly used for administrative logins.
Using the GUI:
- Go to System > Admin > Administrators.
- Select Add Administrator.
- Select Remote.
- In the Administrator field, enter a name for the RADIUS system administrator.
- Select the user group.
- Select Wildcard.
- Select Accprofile Override.
- Select Add.
Using the CLI:
The following code creates a RADIUS-system admin group with accprofile-override enabled:
config system admin
edit "RADIUS_Admins"
set remote-auth enable
set accprofile no_access
set wildcard enable
set remote-group "RADIUS_Admins"
set accprofile-override enable
next
Ensure that the RADIUS server is configured to send the appropriate VSA.
To send an appropriate group membership and access profile, set VSA 1 and VSA 6, as in the following code:
VENDOR fortinet 12356
ATTRIBUTE Fortinet-Group-Name 1 <admin profile>
ATTRIBUTE Fortinet-Access-Profile 6 <access profile>
The value of VSA 1 must match the remote group, and VSA 6 must match a valid access profile.