FortiGate
krajaa
Staff
Article Id 191581

Description


This article describes how to restrict local admin authentication while a remote authentication server is running.

Solution


# config system global
    set admin-restrict-local {enable | disable} <----- Default is set to disable.
end

 

 

Behavior prior to FortiOS v7.2.0:


If enabled, local admin authentication is blocked as long as any remote server configured on the FortiGate (TACACS, LDAP, or RADIUS) is up and running. Local admins are allowed access only if no remote server is detected.

 

Behavior from FortiOS v7.2.0:


If enabled, FortiGate now checks only whether all remote authentication servers applied in 'system admin' are down, instead of all remote servers configured on the FortiGate, before allowing local administrators to log in.
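
The difference between the two behaviors, as an added example (not Fortinet code and not part of the original article): Python that reads a constructed, flat FortiOS config and lists the remote servers that must all be down before a local admin may log in. It assumes "applied in 'system admin'" means servers that are members of a user group referenced by an admin's remote-group; SAMPLE, the server and group names, and the function names are hypothetical, and nested config blocks are not handled.

```python
import re
REMOTE_SECTIONS = ("user radius", "user ldap", "user tacacs+")
# Constructed sample backup: RADIUS authenticates admins, LDAP only VPN users.
SAMPLE = '''
config user radius
    edit "RAD-ADMIN"
    next
end
config user ldap
    edit "LDAP-VPN"
    next
end
config user group
    edit "fw-admins"
        set member "RAD-ADMIN"
    next
end
config system admin
    edit "remote-admins"
        set remote-auth enable
        set remote-group "fw-admins"
    next
end
'''

def parse(cfg):  # flat FortiOS config -> {section: {entry: {key: [values]}}}
    out, section, entry = {}, None, None
    for line in cfg.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] == ["config"]:
            section = out.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    return out

def gating_servers(cfg, v72_or_later):
    """Gating servers: all configured (pre-7.2.0) or admin-referenced (7.2.0+)."""
    c = parse(cfg)
    servers = {n for s in REMOTE_SECTIONS for n in c.get(s, {})}
    in_admin = {m for a in c.get("system admin", {}).values()
                for g in a.get("remote-group", [])
                for m in c.get("user group", {}).get(g, {}).get("member", [])}
    return servers & in_admin if v72_or_later else servers

def local_login_allowed(cfg, servers_up, v72_or_later):
    """admin-restrict-local enabled: allow only if no gating server is up."""
    return not (gating_servers(cfg, v72_or_later) & set(servers_up))
```

With the sample config, an outage of RAD-ADMIN while LDAP-VPN stays up still blocks local admins before v7.2.0, but lets them log in from v7.2.0.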

 

NOTE.

This setting applies to FortiGate GUI and CLI (SSH/Telnet) access only. In both cases, console access to the FortiGate remains available to local administrators even if the remote authentication servers are up.