Anthony_E
Community Manager
Article Id 192697
Description
This article describes the 'Match all users on remote server' administrator setting on FortiManager and FortiAnalyzer, and how it changes which administrator entry (and therefore which profile and ADOM scope) a remotely authenticated user is assigned to.

Solution
1) Given local users a.admin, b.admin and c.admin with RADIUS enabled on FortiAuthenticator.

2) On FortiAnalyzer, a remote authentication server 'FAC' is created and a new administrator 'FAC' is created with 'Match all users on remote server' enabled.

3) Notice that 'a.admin' and 'b.admin' are able to log in to FortiAnalyzer and are assigned the 'FAC' admin template.
FAZVM64 # diagnose system admin-session list
*** entry 0 ***
session_id: 35411 (seq: 0)
username: a.admin
admin template: FAC
from: GUI(192.168.244.169) (type 0)
profile: Super_User (type 3)
adom: root
session length: 170 (seconds)
 
*** entry 1 ***
session_id: 10077 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 19 (seconds)
idle: 5 (seconds)
4) Now a new administrator 'a.admin' is created with the Standard_User profile and access to 'a_adom' only. 'Match all users on remote server' is selected on this entry as well.

5) When logging in as 'a.admin', the admin profile is still 'Super_User' and the session can access all ADOMs.
*** entry 1 ***
session_id: 541 (seq: 0)
username: a.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 152 (seconds)
idle: 39 (seconds)
6) Once 'Match all users on remote server' is unchecked for 'a.admin', 'a.admin' is assigned to the 'a.admin' admin template and can only access 'a_adom'.
*** entry 1 ***
session_id: 17948 (seq: 0)
username: a.admin
admin template: a.admin
from: GUI(192.168.244.169) (type 1)
profile: Standard_User (type 2)
adom: a_adom
session length: 86 (seconds)
idle: 62 (seconds)
7) 'b.admin' and 'c.admin' can still log in and are assigned the 'Super_User' profile.
*** entry 2 ***
session_id: 29427 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 59 (seconds)
idle: 37 (seconds)

*** entry 3 ***
session_id: 47111 (seq: 0)
username: c.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 15 (seconds)
idle: 6 (seconds)
8) Now, create a new administrator 'FAC_restricted' with admin profile 'Restricted_User' and access to the 'root' ADOM only, with 'Match all users on remote server' selected.

9) Notice that 'b.admin' and 'c.admin' are still assigned to the 'FAC' admin template, because 'FAC' sits above 'FAC_restricted' in the administrator list.
*** entry 1 ***
session_id: 13225 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 48 (seconds)
idle: 36 (seconds)

*** entry 2 ***
session_id: 47175 (seq: 0)
username: c.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 34 (seconds)
idle: 20 (seconds)
10) 'FAC_restricted' is moved above 'FAC' in the administrator list.

11) Notice that 'b.admin' and 'c.admin' are now assigned to the 'FAC_restricted' admin template and can only access the 'root' ADOM. 'a.admin' is still assigned to the 'a.admin' template.
*** entry 1 ***
session_id: 755 (seq: 0)
username: a.admin
admin template: a.admin
from: GUI(192.168.244.169) (type 1)
profile: Standard_User (type 2)
adom: a_adom
session length: 77 (seconds)
idle: 63 (seconds)

*** entry 2 ***
session_id: 1727 (seq: 0)
username: b.admin
admin template: FAC_restricted
from: GUI(192.168.244.169) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 63 (seconds)
idle: 4 (seconds)

*** entry 3 ***
session_id: 16953 (seq: 0)
username: c.admin
admin template: FAC_restricted
from: GUI(192.168.244.169) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 47 (seconds)
idle: 4 (seconds)
12) Conclusion: FortiManager / FortiAnalyzer first looks for an administrator entry whose name is exactly the username on the LDAP server (an entry where 'Match all users on remote server' is not selected).
If there is none, it matches the user against the entries that have 'Match all users on remote server' selected, using the Distinguished Name field of the remote server, from top to bottom of the administrator list; the first such entry wins.
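The following Python model is an added example, not Fortinet code and not taken from the article: it simulates the matching order concluded above and replays the article's steps against it. The entry names, profiles and ADOM names are the ones used in the article; the assumption that the step-4 'a.admin' entry sat below 'FAC' in the list is ours, as is the simplification that an entry with access to all ADOMs reports 'root' as its session ADOM. The `wildcard_super_users` check is the audit a defender would want: any 'Match all users on remote server' entry carrying Super_User grants full administrative access to every account the remote server can authenticate.

```python
"""Simulation of the administrator-matching order for remote users.

Added example (not Fortinet code). Models how FortiManager / FortiAnalyzer
chooses the administrator entry, and so the profile and ADOM scope, for a
user authenticated by a remote server such as 'FAC'. Entry order is the
order of the administrator list in the GUI.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AdminEntry:
    """One administrator entry as configured on FortiAnalyzer."""
    name: str               # administrator name; doubles as the exact username to match
    remote_server: str      # remote authentication server the entry is bound to
    match_all_users: bool   # 'Match all users on remote server' checkbox
    profile: str            # admin profile, e.g. Super_User / Standard_User
    adoms: List[str]        # ADOMs the entry may access ('all' = every ADOM)


def resolve_admin(entries: List[AdminEntry], username: str,
                  remote_server: str) -> Optional[AdminEntry]:
    """Return the entry a remote-authenticated user is assigned to, or None.

    Rule modelled from the article's conclusion:
      1. an entry bound to this server whose name equals the username and
         that does NOT have 'Match all users on remote server' selected wins,
         regardless of its position in the list;
      2. otherwise the first entry (top to bottom) bound to this server that
         HAS 'Match all users on remote server' selected wins;
      3. if nothing matches, the login is refused (None).
    """
    for entry in entries:
        if (entry.remote_server == remote_server
                and not entry.match_all_users
                and entry.name == username):
            return entry
    for entry in entries:
        if entry.remote_server == remote_server and entry.match_all_users:
            return entry
    return None


def session_view(entries: List[AdminEntry], username: str,
                 remote_server: str = "FAC") -> Optional[Tuple[str, str, str]]:
    """(admin template, profile, adom) as 'diagnose system admin-session list' shows them.

    Simplification (assumption): an entry with access to all ADOMs is shown
    with ADOM 'root', matching the article's Super_User sessions.
    """
    entry = resolve_admin(entries, username, remote_server)
    if entry is None:
        return None
    adom = "root" if "all" in entry.adoms else entry.adoms[0]
    return (entry.name, entry.profile, adom)


def wildcard_super_users(entries: List[AdminEntry]) -> List[str]:
    """Audit check: wildcard entries that hand Super_User to every remote account."""
    return [e.name for e in entries if e.match_all_users and e.profile == "Super_User"]


# Constructed configurations reproducing the article's steps.
FAC = AdminEntry("FAC", "FAC", True, "Super_User", ["all"])                      # step 2
A_ADMIN_WILDCARD = AdminEntry("a.admin", "FAC", True, "Standard_User", ["a_adom"])   # step 4
A_ADMIN_EXACT = AdminEntry("a.admin", "FAC", False, "Standard_User", ["a_adom"])     # step 6
FAC_RESTRICTED = AdminEntry("FAC_restricted", "FAC", True, "Restricted_User", ["root"])  # step 8

STEP3 = [FAC]
STEP5 = [FAC, A_ADMIN_WILDCARD]          # assumes the new entry was added below 'FAC'
STEP6 = [FAC, A_ADMIN_EXACT]
STEP9 = [A_ADMIN_EXACT, FAC, FAC_RESTRICTED]
STEP11 = [A_ADMIN_EXACT, FAC_RESTRICTED, FAC]   # 'FAC_restricted' moved above 'FAC'

if __name__ == "__main__":
    for label, cfg in (("step 3", STEP3), ("step 5", STEP5), ("step 6", STEP6),
                       ("step 9", STEP9), ("step 11", STEP11)):
        for user in ("a.admin", "b.admin", "c.admin"):
            print(f"{label}: {user} -> {session_view(cfg, user)}")
    print("wildcard entries granting Super_User:", wildcard_super_users(STEP11))
```

Run it as-is to see the per-step assignments; the important lesson it reproduces is that a wildcard entry's position in the list decides the outcome for every user not covered by an exact-name entry, so a Super_User wildcard entry should sit below any restricted one, or better, not exist at all.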