FortiGate
AmirZ
Staff
Article Id 255888

 

Description This article describes how to manage administrative access to FortiGate through FortiAuthenticator, based on the admin account profile privileges created on FortiGate.
Scope FortiGate.
Solution

FortiGate steps:

1) Create a new admin profile with the privileges needed (in this example, a read-only profile is used).

Note:

The name of this profile must exactly match the name used in FortiAuthenticator step 2 (creating the group – RADIUS attributes).

 


 

2) Create a RADIUS server. In this case, FortiAuthenticator acts as the RADIUS server.

Note:

Verify these settings against step 1 on FortiAuthenticator.

 


 

3) This step should be completed after step 3 on FortiAuthenticator.

Create a group on FortiGate that matches the remote server. Specify the remote server group name, which must be the same as the name of the group created on FortiAuthenticator.

 


 

4) Create a new admin user with wildcard enabled to match the group created on FortiAuthenticator, so that any user added to the FortiAuthenticator group can access the FortiGate with the privileges associated with the RADIUS attribute.
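
The four FortiGate steps above expressed as FortiOS CLI, as an added example that is not taken from the original article or its screenshots. The object names (FAC-ReadOnly, FAC-RADIUS, FGT-Admins, fac-wildcard), the server address, the secret placeholder and the use of accprofile-override are assumptions.

```fortios
# Added example; all names and the address below are constructed placeholders.
# Step 1: read-only admin profile. Permission group names vary by FortiOS version.
config system accprofile
    edit "FAC-ReadOnly"
        set sysgrp read
        set netgrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set loggrp read
        set authgrp read
    next
end
# Step 2: FortiAuthenticator as the RADIUS server (192.0.2.10 is a documentation address).
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret <shared-secret>
    next
end
# Step 3: group-name must equal the group name created on FortiAuthenticator
# (the value returned in Fortinet-Group-Name).
config user group
    edit "FGT-Admins"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "FGT-Admins"
            next
        end
    next
end
# Step 4: wildcard admin. accprofile-override lets the Fortinet-Access-Profile
# value choose the profile; accprofile is what applies when that attribute is
# not returned, so keep it least-privilege.
config system admin
    edit "fac-wildcard"
        set remote-auth enable
        set wildcard enable
        set remote-group "FGT-Admins"
        set accprofile "FAC-ReadOnly"
        set accprofile-override enable
    next
end
```

The value FortiAuthenticator returns in Fortinet-Access-Profile has to name a profile that exists under `config system accprofile`, character for character.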

 


 

FortiAuthenticator Steps:

Assumption: LDAP server config already exists and remote users are imported to FortiAuthenticator.

 

1) Configure FortiGate client:

 


 

2) Configure the user group (this is the basic step where the RADIUS attributes are matched).

The name of this group is the same as the value used for the RADIUS attribute ‘Fortinet-Group-Name’.

The ‘Fortinet-Access-Profile’ attribute must be exactly the same name as the admin profile created in step 1 of the FortiGate configuration.

In this step, select the LDAP users who should be allowed to access the FortiGate.

 


 

3) Configure RADIUS policies:

 


 

Related article:

Technical Tip: Remote admin login with Radius selecting admin access account profile 

 

 
