vraev
Staff
Article Id 289365
Description

This article describes a new v7.4.2 feature: the admin password-only change profile.

Scope

FortiManager and FortiAnalyzer, v7.4.2 and later.

Solution

The latest release of FortiManager and FortiAnalyzer introduces a new admin profile that can only list admin users and change their passwords, either under the CLI or through API calls.

 

24435_user_creation.png

 

When the user is set up with the 'Password_Change_User' profile, all other options are removed except read/change password and rpc, which covers the JSON API calls.

The GUI is not accessible to a user with this profile assigned; only the CLI and JSON API calls are available.

 

24435_user_gui.png

 

To change the password under CLI:

 

24435_user_cli.png

 

config system admin user
    edit other_admin
        set password <pass>
end

 

Example:

 

pass_change_742.gif

 

Note:

  • Changing other options under the admin users is not allowed.
  • Creating a new admin user is not allowed.
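
The same password change through the JSON API, as an added example that is not from the original article or from Fortinet. The request paths (`/jsonrpc`, `/sys/login/user`, `/sys/logout`, `/cli/global/system/admin/user/<name>`), the `update` method, the status-code check and the injectable `post` transport are assumptions based on FortiManager JSON-RPC conventions; confirm them against the API reference for the running version.

```python
import json
import urllib.request

# Assumed JSON-RPC paths (not shown on this page; confirm against the API reference).
LOGIN_URL = "/sys/login/user"
LOGOUT_URL = "/sys/logout"
ADMIN_URL = "/cli/global/system/admin/user/{name}"

def https_post(host, body):
    """Default transport: POST to https://<host>/jsonrpc with TLS verification on."""
    req = urllib.request.Request(
        f"https://{host}/jsonrpc",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def rpc(post, host, method, url, data=None, session=None, req_id=1):
    """Send one JSON-RPC request and raise if the device reports a non-zero status."""
    param = {"url": url}
    if data is not None:
        param["data"] = data
    body = {"id": req_id, "method": method, "params": [param]}
    if session:
        body["session"] = session
    reply = post(host, body)
    status = reply["result"][0]["status"]
    if status["code"] != 0:
        raise PermissionError(f"{method} {url}: {status['code']} {status.get('message', '')}")
    return reply

def change_admin_password(host, api_user, api_pass, target, new_pass, post=https_post):
    """Log in as the password-change user, update one admin's password, log out."""
    session = rpc(post, host, "exec", LOGIN_URL,
                  {"user": api_user, "passwd": api_pass})["session"]
    try:
        # "update" targets an existing entry; this profile cannot create admins.
        rpc(post, host, "update", ADMIN_URL.format(name=target),
            {"password": new_pass}, session, req_id=2)
    finally:
        # Always release the session, even when the update is refused.
        rpc(post, host, "exec", LOGOUT_URL, session=session, req_id=3)
    return True
```

Read both passwords from a prompt or a secrets store rather than from command-line arguments, so they do not end up in shell history or process listings.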

 

Troubleshooting:

Connect with a local 'admin' account under the CLI and start the following debugs.

After that, try to connect with the password change user:

 

diagnose debug reset
diagnose debug application auth 255
diagnose debug timestamp enable
diagnose debug enable

 

user_pass_troubleshooting.png

 

After reviewing the connected user(s), disable the debugs:

diagnose debug disable
diagnose debug reset

 

Note:

Command parameters are case-sensitive. Quotes are always used around the parameters, as in this example: 'my_Account'.

 

Related Article:

Technical Tip: IPS profile enhancement under FortiManager in v7.4.2