FortiGate
anoushiravan
Staff
Article Id 307369
Description

This article describes how FortiGate matches remote administrators against wildcard admin accounts. Admin accounts are used to manage the FortiGate over the GUI and SSH.

When administrators are members of a group on a remote server such as LDAP, RADIUS or TACACS+, the wildcard option on an admin account avoids creating an individual admin account on the FortiGate for each of them: one local admin account with wildcard enabled is matched against the configured remote group, and every user the remote server authenticates into that group logs in with that account's access profile and VDOM.

Scope
FortiGate.
Solution

By current FortiOS design, only one wildcard admin account is consulted when a remote user logs in; any other admin accounts with wildcard enabled are ignored, even if the user belongs to the remote group configured on them. Several wildcard admin accounts with different access profiles or VDOM scopes are therefore not supported, and a customer who needs this must submit a new feature request (NFR). The supported alternative is to create an individual admin account whose name exactly matches the remote username: FortiGate checks for an admin account with the exact name before it falls back to the wildcard account, so the named account's access profile and VDOM restriction take precedence.

The security consequence is worth stating plainly: every remote user who authenticates through the wildcard path inherits the access profile and VDOM of the one wildcard account that is consulted. If that account grants super_admin on the root VDOM, a user who was only meant to manage a single VDOM gets full administrative access, as the example below shows.

The example below shows the configuration and the debug output for two wildcard admin accounts. The requirement is that the remote user ('soniya' in the debug output) should be able to access only the VDOM named 'sales'.

In this scenario the user is a member of the user group tied to each of the two remote TACACS+ servers, but only 'server.tacacs.admin', the wildcard account bound to the 'sales' VDOM, is meant to apply to her.

The expectation is therefore that the group 'server.tacacs.group' is matched. The debug output shows instead that only the group 'fac.tacacs.group', configured on the first wildcard admin account 'fac.tacacs.admin', is examined:


config system admin
    edit "fac.tacacs.admin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root" <---
        set wildcard enable <---
        set remote-group "fac.tacacs.group"
    next
    edit "server.tacacs.admin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "sales" <---
        set wildcard enable <---
        set remote-group "server.tacacs.group"
    next
end


config user tacacs+
    edit "fac.tacas+"
        set server "10.125.5.135"
        set key ENC EVvOGEr40yyHIZv71sRZmgcssI4wvb91QnkmbsVu6JBSoLaAbfNoa3FAXzKOUDtsx/F4nNfxAXr0qW+NSPkPJ2eGADJWORzdSfuIgXfnKiL3RP++rF8NzUedl8wf774D0jzcWnZPa1wJQwgioPvrNR2jUcmrVwQzr3Fe3XdlkH8IO8di4xOV/5lzXBoFZ0AHnfoNbw==
    next
    edit "server.tacas+"
        set server "10.160.5.136"
        set key ENC EVvOGEr40yyHIZv71sRZmgcssI4wvb91QnkmbsVu6JBSoLaAbfNoa3FAXzKOUDtsx/F4nNfxAXr0qW+NSPkPJ2eGADJWORzdSfuIgXfnKiL3RP++rF8NzUedl8wf774D0jzcWnZPa1wJQwgioPvrNR2jUcmrVwQzr3Fe3XdlkH8IO8di4xOV/5lzXBoFZ0AHnfoNbw==
    next
end


config user group
    edit "fac.tacacs.group"
        set member "fac.tacas+"
    next
    edit "server.tacacs.group"
        set member "server.tacas+"
    next
end
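To audit a configuration for this condition before it bites, the following script (an added example, not Fortinet code) parses a FortiOS 'config system admin' block, reports which wildcard admin account will actually be consulted and which ones are silently ignored, and resolves which account a given remote username lands on. It assumes the lookup order the article describes: an admin account whose name equals the remote username is used first, otherwise the first wildcard account in configuration order. The first sample configuration is the one shown above; the second sample, adding a named account for 'soniya', is a constructed illustration of the workaround.

```python
"""Audit a FortiOS 'config system admin' block for wildcard admin accounts.

Added example, not Fortinet code. Assumed lookup order (as observed in the
article): an entry named exactly like the remote user wins; otherwise only the
first entry with 'set wildcard enable', in configuration order, is consulted.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field


@dataclass
class AdminEntry:
    name: str
    settings: dict[str, list[str]] = field(default_factory=dict)

    @property
    def wildcard(self) -> bool:
        return self.settings.get("wildcard", ["disable"])[0] == "enable"

    def describe(self) -> str:
        return (f"{self.name}: accprofile={self.settings.get('accprofile', ['?'])[0]} "
                f"vdom={','.join(self.settings.get('vdom', ['?']))}")


def parse_system_admin(cli_text: str) -> list[AdminEntry]:
    """Parse 'edit ... set ... next' entries; 'config'/'end' lines are ignored."""
    entries: list[AdminEntry] = []
    current: AdminEntry | None = None
    for raw in cli_text.splitlines():
        line = raw.split("<---", 1)[0].strip()  # drop annotation arrows if present
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "edit" and len(tokens) == 2:
            current = AdminEntry(tokens[1])
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current.settings[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            entries.append(current)
            current = None
    return entries


def resolve_admin(entries: list[AdminEntry], username: str) -> AdminEntry | None:
    """Return the admin entry a remote login by `username` will be mapped to."""
    for entry in entries:  # an account with the exact name takes precedence
        if entry.name == username:
            return entry
    for entry in entries:  # otherwise only the first wildcard entry is consulted
        if entry.wildcard:
            return entry
    return None


def audit_wildcards(entries: list[AdminEntry]) -> tuple[AdminEntry | None, list[AdminEntry]]:
    """Return (effective wildcard entry, wildcard entries that will never apply)."""
    wildcards = [e for e in entries if e.wildcard]
    return (wildcards[0] if wildcards else None), wildcards[1:]


# Sample copied from the article's 'config system admin' output.
SAMPLE_CONFIG = """
config system admin
    edit "fac.tacacs.admin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "fac.tacacs.group"
    next
    edit "server.tacacs.admin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "sales"
        set wildcard enable
        set remote-group "server.tacacs.group"
    next
end
"""

# Constructed workaround (not from the article): a named account for the remote user.
NAMED_ACCOUNT_FIX = """
config system admin
    edit "soniya"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "sales"
        set remote-group "server.tacacs.group"
    next
end
"""

if __name__ == "__main__":
    for label, text in (("as shipped", SAMPLE_CONFIG),
                        ("with named account", SAMPLE_CONFIG + NAMED_ACCOUNT_FIX)):
        entries = parse_system_admin(text)
        effective, ignored = audit_wildcards(entries)
        print(f"[{label}] effective wildcard: {effective.describe() if effective else None}")
        for e in ignored:
            print(f"[{label}] WARNING ignored wildcard account: {e.describe()}")
        target = resolve_admin(entries, "soniya")
        print(f"[{label}] soniya -> {target.describe() if target else None}")
```

Run it against a `show system admin` dump: any account listed as an ignored wildcard is a configuration that looks restrictive but never takes effect, and the `soniya ->` line shows the VDOM and access profile the user actually receives.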


As the debug output shows, FortiGate only checks the remote group 'fac.tacacs.group' of the wildcard admin account 'fac.tacacs.admin' to match the user 'soniya': the fnbamd request is raised for 'soniya in fac.tacacs.group', only the server 'fac.tacas+' is tried, and the httpsd login_attempt line reports admin_name='fac.tacacs.admin' and vdom='root'.

As a result the user is logged in with the access profile and VDOM of that account and can access the 'root' VDOM, while the group 'server.tacacs.group' is never evaluated, because only one wildcard admin account is used by FortiOS design. In the commands below, 'di de app fnbamd -1' and 'di de app httpsd -1' enable full debugging for the authentication daemon and the GUI login handler, and 'di de cons time enable' adds timestamps to each line:


Spoke1 # di de dis
Spoke1 # di de reset
Spoke1 # di de cons time enable
Spoke1 # di de app fnbamd -1
Debug messages will be on for 30 minutes.
Spoke1 # di de app httpsd -1
Debug messages will be on for 30 minutes.
Spoke1 # di de enable


Spoke1 # 2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] fweb_debug_init[417] -- New POST request for "/logincheck" from "172.26.61.4:52881"
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] fweb_debug_init[419] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] fweb_debug_init[421] -- Handler "logincheck-handler" assigned to request
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] logincheck_handler[421] -- entering vdom for login_attempt (vdom='root')
2024-03-06 12:26:05 [1916] handle_req-Rcvd auth req 471980690 for soniya in fac.tacacs.group opt=00014001 prot=11
2024-03-06 12:26:05 [475] __compose_group_list_from_req-Group 'fac.tacacs.group', type 1
2024-03-06 12:26:05 [616] fnbamd_pop3_start-soniya
2024-03-06 12:26:05 [2255] fnbamd_user_ldap_create-LDAP servers are created, vfid=0, total=1
2024-03-06 12:26:05 [378] radius_start-Didn't find radius servers (0)
2024-03-06 12:26:05 [1068] __tac_plus_try_next_server-Try fac.tacas+:10.125.5.135
2024-03-06 12:26:05 [358] __tac_plus_dns_cb-Resolved fac.tacas+:10.125.5.135 to 10.125.5.135, cur stack size:1
2024-03-06 12:26:05 [278] sock_connect-connecting fac.tacas+:10.125.5.135: 10.125.5.135
2024-03-06 12:26:05 [491] ldap_start-Didn't find ldap servers
2024-03-06 12:26:05 [642] create_auth_session-Total 1 server(s) to try
2024-03-06 12:26:05 [390] is_sock_connected-tcp connected
2024-03-06 12:26:05 [497] build_authen_start-building authen start packet: authen_type=2(pap)
2024-03-06 12:26:05 [763] tac_plus_result-Authen sending request
2024-03-06 12:26:05 [405] pak_send-Encrypting pkt
2024-03-06 12:26:05 [1210] fsm_tac_plus_update_result-Continue pending for req 471980690
2024-03-06 12:26:05 [773] tac_plus_result-Authen receiving reply
2024-03-06 12:26:05 [462] pak_recv-read all header, data len 6
2024-03-06 12:26:05 [1210] fsm_tac_plus_update_result-Continue pending for req 471980690
2024-03-06 12:26:05 [773] tac_plus_result-Authen receiving reply
2024-03-06 12:26:05 [557] parse_authen_reply-authen result=1(pass)
2024-03-06 12:26:05 [1658] fnbam_user_auth_group_match-req id: 471980690, server: fac.tacas+, local auth: 0, dn match: 0
2024-03-06 12:26:05 [286] find_matched_usr_grps-Passed group matching
2024-03-06 12:26:05 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 471980690, len=2092
2024-03-06 12:26:05 [798] destroy_auth_session-delete session 471980690
2024-03-06 12:26:05 [1077] tac_plus_destroy-fac.tacas+
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] logincheck_handler[523] -- login attempt OK, VDOM updated to 'root'
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] logincheck_handler[529] -- login_attempt (method=5, vdom='root', name='soniya',admin_name='fac.tacacs.admin', auth_svr='fac.tacas+')  <
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] output_response[58] -- sent response (status='1', buf='document.location="/prompt?viewOnly&redir=%2F";
')
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] fweb_debug_final[306] -- Completed POST request for "/logincheck" (HTTP 200)
2024-03-06 12:26:06 [httpsd 10613 - 1709724366 info] fweb_debug_init[417] -- New GET request for "/api/v2/monitor/web-ui/node-auth" from "172.26.61.4:52881"
2024-03-06 12:26:06 [httpsd 10613 - 1709724366 info] fweb_debug_init[419] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
2024-03-06 12:26:06 [httpsd 10613 - 1709724366 info] fweb_debug_init[421] -- Handler "api_monitor_v2-handler" assigned to request
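To confirm from a debug trace which account a login was mapped to, without reading the whole output, the following script (an added example, not Fortinet code) parses the fnbamd and httpsd lines above, extracts the request id, the remote group and server that were tried, the authentication result and the final login_attempt mapping, and compares the outcome with the intended admin account, group and VDOM. The line formats are taken from the output above and may differ on other FortiOS builds; the sample trace is a subset of that output, and the expected values are the ones the scenario calls for.

```python
"""Check a FortiGate fnbamd/httpsd login trace against the intended admin mapping.

Added example, not Fortinet code. The regexes match the debug line formats shown
in the article's output; other FortiOS builds may word these lines differently.
"""
from __future__ import annotations

import re

# Subset of the debug output shown in the article (copied, not constructed).
SAMPLE_TRACE = """\
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] logincheck_handler[421] -- entering vdom for login_attempt (vdom='root')
2024-03-06 12:26:05 [1916] handle_req-Rcvd auth req 471980690 for soniya in fac.tacacs.group opt=00014001 prot=11
2024-03-06 12:26:05 [475] __compose_group_list_from_req-Group 'fac.tacacs.group', type 1
2024-03-06 12:26:05 [1068] __tac_plus_try_next_server-Try fac.tacas+:10.125.5.135
2024-03-06 12:26:05 [557] parse_authen_reply-authen result=1(pass)
2024-03-06 12:26:05 [1658] fnbam_user_auth_group_match-req id: 471980690, server: fac.tacas+, local auth: 0, dn match: 0
2024-03-06 12:26:05 [286] find_matched_usr_grps-Passed group matching
2024-03-06 12:26:05 [httpsd 10613 - 1709724365 info] logincheck_handler[529] -- login_attempt (method=5, vdom='root', name='soniya',admin_name='fac.tacacs.admin', auth_svr='fac.tacas+')
"""

RE_AUTH_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+) opt=")
RE_TRY_SERVER = re.compile(r"__tac_plus_try_next_server-Try (\S+?):(\S+)")
RE_AUTHEN = re.compile(r"parse_authen_reply-authen result=(\d+)\((\w+)\)")
RE_LOGIN = re.compile(
    r"login_attempt \(method=(\d+), vdom='([^']*)', name='([^']*)',\s*"
    r"admin_name='([^']*)', auth_svr='([^']*)'\)"
)


def parse_login_trace(text: str) -> dict:
    """Collect the facts that identify which admin account a login resolved to."""
    info = {"req_id": None, "user": None, "groups_tried": [], "servers_tried": [],
            "authen": None, "admin_name": None, "vdom": None, "auth_svr": None}
    for line in text.splitlines():
        if m := RE_AUTH_REQ.search(line):       # which remote group fnbamd was asked to check
            info["req_id"], info["user"] = m.group(1), m.group(2)
            info["groups_tried"].append(m.group(3))
        elif m := RE_TRY_SERVER.search(line):   # which TACACS+ server was contacted
            info["servers_tried"].append((m.group(1), m.group(2)))
        elif m := RE_AUTHEN.search(line):       # pass/fail from the server
            info["authen"] = m.group(2)
        elif m := RE_LOGIN.search(line):        # final mapping chosen by httpsd
            info["vdom"], info["user"] = m.group(2), m.group(3)
            info["admin_name"], info["auth_svr"] = m.group(4), m.group(5)
    return info


def check_login(info: dict, expected_admin: str, expected_vdom: str,
                expected_group: str) -> list[str]:
    """Return findings as text; an empty list means the login matched intent."""
    findings = []
    if info["authen"] != "pass":
        findings.append(f"authentication did not pass (result={info['authen']})")
    if expected_group not in info["groups_tried"]:
        findings.append(f"group {expected_group!r} was never evaluated; tried {info['groups_tried']}")
    if info["admin_name"] != expected_admin:
        findings.append(f"mapped to admin account {info['admin_name']!r}, expected {expected_admin!r}")
    if info["vdom"] != expected_vdom:
        findings.append(f"login landed in vdom {info['vdom']!r}, expected {expected_vdom!r}")
    return findings


if __name__ == "__main__":
    info = parse_login_trace(SAMPLE_TRACE)
    print(f"req {info['req_id']}: user={info['user']} groups={info['groups_tried']} "
          f"servers={info['servers_tried']} authen={info['authen']}")
    for finding in check_login(info, "server.tacacs.admin", "sales", "server.tacacs.group"):
        print("FINDING:", finding)
```

For the trace above this reports three findings: 'server.tacacs.group' was never evaluated, the login was mapped to 'fac.tacacs.admin', and it landed in the 'root' VDOM, which is exactly the behaviour the article describes.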