Configuring administrator profiles
You can create custom profiles, and edit existing profiles, including the predefined profiles, as required. Only administrators with full system privileges can edit the administrator profiles.
To create a new profile:
- Go to System Settings > Admin > Profile and select Create New.
The Create Profile dialog box opens.
Figure 57: Create new administrator profile
- Configure the following settings:
Profile Name | Enter a name for this profile. |
Description | Enter a description for this profile. While not required, a description helps identify what the profile is for and the access levels it grants. |
Type | This field cannot be changed. The default type is System Admin. |
Other Settings | Select None, Read Only, or Read-Write access for the categories as required. |
- Select OK to save the new profile.
To edit a profile:
- From the profile list, right-click on a profile and select Edit, or double-click on a profile.
The Edit Profile dialog box opens.
- Edit the following settings as required:
Profile Name | Enter a name for this profile. |
Description | Enter a description for this profile. While not required, a description helps identify what the profile is for and the access levels it grants. |
Type | This field cannot be changed. The default type is System Admin. |
Other Settings | Select None, Read Only, or Read-Write access for the categories as required. |
To delete a profile:
- From the profile list, select the check box of the custom profile or profiles that you need to delete, then select Delete in the toolbar, or right-click on a profile and select Delete.
You can only delete custom profiles that are not applied to any administrators.
- Select OK in the confirmation dialog box to delete the profile.
Remote authentication server
The FortiAnalyzer system supports remote authentication of administrators using Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and Terminal Access Controller Access-Control System Plus (TACACS+) servers. To use this feature, you must configure a server entry in the FortiAnalyzer unit for each authentication server in your network. LDAP servers can be linked to all ADOMs or to specific ADOMs.
Go to System Settings > Admin > Remote Auth Server to view the server list.
Figure 58: Server list
The following information is displayed:
Name | The server name. Select the server name to edit the settings. |
Type | The type of server, either LDAP, RADIUS, or TACACS+. |
ADOM | The ADOM(s) that are associated with this server. This field is only applicable to LDAP servers. |
Details | The IP address or DNS resolvable domain name of the server. |
The following options are available:
Create New | Add a new LDAP, RADIUS, or TACACS+ server entry. See “To add an LDAP server:” on page 83, “To add a RADIUS server configuration:” on page 84, and “To add a TACACS+ server:” on page 85. |
Delete | Select the check box next to a server or servers, then select Delete. You cannot delete a server entry if there are administrator accounts using it. Delete is also available in the right-click menu. |
Edit | Right-click on a server and select Edit, or double-click on a server, to open the Edit Server page. |
To edit a remote authentication server:
- From the remote authentication server list, right-click on a server and select Edit, or double-click on a server, to open the Edit Server dialog box.
The appropriate edit window opens, depending on the server type selected.
- Change the settings as required and select OK to apply your changes.
To delete a server:
- From the remote authentication server list, select the check box beside the server or servers that you need to delete and then select Delete from the toolbar, or right-click on a server and select Delete.
- Select OK in the confirmation dialog box to delete the server entry.
LDAP server
LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol.
If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiAnalyzer unit contacts the LDAP server for authentication. To authenticate with the FortiAnalyzer unit, the user enters a user name and password. The FortiAnalyzer unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the FortiAnalyzer unit successfully authenticates the user. If the LDAP server cannot authenticate the user, the FortiAnalyzer unit refuses the connection. Because the credentials are forwarded as entered, protect the path to the LDAP server with a secure connection (LDAPS or STARTTLS) rather than plain LDAP.
To add an LDAP server:
- Go to System Settings > Admin > Remote Auth Server.
- Select Create New in the toolbar and select LDAP in the drop-down list.
The New LDAP Server dialog box opens.
Figure 59: New LDAP server
- Configure the following information:
Name | Enter a name to identify the LDAP server. |
Server Name/IP | Enter the IP address or fully qualified domain name of the LDAP server. |
Port | Enter the port for LDAP traffic. The default port is 389. |
Common Name Identifier | The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as uid. |
Distinguished Name | The distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. Select the query icon to query the distinguished name. |
Bind Type | Select the type of binding for LDAP authentication from the drop-down list. One of: Simple, Anonymous, or Regular. |
User DN | Enter the user distinguished name. This option is available when the Bind Type is set to Regular. These credentials are stored on the FortiAnalyzer unit, so use a dedicated directory account with read-only rights rather than a directory administrator. |
Password | Enter the user password. This option is available when the Bind Type is set to Regular. |
Secure Connection | Select to use a secure LDAP server connection for authentication. Without it, the bind user name and password cross the network to the LDAP server in clear text. |
Protocol | Select either LDAPS or STARTTLS in the protocol field. LDAPS normally listens on port 636, so set Port accordingly; STARTTLS upgrades the plain-text port (389 by default) to TLS. |
Certificate | Select the certificate in the drop-down list. It is used to validate the certificate that the LDAP server presents. |
Administrative Domain | Select either All ADOMs or Specify to select which ADOMs to link to the LDAP server. Select Specify and then select the Add icon to add Administrative Domains. Select the remove icon to remove an Administrative Domain. |
- Select OK to save the new LDAP server entry.
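The following is an added example, not code from the FortiAnalyzer guide or from Fortinet, showing how the login name a user types is turned into the LDAP search filter and bind DN that a remote authentication check sends, using the Common Name Identifier and Distinguished Name settings above. The point it adds to the table is escaping: the name is untrusted input, and RFC 4515 (filters) and RFC 4514 (DNs) define the characters that must be escaped so the name cannot change the shape of the query. The base DN, attribute names and sample user names are constructed for illustration, and the bind-type semantics in the comments (Simple binds directly as the constructed DN, Anonymous and Regular bind first and then search) are an assumption about the usual behaviour, not something the guide states.

```python
"""Turn a login name into a safe LDAP filter and bind DN (added example; offline)."""

# RFC 4515: characters with meaning inside a search filter, hex-escaped
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# RFC 4514: characters that must be backslash-escaped inside a DN attribute value
_DN_SPECIALS = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as one attribute value in a DN."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if value.startswith(("#", " ")):      # leading '#' or space is special too
        out = "\\" + out
    if value.endswith(" "):               # as is a trailing space
        out = out[:-1] + "\\ "
    return out


def search_filter(cnid: str, username: str) -> str:
    """Filter assumed for the Anonymous and Regular bind types: bind first
    (anonymously, or with the User DN credentials), then search below the
    Distinguished Name for the entry whose <cnid> equals the login name."""
    return f"({cnid}={escape_filter_value(username)})"


def simple_bind_dn(cnid: str, username: str, base_dn: str) -> str:
    """DN assumed for the Simple bind type: no search, the unit binds directly as
    <cnid>=<login name>,<Distinguished Name> with the password the user typed."""
    return f"{cnid}={escape_dn_value(username)},{base_dn}"


def describe_login(cnid: str, base_dn: str, username: str) -> dict:
    """What would go on the wire for one login attempt, both ways."""
    return {"filter": search_filter(cnid, username),
            "bind_dn": simple_bind_dn(cnid, username, base_dn)}


if __name__ == "__main__":
    base = "ou=people,dc=example,dc=com"                # constructed base DN
    for name in ("jdoe", "*)(objectClass=*", "jdoe,ou=admins"):  # constructed inputs
        print(repr(name), "->", describe_login("cn", base, name))
```

The second and third sample names show the difference escaping makes: unescaped, `*)(objectClass=*` would turn `(cn=...)` into a filter that matches every entry, and `jdoe,ou=admins` would move the bind DN to a different branch of the tree. The same escaping applies to any other field the unit fills from user input.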
RADIUS server
RADIUS is a user authentication and network-usage accounting system. When users connect to a server they enter a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network.
You can create or edit RADIUS server entries in the RADIUS server list to support authentication of administrators. When an administrator account’s type is set to RADIUS, the FortiAnalyzer unit uses the RADIUS server to verify the administrator password at logon. The password is not stored on the FortiAnalyzer unit.
To add a RADIUS server configuration:
- Go to System Settings > Admin > Remote Auth Server.
- Select Create New in the toolbar and select RADIUS in the drop-down list.
The New RADIUS Server dialog box appears.
Figure 60: New RADIUS server
- Configure the following settings:
Name | Enter a name to identify the RADIUS server. |
Server Name/IP | Enter the IP address or fully qualified domain name of the RADIUS server. |
Server Secret | Enter the RADIUS server secret. This shared secret is what hides the password in the Access-Request and authenticates the server's reply, so use a long random value, use a different secret for each client, and treat it as a credential. |
Secondary Server Name/IP | Enter the IP address or fully qualified domain name of the secondary RADIUS server. |
Secondary Server Secret | Enter the secondary RADIUS server secret. |
Port | Enter the port for RADIUS traffic. The default port is 1812. Some older RADIUS servers use port 1645. |
Auth-Type | Enter the authentication type the RADIUS server requires. Select from ANY, PAP, CHAP, or MSv2 (MSCHAPv2). The default setting of ANY has the FortiAnalyzer unit try all the authentication types. If the server is configured for one type, select that type explicitly rather than ANY. |
- Select OK to save the new RADIUS server configuration.
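The following is an added example, not code from the FortiAnalyzer guide or from Fortinet, showing the exchange behind an administrator login with Auth-Type PAP: the client builds an Access-Request with the password hidden under the Server Secret (RFC 2865 section 5.2), a stand-in server recovers and checks it, and the client verifies the Response Authenticator on the reply (RFC 2865 section 3). It uses only the Python standard library and runs offline. The shared secret, user name and password are constructed sample values, and the in-memory server is a teaching stand-in for a real RADIUS server, not anything FortiAnalyzer ships.

```python
"""RADIUS PAP Access-Request / Access-Accept with the shared secret (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each block with MD5(secret + previous
    ciphertext block), seeded with the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password: same keystream, so only the same secret works."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Client side: what the NAS (here the FortiAnalyzer unit) sends to UDP/1812."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) with length checks."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        kind, alen = packet[pos], packet[pos + 1]
        attrs[kind], pos = packet[pos + 2:pos + alen], pos + alen
    return code, ident, packet[4:20], attrs


def handle_access_request(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in server: recover the PAP password, check it against the constructed
    user table, and reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    stored = users.get(attrs.get(ATTR_USER_NAME, b""))
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = stored is not None and hmac.compare_digest(stored, given)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # no reply attributes


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: accept only replies produced by a holder of the shared secret."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, users = b"example-shared-secret", {b"admin1": b"S3cret!"}   # constructed
    req = build_access_request(1, b"admin1", b"S3cret!", secret)
    _, _, req_auth, _ = parse_packet(req)
    resp = handle_access_request(req, secret, users)
    print("accepted:", resp[0] == ACCESS_ACCEPT, "reply authentic:", verify_response(resp, req_auth, secret))
```

Two things to take from this: the password hiding is MD5 keyed only by the secret and the authenticator, so a short or shared secret makes offline recovery of a captured Access-Request practical, and the reply carries no authenticity at all beyond the same secret, which is why the guide's Server Secret field deserves a long random value per client. CHAP and MSCHAPv2 change what is sent (a challenge response instead of the hidden password) but still rely on the secret for the reply authenticator.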
TACACS+ server
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a user name and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.
For more information about TACACS+ servers, see the FortiGate documentation.
To add a TACACS+ server:
- Go to System Settings > Admin > Remote Auth Server.
- Select Create New in the toolbar and select TACACS+ in the drop-down list.
The New TACACS+ Server dialog box appears.
Figure 61: New TACACS+ server
- Configure the following information:
Name | Enter a name to identify the TACACS+ server. |
Server Name/IP | Enter the IP address or fully qualified domain name of the TACACS+ server. |
Port | Enter the port for TACACS+ traffic. The default port is 49. |
Server Key | Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length. The key is what obfuscates the packet bodies, including the password, between the FortiAnalyzer unit and the server, and it must match the key configured on the server. |
Auth-Type | Enter the authentication type the TACACS+ server requires. Select one of: auto, ASCII, PAP, CHAP, or MSCHAP. The default value is auto. |
- Select OK to save the new TACACS+ server entry.
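The following is an added example, not code from the FortiAnalyzer guide or from Fortinet, showing the TACACS+ authentication START packet a client sends for a PAP login and the body obfuscation from RFC 8907 section 4.5 that the Server Key drives. It runs offline with the standard library. The session ID, key, user name, password, port and remote address are constructed sample values; the 16-character limit on the key is the guide's limit for the Server Key field, not a protocol rule.

```python
"""TACACS+ authentication START with RFC 8907 body obfuscation (added example)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in clear text
AUTHEN_LOGIN = 0x01
AUTHEN_TYPE_ASCII, AUTHEN_TYPE_PAP, AUTHEN_TYPE_CHAP, AUTHEN_TYPE_MSCHAP = 1, 2, 3, 5
AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain: MD5(session_id + key + version + seq_no [+ previous digest]), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: bytes, password: bytes,
                       port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.10",
                       authen_type: int = AUTHEN_TYPE_PAP) -> bytes:
    """Client side: first packet of the session (seq_no 1). For PAP the password
    travels in the data field, protected only by the key-derived pad."""
    if len(key) > 16:   # the guide's Server Key limit, not a protocol limit
        raise ValueError("server key is limited to 16 characters")
    body = struct.pack("!8B", AUTHEN_LOGIN, 1, authen_type, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    seq_no = 1
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG   # no key means clear text on the wire
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + (obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: strip the pad with the locally configured key and decode the START body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or ptype != TAC_PLUS_AUTHEN or length < 8:
        raise ValueError("truncated or non-authentication packet")
    encrypted = not flags & TAC_PLUS_UNENCRYPTED_FLAG
    if encrypted:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, *lens = struct.unpack("!8B", body[:8])
    fields, pos = [], 8
    for n in lens:                     # user, port, rem_addr, data in that order
        fields.append(body[pos:pos + n])
        pos += n
    user, port, rem_addr, data = fields
    return {"encrypted": encrypted, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "user": user, "port": port,
            "rem_addr": rem_addr, "data": data}


if __name__ == "__main__":
    pkt = build_authen_start(0x12345678, b"tacacskey", b"admin1", b"S3cret!")  # constructed
    print("password visible on the wire:", b"S3cret!" in pkt)
    print("decoded with the right key:", parse_authen_start(pkt, b"tacacskey")["user"])
    print("decoded with the wrong key:", parse_authen_start(pkt, b"otherkey")["user"])
```

The pad depends only on the session ID, the key, the version and the sequence number, all of which except the key are visible in the packet header, so the Server Key is the entire secret of the transport; RFC 8907 itself recommends carrying TACACS+ over a protected network or tunnel. Decoding with the wrong key yields garbage rather than an error, which is the symptom to expect when the key on the FortiAnalyzer unit and on the server do not match.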