System Settings FortiManager 5.2

RADIUS authentication for administrators
Remote Authentication Dial-In User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiManager units use the authentication and authorization functions of the RADIUS server. To use the RADIUS server for authentication, you must configure the server before configuring the FortiManager users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiManager unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiManager unit. If the RADIUS server cannot authenticate the user, the FortiManager unit refuses the connection.
If you want to use a RADIUS server to authenticate administrators, you must configure the authentication before you create the administrator accounts. To do this you need to:
- configure the FortiManager unit to access the RADIUS server
- create the RADIUS user group
- configure an administrator to authenticate with a RADIUS server.
For information on configuring a RADIUS server for remote administrator authentication, see Remote authentication server.
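The exchange described above (the FortiManager unit, acting as RADIUS client, sends the administrator's credentials to the RADIUS server and gets an Accept or Reject back) is shown below as an added, self-contained example. It is not code from the FortiManager documentation or from Fortinet; it implements the RFC 2865 Access-Request / Access-Accept flow in-process, with no network, so the packet formats and the checks on both sides are visible. The user table, the shared secret and the NAS address 192.0.2.10 are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type(1) length(1, header included) value."""
    return bytes([atype, len(value) + 2]) + value


def _parse_attrs(data: bytes) -> dict:
    """Decode a run of attributes into {type: value}, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, nas_ip: str = "192.0.2.10") -> bytes:
    """Client side (the role the FortiManager unit plays): Access-Request with a
    hidden User-Password. nas_ip is a constructed documentation address."""
    authenticator = secrets.token_bytes(16)  # fresh Request Authenticator per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def radius_server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject.
    user_db is a constructed {username: password} table standing in for the real store."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: accept the login only if the reply is bound to our request by the
    shared secret, carries our identifier, and is an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    return code == ACCESS_ACCEPT


def authenticate(username: str, password: str, secret: bytes, user_db: dict) -> bool:
    """Run one full exchange in-process (no network): request, server answer, verification."""
    request = build_access_request(secrets.randbelow(256), username, password, secret)
    response = radius_server_handle(request, secret, user_db)
    return client_verify_response(request, response, secret)
```

Two points the code makes concrete: the User-Password attribute is hidden only by MD5 keyed with the shared secret, so the strength of that secret and the trustworthiness of the path between the FortiManager unit and the RADIUS server decide how much the exchange protects; and a reply is only believed when its Response Authenticator verifies against the original Request Authenticator, which is why a server configured with a different secret cannot answer on behalf of the right one.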
To create a new RADIUS administrator account:
1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator dialog box opens.
2. Configure the following settings:
User Name: Type the name that this administrator uses to log in.
Description: Optionally, type a description of this administrator’s role, location, or reason for their account. This field adds an easy reference for the administrator account. Character limit: 127.
Type: Select RADIUS from the drop-down menu.
RADIUS Server: Select the RADIUS server from the drop-down menu.
Wildcard: Select to enable wildcard.
New Password: Type the password. This field is hidden when Wildcard is enabled.
Confirm Password: Type the password again to confirm it. The passwords must match. This field is hidden when Wildcard is enabled.
Admin Profile: Select a profile from the drop-down menu. The profile selected determines the administrator’s permissions to the FortiManager unit’s features. To create a new profile, see Configuring administrator profiles.
Administrative Domain: Choose the ADOMs this administrator will be able to access, or select All ADOMs. Select Specify and then select the add icon to add administrative domains. Select the remove icon to remove an administrative domain from this list. This field is available only if ADOMs are enabled. When the Admin Profile is a restricted administrator profile, you can only select one administrative domain.
Best practice: Restrict administrator access only to the specific ADOMs that they are responsible for.
Policy Package Access: Choose the policy packages this administrator will have access to, or select All Package. Select Specify and then select the Add icon to add policy packages. Select the remove icon to remove a policy package from this list. This field is not available when the Admin Profile is a restricted administrator profile.
Best practice: Restrict administrator access only to the specific policy packages that they are responsible for.
Trusted Host: Optionally, type the trusted host IPv4 or IPv6 address and netmask from which the administrator can log in to the FortiManager unit. Select the Add icon to add trusted hosts. You can specify up to ten trusted hosts. Select the delete icon to remove a trusted host from this list.
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.
Best practice: Restrict administrator access by trusted hosts to help prevent unwanted access.
User Information (optional)
Contact Email: Type a contact email address for the new administrator. This email address is also used for workflow session approval email notifications.
Contact Phone: Type a contact phone number for the new administrator.
3. Select OK to create the new RADIUS administrator account.
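The Trusted Host field in the procedure above restricts where an administrator may log in from. The following added example, which is not part of the FortiManager documentation or Fortinet's code, shows the allowlist semantics such a field implies: each entry is an IPv4 or IPv6 address plus netmask or prefix, at most ten entries are accepted, and a login source is allowed only if it falls inside one of them. It also includes a small audit that flags catch-all or very wide entries, since those undo the best practice stated on the page. The accepted input formats, the "empty list means unrestricted" rule and the width threshold in the audit are assumptions of this example, not settings documented for FortiManager; the addresses are constructed documentation ranges.

```python
import ipaddress

MAX_TRUSTED_HOSTS = 10  # the page's limit of ten trusted hosts per administrator
CATCH_ALL = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def parse_trusted_host(entry: str):
    """Accept 'addr/prefix' or 'addr netmask' (assumed input formats) as an IPv4/IPv6 network."""
    parts = entry.split()
    if len(parts) == 2:            # "192.0.2.0 255.255.255.0"
        entry = f"{parts[0]}/{parts[1]}"
    elif len(parts) != 1:
        raise ValueError(f"unparseable trusted host entry: {entry!r}")
    return ipaddress.ip_network(entry, strict=False)


def parse_trusted_hosts(entries):
    """Parse the whole list, enforcing the ten-entry limit."""
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"at most {MAX_TRUSTED_HOSTS} trusted hosts allowed")
    return [parse_trusted_host(e) for e in entries]


def login_allowed(source: str, entries) -> bool:
    """True when the connecting address falls inside any configured trusted host.
    Assumption: an empty list means no restriction, i.e. any host may attempt to log in."""
    networks = parse_trusted_hosts(entries)
    if not networks:
        return True
    src = ipaddress.ip_address(source)
    # an IPv4 source never matches an IPv6 network and vice versa
    return any(src in net for net in networks)


def audit_trusted_hosts(entries):
    """Return (entry, reason) pairs for entries that undo the restriction: catch-all
    networks or very wide prefixes. The width threshold is a constructed policy value."""
    findings = []
    for raw, net in zip(entries, parse_trusted_hosts(entries)):
        if net in CATCH_ALL:
            findings.append((raw, "catch-all entry allows every source address"))
        elif (net.version == 4 and net.prefixlen < 16) or (net.version == 6 and net.prefixlen < 48):
            findings.append((raw, f"broad prefix /{net.prefixlen}"))
    return findings


if __name__ == "__main__":
    # constructed sample configuration: a management subnet, one jump host, one IPv6 site
    entries = ["192.0.2.0/24", "198.51.100.7 255.255.255.255", "2001:db8:1::/48"]
    for src in ("192.0.2.44", "198.51.100.8", "2001:db8:1::5"):
        print(src, "allowed" if login_allowed(src, entries) else "refused")
    print(audit_trusted_hosts(entries + ["0.0.0.0/0"]))
```

Run the audit against each administrator's trusted host list when reviewing accounts; an entry of 0.0.0.0/0 or ::/0 means the field is present but provides no restriction at all.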
Configuring LDAP authentication for administrators
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, printers, etc.
If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiManager unit contacts the LDAP server for authentication. If the LDAP server cannot authenticate the administrator, the FortiManager unit refuses the connection.
If you want to use an LDAP server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
- configure an LDAP server
- create an LDAP user group
- configure an administrator to authenticate with an LDAP server.
For information on configuring an LDAP server for remote administrator authentication, see Remote authentication server.
To create a new LDAP administrator account:
1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator dialog box opens.
2. Configure the following settings:
User Name: Type the name that this administrator uses to log in.
Description: Optionally, type a description of this administrator’s role, location, or reason for their account. This field adds an easy reference for the administrator account. Character limit: 127.
Type: Select LDAP from the drop-down menu.
LDAP Server: Select the LDAP server from the drop-down menu.
Wildcard: Select to enable wildcard.
New Password: Type the password. This field is hidden when Wildcard is enabled.
Confirm Password: Type the password again to confirm it. The passwords must match. This field is hidden when Wildcard is enabled.
Admin Profile: Select a profile from the drop-down menu. The profile selected determines the administrator’s permissions to the FortiManager unit’s features. To create a new profile, see Configuring administrator profiles.