System Settings FortiManager 5.2

Administrative Domain Choose the ADOMs this administrator will be able to access, or select All ADOMs. Select Specify and then select the add icon to add Administrative Domains. Select the remove icon to remove an administrative domain from this list.
This field is available only if ADOMs are enabled. When the Admin Profile is a restricted administrator profile, you can only select one administrative domain. Best practice: Restrict administrator access only to the specific ADOMs that they are responsible for.
Policy Package Access Choose the policy packages this administrator will have access to, or select All Package. Select Specify and then select the Add icon to add policy packages.
Select the remove icon to remove a policy package from this list. This field is not available when the Admin Profile is a restricted administrator profile.
Best practice: Restrict administrator access only to the specific policy packages that they are responsible for.
Trusted Host Optionally, type the trusted host IPv4 or IPv6 address and netmask from which the administrator can log in to the FortiManager unit. Select the Add icon to add trusted hosts. You can specify up to ten trusted hosts.
Select the delete icon to remove a trusted host from this list. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.
Best practice: Restrict administrator access by trusted hosts to help prevent unwanted access.
User Information (optional)
Contact Email Type a contact email address for the new administrator. This email address is also used for workflow session approval email notifications.
Contact Phone Type a contact phone number for the new administrator.
3. Select OK to create the new LDAP administrator account.
TACACS+ authentication for administrators
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices via one or more centralized servers.
If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiManager unit contacts the TACACS+ server for authentication. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiManager unit.
If you want to use a TACACS+ server to authenticate administrators, you must configure the authentication before you create the administrator accounts. To do this you need to:
- configure the FortiManager unit to access the TACACS+ server
- create a TACACS+ user group
- configure an administrator to authenticate with a TACACS+ server.
For information on configuring a TACACS+ server for remote administrator authentication, see Remote authentication server.
To create a new TACACS+ administrator account:
1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator dialog box opens.
2. Configure the following settings:
User Name Type the name that this administrator uses to log in.
Description Optionally, type a description of this administrator’s role, location or reason for their account. This field adds an easy reference for the administrator account.
Character limit: 127
Type Select TACACS+ from the drop-down menu.
TACACS+ Server Select the TACACS+ server from the drop-down menu.
Wildcard Select to enable wildcard.
New Password Type the password. This field is hidden when Wildcard is enabled.
Confirm Password Type the password again to confirm it. The passwords must match. This field is hidden when Wildcard is enabled.
Admin Profile Select a profile from the drop-down menu. The profile selected determines the administrator’s permission to the FortiManager unit’s features. To create a new profile, see Configuring administrator profiles.
Administrative Domain Choose the ADOMs this administrator will be able to access, or select All ADOMs. Select Specify and then select the add icon to add Administrative Domains. Select the remove icon to remove an administrative domain from this list.
This field is available only if ADOMs are enabled. When the Admin Profile is a restricted administrator profile, you can only select one administrative domain. Best practice: Restrict administrator access only to the specific ADOMs that they are responsible for.
Policy Package Access Choose the policy packages this administrator will have access to, or select All Package. Select Specify and then select the Add icon to add policy packages.
Select the remove icon to remove a policy package from this list.
This field is not available when the Admin Profile is a restricted administrator profile.
Best practice: Restrict administrator access only to the specific policy packages that they are responsible for.
Trusted Host Optionally, type the trusted host IPv4 or IPv6 address and netmask from which the administrator can log in to the FortiManager unit. Select the Add icon to add trusted hosts. You can specify up to ten trusted hosts. Select the delete icon to remove a trusted host from this list.
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.
Best practice: Restrict administrator access by trusted hosts to help prevent unwanted access.
User Information (optional)
Contact Email Type a contact email address for the new administrator.
This email address is also used for workflow session approval email notifications.
Contact Phone Type a contact phone number for the new administrator.
3. Select OK to create the new TACACS+ administrator account.
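The following is an added illustration (not FortiManager code or its CLI) of how the two access controls described above combine for a TACACS+ administrator: the login source must fall inside one of the account's trusted hosts (up to ten IPv4 or IPv6 address/netmask entries, or no restriction when the optional field is empty), and the connection is refused whenever the TACACS+ server does not authenticate the user, including when it cannot be reached. The AdminAccount class, decide_login function and sample addresses are hypothetical and constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_TRUSTED_HOSTS = 10  # the page states up to ten trusted hosts per administrator


@dataclass
class AdminAccount:
    """Hypothetical model of the administrator fields discussed above."""
    user_name: str
    auth_type: str                                      # "TACACS+" or "LOCAL"
    trusted_hosts: list = field(default_factory=list)   # "address/netmask" strings

    def __post_init__(self):
        if len(self.trusted_hosts) > MAX_TRUSTED_HOSTS:
            raise ValueError("at most %d trusted hosts are allowed" % MAX_TRUSTED_HOSTS)
        # strict=False accepts a host address with a netmask (e.g. 10.0.0.5/24);
        # ip_network also accepts dotted masks such as 10.0.0.0/255.255.255.0.
        self.networks = [ipaddress.ip_network(h, strict=False) for h in self.trusted_hosts]


def source_is_trusted(admin, source_ip):
    """An empty trusted-host list means the optional field was left blank: no restriction."""
    if not admin.networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    # 'in' is False across IP versions, so an IPv4 source never matches an IPv6 entry.
    return any(addr in net for net in admin.networks)


def decide_login(admin, source_ip, tacacs_verdict=None):
    """Return (allowed, reason).

    tacacs_verdict is True or False as returned by the TACACS+ server, or None when
    the server could not be contacted; anything other than True is refused.
    """
    if not source_is_trusted(admin, source_ip):
        return False, "source %s is not a trusted host for %s" % (source_ip, admin.user_name)
    if admin.auth_type == "TACACS+":
        if tacacs_verdict is True:
            return True, "authenticated by TACACS+ server"
        return False, "TACACS+ server did not authenticate the administrator"
    return False, "only TACACS+ accounts are modelled in this example"


# Constructed sample: one admin restricted to a management subnet and an IPv6 range.
SAMPLE_ADMIN = AdminAccount("ops-admin", "TACACS+", ["10.0.0.0/24", "2001:db8::/32"])
```

A call such as `decide_login(SAMPLE_ADMIN, "192.0.2.9", True)` is refused on the trusted-host check before the TACACS+ verdict is even considered, which is the layering the best-practice notes above recommend.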
PKI certificate authentication for administrators

