Chapter 2 – Getting Started

Add the LDAP server to a user group

Next, create a user group that will include the LDAP server that was created above.

 

 

To create a user group – GUI

1. Go to User & Device > User Groups and select Create New.

2. Enter a Name for the group.

3. In the section labeled Remote authentication servers, select Add.

4. Select the Remote Server from the drop-down list.

5. Select OK.

 

 

To create a user group – CLI

config user group edit <group_name>

config match edit 1

set server-name <LDAP_server>

set group-name <group_name>

end end

 

Configure the administrator account

Now you can create a new administrator, where rather than entering a password, you will use the new user group and the wild card option for authentication.

 

To create an administrator – GUI

1. Go to System > Administrators and select Create New.

2. In the Administrator field, enter the name for the administrator.

3. For Type, select Match a user on a remote server group.

4. Select the User Group created above from the drop-down list.

5. Select Wildcard.

6. The Wildcard option allows for LDAP users to connect as this administrator.

7. Select an Admin Profile.

8. Select OK.

 

To create an administrator – CLI

config system admin

edit <admin_name>

set remote-auth enable

set accprofile super_admin set wild card enable

set remote-group ldap end

 

Other methods of authentication

Admin accounts can use a variety of methods for authentication, including RADIUS, TACACS+, and PKI.

 

RADIUS authentication for administrators

If you want to use a RADIUS server to authenticate administrators, you must:

  • configure the FortiGate to access the RADIUS server
  • create the RADIUS user group
  • configure an administrator to authenticate with a RADIUS server.

 

TACACS+ authentication for administrators

If you want to use a TACACS+ server to authenticate administrators, you must:

  • configure the FortiGate to access the TACACS+ server
  • create a TACACS+ user group
  • configure an administrator to authenticate with a TACACS+ server.

PKI certificate authentication for administrators

To use PKI authentication for an administrator, you must:

  • configure a PKI user
  • create a PKI user group
  • configure an administrator to authenticate with a PKI certificate.

 

Monitoring administrators

You can view the administrators logged in using the System Information widget on the Dashboard. On the widget is the Current Administrator row that shows the administrator logged in and the total logged in. Selecting Details displays the administrators), where they are logging in from and how (CLI, GUI) and when they logged in.

You are also able to monitor the activities the administrators perform on the FortiGate using the logging of events. Event logs include a number of options to track configuration changes.

To set logging – GUI

1. Go to Log & Report > Log Settings.

2. Under Event Logging, ensure System activity event is selected.

3. Select Apply.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.