Once a user account is flagged as an administrator, its administrator privileges can be set to full access or customized by selecting administrator rights for different parts of FortiAuthenticator.
The subnets from which administrators are able to log in can be restricted by entering the IP addresses and netmasks of trusted management subnets.
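One way to review a trusted-subnet list before entering it, as an added example that is not part of the FortiAuthenticator documentation or product. It assumes the entries are kept as `address/netmask` strings; the sample values, the function names and the `min_prefix` review threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample entries in address/netmask form (not taken from any real system).
SAMPLE_TRUSTED = [
    "10.20.0.0/255.255.255.0",
    "192.168.50.17/255.255.255.240",   # host bits set
    "0.0.0.0/0.0.0.0",                 # matches everything
]

def parse_trusted(entries, min_prefix=16):
    """Parse entries into networks and collect review findings.

    min_prefix is an assumed review threshold: IPv4 subnets broader than
    this are reported so a reviewer can confirm they are intended.
    """
    networks, findings = [], []
    for entry in entries:
        try:
            iface = ipaddress.ip_interface(entry.strip())
        except ValueError as exc:
            findings.append((entry, f"unparseable: {exc}"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            findings.append((entry, f"host bits set, effective subnet is {net}"))
        if net.prefixlen == 0:
            findings.append((entry, "matches every address, no restriction"))
        elif net.version == 4 and net.prefixlen < min_prefix:
            findings.append((entry, f"broader than /{min_prefix}"))
        networks.append(net)
    return networks, findings

def login_allowed(source_ip, networks):
    """True if source_ip falls inside at least one trusted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks if net.version == addr.version)

if __name__ == "__main__":
    nets, findings = parse_trusted(SAMPLE_TRUSTED)
    for entry, problem in findings:
        print(f"REVIEW {entry}: {problem}")
    for ip in ("10.20.0.45", "192.168.50.32", "203.0.113.9"):
        print(ip, "allowed" if login_allowed(ip, nets) else "denied")
```

A single catch-all entry makes every source address pass the check, which is why the review findings are worth reading before the list is saved.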
There are log events for administrator configuration activities. Administrators can also be configured to authenticate to the local system using two-factor authentication.
An account marked as an administrator can be used for RADIUS authentication if Allow RADIUS Authentication is selected. See RADIUS service. These administrator accounts only support Password Authentication Protocol (PAP).
Administrator accounts can be synced from the primary standalone device to the load-balancer in an HA load-balancing configuration when Sync in HA Load Balancing mode is enabled.
See Configuring a user as an administrator for more information.
Whenever an admin attempts to add, edit, or delete an admin account in FortiAuthenticator, a dialog is displayed requesting the password of the currently logged-in administrator before the settings can be saved.
Groups for administrators
Local and remote user accounts with administrator or sponsor roles can be entered into groups. This provides the following benefits:
- Group filtering of administrators.
- A single account for individuals needing both administrator and user roles.
- Inclusion of RADIUS attributes from groups in RADIUS Access-Accept responses.