Micky182
New Contributor

Help admin without super_admin permission

Hi, 

I have a very huge problem with admin rights. I have a new customer with a FortiGate firewall and I've reset the FortiGate admin password (because they didn't have it), but I still don't have the full super_admin permission.

In fact the account can't see the Administrators profile, and I figured out that the admin account is a prof_admin.

Is it possible to change an admin account from prof_admin to super_admin?

In the past I've done it with a backup config, but then I had the backup file. Now I have no config backup files and no way to back up or restore the FortiGate config with the prof_admin account. I'm also wondering if there is another hidden account as super_admin?

I'm very stuck in this bad situation and I can't do a factory reset.

1 Solution
Toshi_Esumi
Esteemed Contributor III

You need to be a "super_admin" to make a user a super_admin. If you don't have, or don't know the password for, any other super_admin user on the box, you need to go through the password recovery process you can find somewhere in this forum or on the internet. The "maintainer" user for the process must be a super_user, so you can change anything you want to change.


Micky182

Hi,

I've tried, but from the maintainer account I can't change the accprofile from prof_admin to super_admin because I get the error -61. Do you think it is possible to change the profile of other users from maintainer?

Thank you very much,

Michele.

Dave_Hall
Honored Contributor

Try creating a temp admin account with super_admin rights. Then try logging into the FGT normally with this temp admin account.

e.g.

config system admin
    edit "temp_admin"
        set accprofile "super_admin"
        set password <password>
    next
end

Alternately, see if you can perform a backup of the config to a USB stick (sans password) and see if you can read it later (in a text editor). You should be able to edit/change/add the accprofile line of your admin account, save it as a new config and try uploading that via USB or via the GUI (following a factory reset). A word of caution about this approach: you need to be absolutely sure you have a couple of good backups of the config running on the FGT.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
ede_pfau
Esteemed Contributor III

As stated before, only a super_admin can create a super_admin account. So, no dice.

What I'd try is to log in as 'maintainer', export the config, change the account setting, and restore. It might work, but I haven't tried it before. Logging in as 'maintainer' is a tedious job, also.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
samuelheinrich
New Contributor

I know this is a very old thread, but I ran into the same issue: for some reason one of our FortiGates had the "admin" access profile set to "prof_admin" and there was no other "super_admin" configured.

Since the FortiGate was placed at a remote location, a password reset was no option.

Luckily I found a much better solution to reset the access profile for the admin without the need of a password reset or reload!

All you need is a RADIUS server which is able to return the VSA "Fortinet-Access-Profile".

You can find a full list here: Fortinet VSA List

What you need to do then is:

- configure RADIUS for authentication
- create or re-use an existing admin user for remote auth
- configure accprofile-override enable
- auth against the RADIUS server
- return Fortinet-Access-Profile=super_admin

You should now have super_admin privs, which allow you to assign "super_admin" to any admin account.

Example config for remote auth:

config system admin
    edit "RADIUS_ADMIN"
        set remote-auth enable
        set accprofile "dummy"
        set vdom "root"
        set wildcard enable
        set remote-group "xxxx"
        set accprofile-override enable
    next
end
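As an added example (not code from this thread, from Fortinet, or from any poster), here is a small Python audit script for a plaintext FortiGate config backup of the kind Dave_Hall's backup-edit suggestion and samuelheinrich's RADIUS override post both revolve around. It parses the `config system admin` block, reports whether any local super_admin account exists (the lockout this thread is about) and which accounts have `accprofile-override` enabled (meaning a RADIUS reply, not the local config, decides their privilege level, which is worth knowing when you review who can administer the box), and rewrites one admin's `accprofile` line the way the backup-edit approach does. The sample config, the admin names and every value in it are constructed for the example; the script only understands the plaintext `config` / `edit` / `set` / `next` / `end` layout, not an encrypted backup.

```python
import re
from typing import Dict, List

# Constructed sample backup fragment in the shape the thread shows.
# Names and values are made up for this example; "ENC placeholder" stands
# in for the hashed password a real backup would carry.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
end
config system admin
    edit "admin"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC placeholder
    next
    edit "RADIUS_ADMIN"
        set remote-auth enable
        set accprofile "dummy"
        set vdom "root"
        set wildcard enable
        set remote-group "xxxx"
        set accprofile-override enable
    next
end
"""

EDIT_RE = re.compile(r'edit "(.+)"$')
SET_RE = re.compile(r'set (\S+) (.*)$')


def parse_system_admin(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {admin_name: {setting: value}} for every entry of 'config system admin'."""
    admins: Dict[str, Dict[str, str]] = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":            # end of the admin section; ignore later sections
            break
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            admins[current][m.group(1)] = m.group(2).strip('"')
    return admins


def audit_admins(admins: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the two conditions discussed in the thread."""
    findings = []
    if not any(s.get("accprofile") == "super_admin" for s in admins.values()):
        findings.append("no local super_admin account: nobody can change admin profiles locally")
    for name, s in admins.items():
        if s.get("accprofile-override") == "enable":
            findings.append(f"{name}: accprofile-override enabled, the RADIUS server decides its profile")
    return findings


def set_accprofile(config_text: str, admin_name: str, profile: str) -> str:
    """Rewrite the 'set accprofile' line of one admin entry, keeping everything else verbatim."""
    out = []
    in_section = False
    current = None
    changed = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section:
            m = EDIT_RE.match(line)
            if m:
                current = m.group(1)
            elif line == "next":
                current = None
            # "set accprofile " (with the space) does not match "set accprofile-override"
            elif current == admin_name and line.startswith("set accprofile "):
                indent = raw[: len(raw) - len(raw.lstrip())]
                raw = f'{indent}set accprofile "{profile}"'
                changed = True
        out.append(raw)
    if not changed:
        raise ValueError(f"no accprofile line found for admin {admin_name!r}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_admins(parse_system_admin(SAMPLE_CONFIG)):
        print("finding:", finding)
    print(set_accprofile(SAMPLE_CONFIG, "admin", "super_admin"))
```

Run against the constructed sample it reports both findings; after `set_accprofile(..., "admin", "super_admin")` the "no local super_admin" finding disappears while the override finding for `RADIUS_ADMIN` remains, which is the point: a RADIUS override account is a standing privilege path and should be reviewed, or removed once the local account is repaired.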