About the “remote_wildcard” account
In FortiMail releases older than v5.1, remote RADIUS or LDAP accounts used for account authentication had to be added to FortiMail one by one. Starting with FortiMail v5.1, you can use the wildcard to add RADIUS accounts all at once. Starting with v5.2, you can also use the wildcard for LDAP accounts.
To do this, enable the preconfigured “remote_wildcard” account and specify which RADIUS or LDAP profile to use. Every account on that RADIUS or LDAP server will then be able to log on to FortiMail.
To add all accounts on a RADIUS or LDAP server to FortiMail
1. Go to System > Administrator > Administrator.
2. Double-click the built-in “remote_wildcard” account.
3. Configure the following and click OK.
GUI item
Description
Enable
Select to enable the wildcard account.
Administrator
The default name is remote_wildcard and it is not editable.
Domain
Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.
For more information on protected domain assignments, see “About administrator account permissions and domains”.
Note: If Domain is a protected domain, the administrator cannot use the CLI or the basic mode of the web UI.
Note: If you enable domain override in the RADIUS profile, this setting will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. For details, see “Configuring authentication profiles”.
Access profile
Select the name of an access profile that determines which functional areas the administrator account may view or affect.
Click New to create a new profile or Edit to modify the selected profile. For details, see “Configuring access profiles”.
Note: If you enable remote access override in the RADIUS profile, this access profile will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. For details, see “Configuring authentication profiles”.
Authentication type
Select RADIUS or LDAP, and then select the RADIUS or LDAP profile.
Trusted hosts
Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.
If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.
Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.
Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.
Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces”.
Language
Select this administrator account’s preference for the display language of the web UI.
Theme
Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.
The administrator may switch the theme at any time during a session by clicking Next Theme.
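The Trusted hosts setting above carries extra weight for remote_wildcard, because every account on the RADIUS or LDAP server can log in through it. The following is an added example, not part of the FortiMail documentation, that audits a list of trusted-host entries against the guidance in the table. It assumes the entries have already been collected as strings and treats RFC 1918 and IPv6 unique local ranges as the "trusted private network".

```python
import ipaddress

# Assumption: "trusted private network" means RFC 1918 (IPv4) or unique local
# (IPv6) space. Replace with your own administrative ranges.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
MAX_TRUSTED_HOSTS = 10  # limit stated in the Trusted hosts description


def audit_trusted_hosts(entries):
    """Return (entry, finding) tuples for one account's trusted-host list."""
    findings = []
    if len(entries) > MAX_TRUSTED_HOSTS:
        findings.append(("*", "more than 10 trusted hosts"))
    for entry in entries:
        try:
            # ip_network accepts address/netmask in dotted decimal
            # (192.168.1.0/255.255.255.0) as well as prefix-length notation.
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            findings.append((entry, "unparseable"))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0.0.0.0 (or ::/0): login allowed from any address.
            findings.append((entry, "any source address"))
        elif not any(net.version == p.version and net.subnet_of(p)
                     for p in PRIVATE_RANGES):
            findings.append((entry, "outside private ranges"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real FortiMail unit.
    sample = [
        "192.168.1.0/255.255.255.0",
        "0.0.0.0/0.0.0.0",
        "203.0.113.0/255.255.255.0",
        "bogus",
    ]
    for entry, finding in audit_trusted_hosts(sample):
        print(f"{entry}: {finding}")
```

An empty result means every entry parsed, sits inside the assumed private ranges, and the list is within the 10-entry limit.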