Maerre
New Contributor
September 27, 2024
Question

Configure FortiToken on users inside a RADIUS server group (without FortiAuthenticator)

  • 2 replies
  • 4411 views

Hello,


I purchased a FortiToken Cloud license and I've been asked to configure MFA for all the users belonging to a RADIUS server group and connecting via remote access with FortiClient.

I haven't found any documentation about how to implement this configuration without using FortiAuthenticator. Is it possible?

When configuring a local user I have the option to select the FortiToken Cloud license, but when configuring the RADIUS server group I'm not prompted for this option, and I haven't seen any command for it via the CLI either.

Do you have any idea?


Thank you

Bye

2 replies

funkylicious
SuperUser
September 27, 2024

Hi,
As far as I know and have read so far, you can do that for the users in a specific LDAP (not RADIUS) group, like here: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/80565/synchronizing-ldap-active-directory-users-to-fortitoken-cloud-using-the-group-filter-7-0-6


For RADIUS, you can try and import the users on the FGT as described here:

https://docs.fortinet.com/document/fortitoken-cloud/latest/admin-guide/163308/configure-local-radius-users-for-ftc-service

"jack of all trades, master of none"
Maerre (Author)
New Contributor
September 30, 2024

Hello,

Yeah, I saw it is possible with LDAP but not with RADIUS.

Regarding your link, I'm looking for a method to avoid creating or importing local users; I'd like to use the RADIUS group already configured and link the FortiToken Cloud to it... but it seems not possible.

Maerre (Author)
New Contributor
October 4, 2024

Does anybody know if implementing FortiAuthenticator could solve this problem?

Debbie_FTNT
Staff & Editor
October 4, 2024

Hey Maerre,

You can sort of achieve something similar with FortiAuthenticator.

While funkylicious is correct that you cannot IMPORT users from a remote RADIUS into FortiAuthenticator, you can in fact create them (or import them from a file). You would have to manually recreate group structures etc. in FortiAuthenticator, or rely on the remote RADIUS to provide the appropriate RADIUS attributes in its response.

FortiAuthenticator should pass on the attributes it gets in the Access-Accept back to FortiGate or whatever other RADIUS client is trying to authenticate the user.


You can then enable FortiTokenCloud on the remote user, same as if the user was imported from LDAP.
The RADIUS policy will need to be configured with the remote RADIUS server as realm.


EDIT:
I did not see your previous comment about not wanting to create users manually, but import them automatically, apologies.

There is no provision in the RADIUS protocol for more than straight-out user authentication (no queries or structures like with LDAP), so user import via RADIUS isn't really a thing.

If your remote RADIUS server is capable of SCIM, you could use that to sync over the users as well. Starting in FortiAuthenticator 6.6.1, you can create a remote user sync rule of type SCIM, which allows FortiAuthenticator to receive user information via SCIM and create users based on it. The remote user sync rule would have to be linked to a remote RADIUS server object.


Any user received via this SCIM config would lead to a Remote RADIUS user created in FortiAuthenticator, with FortiTokenCloud enabled, and linked to the remote server as defined in the sync rule (if the user tries to authenticate, credentials should be checked against that particular remote RADIUS server).
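The SCIM exchange behind such a sync rule, as an added example that is not part of this thread or of Fortinet's code: the identity source acts as the SCIM client and pushes an RFC 7643 core User to the SCIM service provider, which here is a small stand-in for FortiAuthenticator. The endpoint URL, the bearer token and the fields of the local record (remote RADIUS backend, FortiToken Cloud flag) are assumptions modelled on the description above, not FortiAuthenticator's documented API.

```python
import json
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Placeholders (assumptions): the real FortiAuthenticator SCIM path and
# token are not given in the thread.
SCIM_USERS_URL = "https://fac.example.invalid/scim/v2/Users"
SYNC_RULE_TOKEN = "REPLACE-WITH-SYNC-RULE-BEARER-TOKEN"


def build_user_create_request(user_name, email, display_name, active=True):
    """SCIM client side: the POST /Users the identity source pushes per user."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "displayName": display_name,
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }
    headers = {"Authorization": f"Bearer {SYNC_RULE_TOKEN}",
               "Content-Type": "application/scim+json"}
    return {"method": "POST", "url": SCIM_USERS_URL,
            "headers": headers, "body": json.dumps(body)}


def provision_user(request, store, remote_radius="remote-radius-1"):
    """Service-provider side (stand-in for FortiAuthenticator): check the
    token, validate the pushed User and create the local 'Remote RADIUS
    user' record. Returns (HTTP status, SCIM response body)."""
    if request["headers"].get("Authorization") != f"Bearer {SYNC_RULE_TOKEN}":
        return 401, {"schemas": [ERROR_SCHEMA], "status": "401"}
    body = json.loads(request["body"])
    if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
        return 400, {"schemas": [ERROR_SCHEMA], "status": "400",
                     "scimType": "invalidValue"}
    if body["userName"] in store:  # userName must be unique (RFC 7643)
        return 409, {"schemas": [ERROR_SCHEMA], "status": "409",
                     "scimType": "uniqueness"}
    user_id = str(uuid.uuid4())
    resource = dict(body, id=user_id, meta={
        "resourceType": "User",
        "created": datetime.now(timezone.utc).isoformat(),
        "location": f"{SCIM_USERS_URL}/{user_id}"})
    # Local record modelled on the thread (assumption): credentials are checked
    # against the linked remote RADIUS server, FortiToken Cloud is enabled.
    store[body["userName"]] = {"scim": resource, "auth_backend": remote_radius,
                               "ftc_enabled": body.get("active", True)}
    return 201, resource
```

The 201 response carries the created resource with its `id` and `meta.location`, which is what the SCIM client stores to address later updates or deactivation of that user.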

Maerre (Author)
New Contributor
October 4, 2024

Hi @Debbie_FTNT,


What a helpful answer!

Yes, I'd like to do it automatically, so that once the user is created on my server it is replicated automatically on the FAC and assigned a FortiToken Cloud license.

As I understand it, this is easily achievable with LDAP + FAC.

I don't know at the moment if the RADIUS server is capable of SCIM; if it is, I'll follow your advice.

In this case, after configuring the remote user sync rule of type SCIM, where does the remote RADIUS server object that is linked to the SCIM rule need to be configured? Under the RADIUS Service tab?
I'll have a call to discuss it with my client in the next few days; I'll keep you posted.

Meanwhile thank you for your help!