AsHub
New Member
September 10, 2024
Question

FortiAuthenticator Create multiple realm "host" to authenticate computer using EAP-TLS

  • September 10, 2024
  • 3 replies
  • 2463 views

Hello,

We are using FortiAuthenticator to configure 802.1X EAP-TLS with computer authentication. We have to create two realms named "host" because we have two domains, but FortiAuthenticator does not allow creating two realms with the same name.

Is there any workaround?

 

3 replies

adambomb1219
SuperUser
September 10, 2024

Use a different name.  Why do you have multiple domains?  Is there not a trust relationship?  FortiAuthenticator is not designed for multi-tenancy.

AsHub (Author)
New Member
September 10, 2024

I have to name the realm "host" for the computer authentication to work; it's our customer's environment.

Debbie_FTNT
Staff & Editor
September 10, 2024

Hey AsHub,

the configuration guide that I assume you're using (https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/773402/computer-authentication) does indeed suggest the realm name 'host' as an example, but this is not a requirement. The realm name is only important if you have multiple realms in the same RADIUS policy on FortiAuthenticator and need to distinguish between them, AND you want the realm name stripped from the username.

 

As an example:

- two realms, 'ad' and 'ad2', in the same RADIUS policy
- user format set to 'user@realm' in the RADIUS policy
- if a user logs in as 'user@ad', authentication will go to realm 'ad', and only 'user' will be authenticated
- if a user logs in as 'user@ad2', authentication will go to realm 'ad2', and only 'user' will be authenticated
- if a user logs in in any other way ('user', 'user@ad3', 'ad\user', 'ad2/user'), then the entire string will be treated as the username and sent to the default realm in that RADIUS policy.

 

Based on the cookbook article I referenced above, the realm-name is irrelevant: The example policy is configured with username format 'user@realm', but no machine account will have a name like 'computer$@host' or similar, and realm could be called 'xyz' or some other nonsense just as much.

 

If my assumption (as to the cookbook article and WHY the realm(s) should be named 'host') is incorrect, can you please clarify WHY the realms have to be called 'host'? FortiAuthenticator does not allow realms with the same name due to the realm-matching I described above; it would break if you could put two realms with the same name in the same RADIUS policy, so duplicate names are not allowed.

 

Cheers,

Debbie
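The realm-matching rules Debbie describes above (realm suffix after '@' selects the realm and is stripped; anything else goes whole to the policy's default realm; duplicate realm names are rejected) can be modelled in a few lines. This is an added example, not FortiAuthenticator code and not from anyone in the thread; the RadiusPolicy type, the function names, the use of rpartition() for the realm suffix, and the sample identities, including the constructed machine identity 'host/pc01.corp.example', are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


# Hypothetical model of a FortiAuthenticator RADIUS policy (not the product's API):
# the realm names attached to the policy, the default realm, and the username format.
@dataclass(frozen=True)
class RadiusPolicy:
    realms: frozenset[str]
    default_realm: str
    user_format: str = "user@realm"

    def __post_init__(self) -> None:
        if self.default_realm not in self.realms:
            raise ValueError("default realm must be one of the policy's realms")


def add_realm(existing: set[str], name: str) -> set[str]:
    """Model the product's refusal to create two realms with the same name.

    Realm matching keys on the name, so a duplicate would make the lookup
    ambiguous; reject it instead of silently shadowing the first realm.
    """
    if name in existing:
        raise ValueError(f"realm {name!r} already exists")
    return existing | {name}


def route_identity(identity: str, policy: RadiusPolicy) -> tuple[str, str]:
    """Return (realm, username sent to that realm) for a RADIUS login name.

    Rules from the post:
      * with format 'user@realm', a suffix after '@' that names a realm in the
        policy selects that realm and only the part before '@' is sent on;
      * any other string (no '@', unknown realm, 'realm\\user', 'realm/user',
        or a 'host/<machine>' style identity) is sent whole to the default realm.
    rpartition() treats the final '@' suffix as the realm; that is an assumption.
    """
    if policy.user_format == "user@realm" and "@" in identity:
        user, _, realm = identity.rpartition("@")
        if user and realm in policy.realms:
            return realm, user
    return policy.default_realm, identity


# Constructed sample policy mirroring the post: realms 'ad' and 'ad2', 'ad' as default.
SAMPLE_POLICY = RadiusPolicy(realms=frozenset({"ad", "ad2"}), default_realm="ad")

# Constructed login names; the last one is a machine-style identity with a 'host/' prefix.
SAMPLE_IDENTITIES = [
    "user@ad",
    "user@ad2",
    "user",
    "user@ad3",
    "ad\\user",
    "ad2/user",
    "host/pc01.corp.example",
]

if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        realm, user = route_identity(ident, SAMPLE_POLICY)
        print(f"{ident:24} -> realm {realm!r:6} username {user!r}")
    try:
        add_realm({"ad", "ad2"}, "ad")
    except ValueError as exc:
        print("duplicate realm rejected:", exc)
```

Running it shows why the realm name itself is irrelevant for machine authentication: a 'host/...' identity contains no '@realm' suffix, so whatever the realm attached to the policy is called, the whole string lands in the default realm unchanged.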

AEK
SuperUser
September 10, 2024

In such a scenario, creating a realm named "host" was documented as such by @Hatibi:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-802-1x-EAP-TLS-with-computer/ta-p/212559

I guess he can help.

AEK
AEK
SuperUser
September 11, 2024

After some research I found that this problem is known for machine-based authentication (with a machine certificate) for pre-user-authentication connections, where the Windows domain uses the "host/" prefix, and it seems there is no way to change that.

This is usually resolved by switching to user-based authentication with a user certificate.

Again @Hatibi who wrote the tech tip may know further about that.

AEK