thilinapm
New Member
April 16, 2022
Solved

Fortiauthenticator ldap auth both dnshostname and samaccountname

  • April 16, 2022
  • 5 replies
  • 5396 views

Hi,

Is it possible to use both SamAccountName and DnsHostname authenticated against the same LDAP server? I cannot get it to work. If I change the username attribute to dnshostname as below, it authenticates with dnshostname but not with samaccountname. How can I get both working so I can authenticate using both computer name and username?

 

[screenshot: thilinapm_0-1650082179564.png, the LDAP server entry with the username attribute set to dnshostname]

 

Thanks

 

Thilina

 

Best answer by Markus_M


5 replies

Markus_M
Staff & Editor
April 16, 2022

Hi,

 

No. You cannot do this in one LDAP entry. The entry will ask for the supplied username to be found in the Username Attribute. This is intended as you do not mix computer and username attributes and then put them into a group.

A computer can be used by multiple users.

A user can use multiple computers.

 

To accommodate appropriate settings for the objects, you will need to create two LDAP server entries.

 

Best regards,

 

Markus

thilinapm (Author)
New Member
April 16, 2022

Thanks Markus ,

But what if I need to do PEAP for wired users using computer-name authentication, and wireless authentication using user authentication on BYOD devices? I cannot get it to work because of this limitation.

And I can't create two LDAP server entries for the same server; it doesn't allow that.

 

Thanks

 

Thilina

Markus_M (Answer)
Staff & Editor
April 16, 2022

Hi Thilina,

 

You need to create 2 LDAP server entries. Not two entries within one LDAP server.

You can define the "realm" that your users are in, if need be.

You will likely already have two RADIUS policies that refer to your user bases.

- wired users, so a switch as a RADIUS client.

- wireless users - a WLC as a RADIUS client.

 

Best regards,

 

Markus

thilinapm (Author)
New Member
April 16, 2022

Thanks Markus,

 

I believe you meant another LDAP entry to another DC in same domain, right?

 

Regards

 

Thilina

Markus_M
Staff & Editor
April 16, 2022

Hello Thilina,

 

Another LDAP entry, but it can be the same domain (try it out!).

The mapping is the important part. One LDAP entry can be used for one LDAP attribute, as samaccountname, the other LDAP entry can map another LDAP attribute as dnshostname.

 

Best regards,

 

Markus
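As an added illustration of the design Markus describes in the replies above (two LDAP server entries against the same domain, each mapped to exactly one attribute, with the RADIUS policy choosing the entry per RADIUS client), here is a small Python model. This is example code written for this page, not FortiAuthenticator's implementation or any Fortinet code: the directory objects, entry names and client addresses are constructed sample data, and the stripping of the `host/` prefix that Windows machine authentication puts in front of the FQDN is an assumption of the example, not documented FortiAuthenticator behaviour.

```python
"""Added example (not from the thread, not Fortinet code): a model of the
design Markus describes.  A RADIUS client selects one RADIUS policy, that
policy points at one LDAP server entry, and each entry maps the supplied
identity to exactly one LDAP attribute.  All directory objects, addresses
and entry names below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed AD-like objects.  A computer object also carries the "user"
# class (computer is derived from user) and its sAMAccountName ends in "$";
# only computer objects have dNSHostName populated.
DIRECTORY = [
    {"dn": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"},
    {"dn": "CN=WKS01,OU=Computers,DC=corp,DC=example",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": "WKS01$", "dNSHostName": "wks01.corp.example"},
]


@dataclass(frozen=True)
class LdapServerEntry:
    """One LDAP server entry in the FortiAuthenticator sense: one username attribute."""
    name: str
    username_attr: str
    object_class: str


# Two entries against the same domain, differing only in the attribute mapping.
LDAP_ENTRIES = {
    "AD-users": LdapServerEntry("AD-users", "sAMAccountName", "user"),
    "AD-hosts": LdapServerEntry("AD-hosts", "dNSHostName", "computer"),
}

# RADIUS policies keyed by RADIUS client address (constructed): the WLC
# authenticates BYOD users, the access switch authenticates machines.
RADIUS_POLICIES = {
    "192.0.2.10": "AD-users",   # WLC
    "192.0.2.20": "AD-hosts",   # access switch
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a supplied identity cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_filter(entry: LdapServerEntry, supplied: str) -> str:
    """The filter a real search would send for this entry and identity."""
    return (f"(&(objectClass={entry.object_class})"
            f"({entry.username_attr}={escape_filter_value(supplied)}))")


def normalize_identity(entry: LdapServerEntry, supplied: str) -> str:
    """Windows machine auth sends the EAP identity as host/<FQDN>.  Stripping
    that prefix is an assumption of this example, not documented
    FortiAuthenticator behaviour; check what your RADIUS logs actually show."""
    if entry.username_attr.lower() == "dnshostname" and supplied.lower().startswith("host/"):
        return supplied[len("host/"):]
    return supplied


def find_dn(entry: LdapServerEntry, supplied: str) -> Optional[str]:
    """Mock of the LDAP search: equality match on the entry's single attribute.
    AD compares these attributes case-insensitively, hence casefold()."""
    wanted = normalize_identity(entry, supplied).casefold()
    for obj in DIRECTORY:
        if entry.object_class not in obj["objectClass"]:
            continue
        if obj.get(entry.username_attr, "").casefold() == wanted:
            return obj["dn"]
    return None


def resolve(radius_client: str, supplied: str) -> dict:
    """Pick the LDAP entry via the RADIUS policy and look the identity up."""
    entry_name = RADIUS_POLICIES.get(radius_client)
    if entry_name is None:
        return {"result": "reject", "reason": "unknown RADIUS client"}
    entry = LDAP_ENTRIES[entry_name]
    flt = build_filter(entry, normalize_identity(entry, supplied))
    dn = find_dn(entry, supplied)
    return {"result": "found" if dn else "reject", "entry": entry.name,
            "filter": flt, "dn": dn}


if __name__ == "__main__":
    # The symptom from the question: one entry mapped to dNSHostName never finds a user.
    print(find_dn(LDAP_ENTRIES["AD-hosts"], "jdoe"))              # None
    # Per-client policy selection makes both identity types resolvable.
    print(resolve("192.0.2.10", "jdoe"))
    print(resolve("192.0.2.20", "host/wks01.corp.example"))
```

The `filter` value returned by `resolve()` is what you would paste into `ldapsearch` against the real domain controller to confirm that each entry's attribute mapping actually finds the object you expect before wiring it into a RADIUS policy.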

jbackstrom
New Member
March 25, 2024

We have run this setup for a while, where we have 3 LDAP server entries for samaccountname, UPN and dnshostname pointing to the same AD with different DNS names and IP addresses. However, we have had issues where basically only one has been active at once, causing issues. Our solution was changing "FortiAuthenticator NetBIOS name" to unique names for every entry, along with separate service accounts for each entry. Adding this here to maybe spare some time for someone else.

 

Regards,

Joakim

kanes39
New Member
April 11, 2025

Hi @jbackstrom, @Markus_M,

Do you know if this feature is now supported on version 6.6.2 or any other version that may support it?

Appreciate if someone can assist. 

Markus_M
Staff & Editor
May 10, 2025

Hi Kanes39,

There is no change; the FortiAuthenticator supported it all along, but this makes it, in my weird opinion, more logical. FortiAuthenticator won't know whether it is a host or a user authenticating. While that is probably possible to automate with a code change, it is already working as described earlier.