FortiAuthenticator requires user defined on Fortigate as Remote User - surely not correct

i had similar case and this was my configuration.

let the communication pass thru Radius, config FortiGate and FAC radius service, then configure FAC to talked to your LDAP server.

under FAC, you need to define Realm, Radius Service Policy and User groups including Radius attributes. Please check also from FAC admin guide how to use with "LDAP filter".

Now under FG you can define group name similar to your FAC user group created.

Hi,

Having users on FortiGate, specified, type radius, would work for a few users, especially if you'd like to provide those with FortiToken 2FA but your remote server is not capable of doing 2FA.

But you mentioned FortiAuthenticator !

So there is definitely no need to have users local on FortiGate, even for 2FA.

Therefore completely remote users IS the right way. 

First I would highly suggest to have local users defined on FortiGate kept inside a separate user group from those of remote origin.

And so have separate user group for users from remote server, like RADIUS, where this server is defined as sole/exclusive member of user group on FortiGate (NOT mixed with other users).

Then in simplest way possible all the users matching this remote server (those who will be able to successfully authenticate against that server) will be seen as members of this group.

That should work and is simplest way possible how to get remote users from RADIUS (or other things like LDAP/TACACS+) being group members on FortiGate.

Then you can complicate and narrow the things a bit (and I would recommend to get better control over allowed users).

Either on FortiGate side, by feature called "group match", which allows only specific users from remote server, those bearing Fortinet-Group-Name AVP (for RADIUS) and where this string from Access-Accept match user group definition on FortiGate, being only allowed members of the group.

More on Group match in old, but still valid, KB article:

https://kb.fortinet.com/k...amp;externalId=FD36464

Or by narrowing realm and RADIUS Client policy on FortiAuthenticator side only, also to allow only specific users defined on FortiAuthenticator to pass to RADIUS Client (FortiGate in this role).

OR, best way possible, combine those together, so:

---

1. FortiAuthenticator (FAC hereinafter)

- define where you'll get users from, as those can be local users on FAC, or users learned/synced to FAC from your LDAP via Authentication > User Management > Remote User Sync Rules

- group those users on FAC to local group

- set additional RADIUS attributes (AVPs) per group and set Fortinets' Fortinet-Group-Name to string, that will be inherited by all the local users from this group when they authenticate and propagated into Access-Accept

- set realm

- set RADIUS Client > Policy, to use this realm AND !! do NOT FORGET to edit/set allowed groups and select created group, otherwise users will authenticate against realm but would not inherit anything from group AVPs settings

2. FortiGate (FGT hereinafter)

- set RADIUS Server - point to FAC

- set user group with FAC as only member

- set group match to explicitly same string as you have set in FAC and APV Fortinet-Group-Name

- use that group in policy

- test (even 'diag test auth radius <SERVER-FAC> pap <testuser> <password>' should return group membership learned from RADIUS server via/from  Access-Accept / Fortinet-Group-Name )

Use, share, enjoy.