abdulmoiz2006
New Member
June 8, 2021
Solved

New to FortiAuthenticator, how does it work?


Hi guys, I am deploying a new FortiAuthenticator and have a few questions, if you guys could help.


- Can I authenticate Cisco switches with FAC? When I log in via SSH or console, that should check with FAC.

- How does FAC work? I have many FortiGates, so will FAC be linked with the FGTs and users access via FortiClient, or how?

I am a little confused here: can we link FAC to a Cisco switch and do 802.1X port-based or MAC authentication, or does it need to be linked with FGT?

Best answer by xsilver_FTNT

As Yurisk already said, there are several ways to authenticate even computers.

The possibilities are quite wide. Besides the ones mentioned, you can for example have your users log in to FAC and allow them to enroll their own device certificates; you can limit how many devices they can enroll, and then they can do 802.1X EAP-TLS wired or Wi-Fi auth, for example.

Besides the mentioned fact that FAC in its most basic form is a huge RADIUS server: it's true, but more precisely it is an auth concentrator and centralized point.

As for the mentioned SSO, it can read user data from many sources (RADIUS Accounting, Syslog, various Windows AD methods, FortiClient with SSOMA (the mobility agent module in FortiClient), ...), process that logon data, pass it through filters, and push the entries fitting a specific need to connected FortiGate units.

But besides RADIUS and FSSO, it is also a token-handling platform (FortiTokens, YubiKeys directly, 3rd party like RSA via auth chaining to the RSA server, even combining those 3rd-party tokens with LDAP/AD into a single auth), SAML, OAuth, RADIUS Proxy (not only for Accounting data, but also RADIUS Authentication, as it can use another RADIUS server as backend, not just LDAP). Speaking of LDAP in general, though it's usually used with AD, FAC can sync users based on LDAP filters and sort them into groups on FAC, and alternatively assign tokens (FortiTokens/SMS/Email) to those users automatically during sync. It also keeps the user list, so once you remove a user from LDAP and/or once a user stops matching the LDAP filter, that user can be automatically removed from FAC, and if he was provided with a token, that one will be recovered back to the pool of free/available tokens (useful especially with mobile tokens, where you do not need to collect a hardware token, which obviously is not possible automagically by FAC itself).


So, the possibilities are pretty wide. It depends more on what you truly need, and even for a specific task there is usually more than one way to achieve it.


Therefore you should be a bit more specific.


1 reply

Yurisk
SuperUser
June 9, 2021

Think of FAC as a RADIUS server; it makes understanding much easier. As a consequence of that:


- Yes, Cisco switches/routers will work with FAC for CLI user authentication using the usual "aaa authentication ... group radius".

- FAC works by providing RADIUS services to the authenticating clients, while using Windows AD or its own local database as the source for users/passwords. Usually you link FAC to AD via the LDAP protocol, and then those users can authenticate against FAC using their AD credentials.

- How you use it depends on what you need. By "using FortiClient (FC)" you most probably mean remote VPN connecting to FortiGates; then yes, FC connects to some FortiGate linked to FAC and authenticates the user against FAC.

- FAC additionally supports SSO/SAML and probably other stuff (which I don't use) that I can't comment much on.

- From experience, the most frequent use case for FAC is registering FortiTokens with it for MFA; this way a user can have just one FortiToken and connect to any device linked to FAC.

abdulmoiz2006
New Member
June 9, 2021

Yurisk wrote:

Think of FAC as a RADIUS server; it makes understanding much easier. As a consequence of that:

- Yes, Cisco switches/routers will work with FAC for CLI user authentication using the usual "aaa authentication ... group radius".

- FAC works by providing RADIUS services to the authenticating clients, while using Windows AD or its own local database as the source for users/passwords. Usually you link FAC to AD via the LDAP protocol, and then those users can authenticate against FAC using their AD credentials.

- How you use it depends on what you need. By "using FortiClient (FC)" you most probably mean remote VPN connecting to FortiGates; then yes, FC connects to some FortiGate linked to FAC and authenticates the user against FAC.

- FAC additionally supports SSO/SAML and probably other stuff (which I don't use) that I can't comment much on.

- From experience, the most frequent use case for FAC is registering FortiTokens with it for MFA; this way a user can have just one FortiToken and connect to any device linked to FAC.

Thanks Yurisk, you are awesome. - How about the computer users, how will they authenticate with FAC?

- How can computers be authenticated? Is there anything besides MAB and dot1x? Is there any place or link where I could get a sample config that I can look at to configure my FAC and Cisco switches?

Yurisk
SuperUser
June 9, 2021

- Local PCs/users can authenticate either via the FAC SSO web-based portal or transparently if they have the FortiClient SSO Mobility Agent installed. You CAN get it working without AD by creating local users on FAC; I just haven't seen anyone doing it in production, as usually there is already an AD infrastructure in place.

- Fortinet has its own FortiNAC; I guess it does all the 802.1X stuff, but I haven't worked with it yet.

- If the FAC admin guide is too much for the first time, there are quite good videos by Fortinet introducing the initial configs and principles of operation: https://video.fortinet.com/products. There are example configurations, but they are not sorted by complexity, and it gives some 1000+ results, but here it is: search in Google for "fortiauthenticator site:kb.fortinet.com".
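A switch-side sample config, added here as an illustration and not taken from the thread, from Fortinet or from Cisco documentation: it puts Yurisk's "aaa authentication ... group radius" point into practice for SSH/console login against FAC, and adds the 802.1X/MAB access-port part asked about above, on a Cisco IOS switch that treats FAC purely as a RADIUS server. The addresses, server/group names, VLANs and the interface are assumptions; the shared secret and local password are placeholders. FAC only needs the switch registered as a RADIUS client with the same secret (the RADIUS Service > Clients section of the FAC GUI) and a realm (local or LDAP) selected for that client.

```cisco
! Added example (not from the thread): Cisco IOS switch using FortiAuthenticator
! as its RADIUS server. Addresses, names and interfaces below are assumptions.
! On the FAC side the switch's source IP must be added as a RADIUS client with
! the same shared secret; RADIUS servers discard requests from unknown clients.
aaa new-model
!
! Define FAC as a RADIUS server (FAC listens on the standard 1812/1813 ports)
! and put it in a named server group.
radius server FAC-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <REPLACE-WITH-LONG-RANDOM-SHARED-SECRET>
 timeout 5
 retransmit 3
!
aaa group server radius FAC
 server name FAC-PRIMARY
!
! Source RADIUS from a fixed interface so the client entry on FAC matches.
ip radius source-interface Vlan10
!
! --- Management-plane login (SSH / console) ---
! Try FAC first; "local" is used only if FAC does not respond at all
! (not when FAC rejects the user), so a FAC outage cannot lock you out.
aaa authentication login FAC-LOGIN group FAC local
aaa authorization exec FAC-LOGIN group FAC local if-authenticated
aaa accounting exec default start-stop group FAC
!
! Break-glass local account, usable only while FAC is unreachable.
username admin-fallback privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
line vty 0 4
 login authentication FAC-LOGIN
 authorization exec FAC-LOGIN
 transport input ssh
line console 0
 login authentication FAC-LOGIN
!
! --- Access-port authentication (802.1X first, MAB as fallback) ---
dot1x system-auth-control
aaa authentication dot1x default group FAC
aaa authorization network default group FAC
aaa accounting dot1x default start-stop group FAC
!
interface GigabitEthernet1/0/5
 description user port authenticated against FAC (assumed port)
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
!
! Verification from the switch CLI:
!   test aaa group FAC <username> <password> new-code
!   show authentication sessions interface GigabitEthernet1/0/5 details
```

Two things worth checking before rolling this out: run the "test aaa" command from a second session while keeping the current one open, so a wrong secret or an unregistered client on FAC does not cost you management access; and if you want FAC to hand out the privilege level instead of the "if-authenticated" default, the FAC user or group must return the Cisco-AV-Pair attribute shell:priv-lvl=15 in its RADIUS attributes (assumed to be configured on the FAC side, which is outside this snippet).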