shree083
New Member
April 10, 2025
Question

RADIUS Depends on LDAP on FortiGate?


Hello everyone,

This morning we had a situation at the office.
We have a FortiGate 80F at the office.
So here’s what happened: we have a VPN configured with MFA through an NPS server in Azure.
There’s a Site-to-Site (S2S) connection between On-Prem and Azure VNET.
This morning, the local Active Directory (AD) server went down, so the VPN couldn’t connect — even though we also have AD in Azure, which is accessible from On-Prem.
But we have the LDAP server configured to use the local AD.

So the question is:
Is the RADIUS server (configured on FortiGate) dependent on the LDAP server that is also configured on FortiGate?

Thank you in advance!

2 replies

rbraha
Staff
April 10, 2025

Hi @shree083 

By default, when there is a request toward the FGT, the FGT first checks the local user database; then, if the user is not found there, it checks whichever server replies first, LDAP or RADIUS, and proceeds to authenticate the user. So you have to make sure you don't have the same LDAP server configured locally on the FGT while the RADIUS server also uses that same LDAP server on the other side, or you have to be careful when selecting user groups in the FGT, or use realms to match the correct one.
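The group-selection point above, as an added example that is not from this thread or from Fortinet: the first fragment shows a VPN group that mixes the on-prem LDAP server with the Azure NPS RADIUS server, the second separates them and adds the Azure DC as an LDAP fallback. Server names, DNs, 192.0.2.x addresses and secrets are constructed placeholders, and FortiOS 7.x CLI syntax is assumed.

```fortios
# Added example, not from the thread. Names, DNs and 192.0.2.x addresses
# are constructed; FortiOS 7.x CLI syntax is assumed.

# Weak: the only LDAP entry knows the on-prem DC, and the VPN group mixes
# that LDAP server with the RADIUS (NPS) server. When the on-prem DC is
# down, VPN logins for that group still wait on the dead LDAP path.
config user ldap
    edit "AD-OnPrem"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=corp,dc=example"
        set password PLACEHOLDER-BIND-PASSWORD
    next
end
config user group
    edit "VPN-Users"
        set member "AD-OnPrem" "NPS-Azure"
    next
end

# Corrected: the Azure DC becomes the LDAP secondary, and the VPN group
# holds only the RADIUS server, so the MFA path has no LDAP dependency.
config user ldap
    edit "AD-OnPrem"
        # DC in the Azure VNET, reachable over the S2S tunnel
        set secondary-server "192.0.2.20"
    next
end
config user radius
    edit "NPS-Azure"
        # NPS is also reached over the S2S tunnel
        set server "192.0.2.30"
        set secret PLACEHOLDER-RADIUS-SECRET
    next
end
config user group
    edit "VPN-MFA"
        set member "NPS-Azure"
    next
end
# The NPS MFA prompt takes longer than the default remote auth timeout.
config system global
    set remoteauthtimeout 60
end
```

Point the VPN's authentication rule only at VPN-MFA; this removes the LDAP dependency but not the dependency on the S2S tunnel that carries the RADIUS traffic to the NPS.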

Toshi_Esumi
SuperUser
April 10, 2025

You said "NPS server in Azure". Therefore I assume the FGT's RADIUS server connection needs to reach the NPS over the VPN. Then if the tunnel is not up, the FGT can't get to the NPS RADIUS proxy.

Toshi