FortiAuthenticator
cserna_FTNT
Staff
Article Id 198176

Description

This article describes the configuration required to allow FortiAuthenticator to join an Active Directory (AD) domain.

 

Scope

FortiAuthenticator.

Solution

Once a remote LDAP server has been added, the parameters required to add FortiAuthenticator as a machine in the Active Directory environment can be set.

Open the configuration of the remote LDAP server under Authentication -> Remote Auth. Servers -> LDAP.
Enable the 'Windows Active Directory Domain Authentication' check box.

[Screenshot: the Windows Active Directory Domain Authentication fields in the remote LDAP server configuration]

Fill in the fields shown above:

  • Kerberos realm name: Enter the domain's DNS name in upper case. Right-click the domain object on the AD server to obtain the required value.
  • Domain NetBIOS Name: Enter the domain's prefix in upper case.
  • FortiAuthenticator NetBIOS name: The name used to identify the FortiAuthenticator in the domain.
  • Administrator Username: The user account used to join the FortiAuthenticator to the domain. The user must have at least Domain User privileges. Use the simple username format; in some versions neither the DC nor the UPN format is supported.
  • Administrator password: The password of the user specified above.
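The fields above follow a few fixed rules (realm is the DNS domain in upper case, the NetBIOS domain name is the upper-case prefix, the join account is given in simple form). The following Python snippet is an added example, not Fortinet code, that derives the realm and NetBIOS domain name from a constructed sample DNS domain (corp.example.com) and flags values that the form will not accept. The 15-character NetBIOS limit is a Windows naming rule; the function and variable names are the example's own.

```python
"""Prepare and sanity-check the values for the FortiAuthenticator
'Windows Active Directory Domain Authentication' fields.
Added example; all names and the sample domain are constructed."""

# Windows NetBIOS names are at most 15 characters (byte 16 is the suffix).
NETBIOS_MAX_LEN = 15
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')


def kerberos_realm_from_dns(dns_domain: str) -> str:
    """Kerberos realm name = the domain's DNS name in upper case."""
    name = dns_domain.strip().rstrip(".")
    if not name or ".." in name or name.startswith("."):
        raise ValueError("not a valid DNS domain name: %r" % dns_domain)
    return name.upper()


def netbios_domain_from_dns(dns_domain: str) -> str:
    """Default Domain NetBIOS Name = first DNS label, upper case.
    A domain may have been given a different NetBIOS name at creation;
    the value shown on the domain object in AD is authoritative."""
    prefix = kerberos_realm_from_dns(dns_domain).split(".")[0]
    return prefix[:NETBIOS_MAX_LEN]


def check_netbios_name(name: str) -> list:
    """Return a list of problems with a NetBIOS host name (empty = OK)."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > NETBIOS_MAX_LEN:
        problems.append("longer than %d characters" % NETBIOS_MAX_LEN)
    bad = sorted(set(name) & NETBIOS_FORBIDDEN)
    if bad:
        problems.append("contains forbidden characters: %s" % "".join(bad))
    return problems


def check_admin_username(username: str) -> list:
    """The join account must be in simple form ('joinuser'); the UPN
    form ('joinuser@corp.example.com') and the backslash-qualified
    form ('CORP\\joinuser') are not the simple format."""
    problems = []
    if not username.strip():
        problems.append("username is empty")
    if "@" in username:
        problems.append("UPN format (user@domain); use the plain username")
    if "\\" in username or "/" in username:
        problems.append("domain-qualified format; use the plain username")
    return problems


def build_join_settings(dns_domain: str, fac_netbios_name: str,
                        admin_user: str) -> tuple:
    """Assemble the form values (password deliberately omitted) and
    return (settings, problems); an empty problems dict means all
    values pass the checks above."""
    settings = {
        "kerberos_realm": kerberos_realm_from_dns(dns_domain),
        "domain_netbios_name": netbios_domain_from_dns(dns_domain),
        "fortiauthenticator_netbios_name": fac_netbios_name,
        "administrator_username": admin_user,
    }
    problems = {}
    p = check_netbios_name(fac_netbios_name)
    if p:
        problems["fortiauthenticator_netbios_name"] = p
    p = check_admin_username(admin_user)
    if p:
        problems["administrator_username"] = p
    return settings, problems


if __name__ == "__main__":
    # Constructed sample input; prints the derived values and any problems.
    s, p = build_join_settings("corp.example.com", "FAC01", "joinuser@corp.example.com")
    for k, v in s.items():
        print("%-32s %s" % (k + ":", v))
    for field, issues in p.items():
        print("PROBLEM %s: %s" % (field, "; ".join(issues)))
```

Run it with the DNS name of the domain to be joined, the planned FortiAuthenticator NetBIOS name and the join account; correct anything reported before filling in the form, then verify the join status under Monitor -> Authentication -> Windows AD as described below.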

Once the configuration is complete, go to Monitor -> Authentication -> Windows AD and verify that the status is shown as 'Joined Domain, connected':

[Screenshot: Monitor -> Authentication -> Windows AD showing the status 'Joined Domain, connected']

Next, enable 'Use Windows AD Domain Authentication' in the RADIUS client configuration so that the client can authenticate with MSCHAP (V2).

If FortiAuthenticator is not correctly joined to the domain, this option will be unavailable.

[Screenshot: RADIUS client configuration with the 'Use Windows AD Domain Authentication' option]

Related Article:

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-FortiAuthenticator-error-Fa...