FortiAuthenticator
matanaskovic
Staff
Article Id 228726

Description

This article describes how to automatically assign FortiToken Mobile authentication to all active directory users.

Scope

FortiAuthenticator 6.4.

Solution

First, create an LDAP server entry. This article uses a Windows Server 2019 system; the bind user is an administrator account with privileges to query objects on the LDAP server.

Navigate to Authentication > User Management > Remote User Sync Rules > Create New.

In the sync rule, under OTP method assignment priority, enable FortiToken Mobile (assign an available token). The OTP methods can be dragged and dropped to change their priority.

Save the remote sync rule settings and run a Manual Sync.

The logs record each step of the sync rule run and every imported user, including the token assignment:

level="information" nas="" action="" status="" msg="Successfully synced (rule: TAC-SUPP) with DC-boss on Thu Nov 3 14:18:33 2022." user=""
level="information" nas="" action="" status="" msg="Found 0 modified FTC users for sync (rule: TAC-SUPP) with DC-boss (10.0.0.100)" user=""
level="information" nas="" action="Add" status="" msg="Successfully assigned token to matanaskovic (rule: TAC-SUPP) @ DC-boss (10.0.0.100) with FortiToken Mobile ("FTKMOB0A8ABCXZY!") token-based authentication." user="matanaskovic"
level="information" nas="" action="Edit" status="" msg="Edited Remote LDAP User: matanaskovic (changed fields: FortiToken)" user="admin"
level="information" nas="" action="" status="" msg="Assigning remote LDAP user matanaskovic with FortiToken Mobile FTKMOB0A8ABCXZY!, activation code EEIJ************." user=""
level="information" nas="" action="" status="" msg="smtp mail: send to testtest@mail.com via localhost:25 ok" user="admin"
level="information" nas="" action="Add" status="" msg="Added Remote LDAP User: matanaskovic" user="admin"
level="information" nas="" action="" status="" msg="Retrieved 1 user(s) from the remote LDAP server "DC-boss (10.0.0.100)". (sync rule: TAC-SUPP)" user=""
level="information" nas="" action="" status="" msg="Performing remote LDAP user sync (rule: TAC-SUPP) with DC-boss (10.0.0.100)." user=""

To confirm what the logs report, check that each synced user now has FortiToken Mobile authentication assigned.
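As an added example (not part of the article or of FortiAuthenticator itself), the following Python performs that check from the sync log: it parses the key="value" log lines, handling the unescaped quotes FortiAuthenticator places inside msg=, lists which imported users received a FortiToken Mobile serial, and flags any imported user that did not. The sample log is constructed from four of the entries shown above plus one made-up user "jdoe" with no assignment; the function names are my own.

```python
import re

# One key="value" field; the value ends only at a quote that is followed by
# the next key or by end of line, so the unescaped quotes FortiAuthenticator
# puts inside msg= (token serials, server names) are kept in the value.
FIELD_RE = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')
ADDED_RE = re.compile(r'^Added Remote LDAP User: (\S+)$')
ASSIGN_RE = re.compile(
    r'^Successfully assigned token to (\S+) .*FortiToken Mobile \("([^"]+)"\)')

# Constructed sample: four entries quoted from the article's sync log plus one
# made-up "Added Remote LDAP User: jdoe" entry with no matching assignment.
SAMPLE_LOG = r'''
level="information" nas="" action="Add" status="" msg="Successfully assigned token to matanaskovic (rule: TAC-SUPP) @ DC-boss (10.0.0.100) with FortiToken Mobile ("FTKMOB0A8ABCXZY!") token-based authentication." user="matanaskovic"
level="information" nas="" action="Edit" status="" msg="Edited Remote LDAP User: matanaskovic (changed fields: FortiToken)" user="admin"
level="information" nas="" action="Add" status="" msg="Added Remote LDAP User: matanaskovic" user="admin"
level="information" nas="" action="Add" status="" msg="Added Remote LDAP User: jdoe" user="admin"
level="information" nas="" action="" status="" msg="Retrieved 1 user(s) from the remote LDAP server "DC-boss (10.0.0.100)". (sync rule: TAC-SUPP)" user=""
'''


def parse_line(line):
    """Split one FortiAuthenticator log line into a {field: value} dict."""
    return dict(FIELD_RE.findall(line.strip()))


def token_assignment_report(log_text):
    """Return (assigned, missing): a {user: token serial} dict for users the
    sync rule gave a FortiToken Mobile, and the sorted list of imported users
    that never received one (the case an administrator wants flagged)."""
    added, assigned = set(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line).get("msg", "")
        m = ADDED_RE.match(msg)
        if m:
            added.add(m.group(1))
            continue
        m = ASSIGN_RE.match(msg)
        if m:
            assigned[m.group(1)] = m.group(2)
    return assigned, sorted(added - set(assigned))


if __name__ == "__main__":
    assigned, missing = token_assignment_report(SAMPLE_LOG)
    print("tokens assigned:", assigned)        # {'matanaskovic': 'FTKMOB0A8ABCXZY!'}
    print("imported without token:", missing)  # ['jdoe']
```

Run it against a log export of a real sync rule run; any user listed as missing was imported but fell through the OTP assignment priority (for example, no free FortiToken Mobile licence was available).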

Related articles:

https://docs.fortinet.com/document/fortiauthenticator/6.4.4/administration-guide/700989/fortiauthent...

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Migrating-users-and-FortiTokens-t...