FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Hawada1
Staff
Article Id 191446

Description


This article describes how to configure a FortiAuthenticator Layer 2 HA A-P cluster.

 

Scope

 

FortiAuthenticator.

Solution

 

  1. Before forming the HA cluster, take the following points into consideration:
    Properly design the subnets used for the HA management interfaces and the other network interfaces.
  2. Important: the license key is bound to an IP address configured on the unit, so it must be assigned to the HA interface IP address. Otherwise, the slave node's license becomes unavailable because its IP address is overridden by HA. To resolve the license issue, modify the license file of the secondary unit in the support portal so that it points to the HA management interface IP of the slave unit, then upload it again to the slave.
  3. Both FortiAuthenticator devices must be the same model and run the same firmware version.
  4. L2 communication is required between the HA links.
  5. Failover happens approximately 30 seconds after a failure.
  6. All configuration is synced except the HA settings and the hostname.

 

Below is the Step-by-Step HA guide:

License Config:
After initial configuration, assign the license keys.

In this example, port4 is used as the HA interface to which the license is assigned:

  • FAC-Primary 172.16.0.1.
  • FAC-Secondary 172.16.0.2.

 
Then select 'License File Download'.
Upload the license file by going to System -> Administration -> Licensing and selecting 'OK':
 
After adding the license key, FortiAuthenticator will reboot automatically. Perform the same steps on the secondary unit.
 
A License Warning message will be shown after accessing the units, since the IP address bound to the license is not yet configured on the HA management interface.
This can be temporarily ignored at this step.
 
  

Configure High Availability Settings on the Primary unit.

Go to System -> Administration -> High Availability and enable HA.

  • Role: select Cluster member for an L2 cluster.
  • Maintenance Mode: leave it Disabled.
  • Interface: select Port4.
  • Cluster member IP address: type the IP address that was bound to the license key, '172.16.0.1'.
  • Priority: select High for the Primary and Low for the Slave.
  • Password: type any password, but make sure it is the same on both units; otherwise the HA cluster will not form.
  • Monitor interfaces: select the interfaces to monitor; failover is triggered if one of them fails.
 
After configuring all these steps select 'OK'.
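The considerations listed at the start of the Solution and the HA settings above amount to a small set of constraints that have to hold on both units before the cluster will form. The following pre-flight check is an added example, not Fortinet code or part of this article: it models those constraints (same model and firmware, HA interfaces on one L2 subnet, license bound to the HA management IP, High/Low priority, identical HA password, workstation on the HA subnet) over constructed node descriptions and reports anything that would stop the cluster forming or leave the slave without a license. The node fields, model string and password are assumptions made for the example.

```python
"""Constructed pre-flight check for a FortiAuthenticator L2 HA A-P pair.

Added example, not Fortinet code: it encodes the constraints this article
lists and reports the ones that are violated.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FacNode:
    name: str
    model: str
    firmware: str
    ha_interface: str   # interface carrying HA traffic, e.g. "port4"
    ha_ip: str          # HA management IP with prefix, e.g. "172.16.0.1/24"
    license_ip: str     # IP address the license file is bound to
    priority: str       # "High" on the primary, "Low" on the secondary
    ha_password: str    # HA password; must match on both units


def preflight(primary: FacNode, secondary: FacNode,
              workstation_ip: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the pair looks cluster-ready."""
    findings = []
    if primary.model != secondary.model:
        findings.append(f"model mismatch: {primary.model} vs {secondary.model}")
    if primary.firmware != secondary.firmware:
        findings.append(f"firmware mismatch: {primary.firmware} vs {secondary.firmware}")
    if primary.ha_interface != secondary.ha_interface:
        findings.append("HA interface differs between units")

    p_if = ipaddress.ip_interface(primary.ha_ip)
    s_if = ipaddress.ip_interface(secondary.ha_ip)
    # L2 adjacency is required between the HA links: both IPs must share a subnet
    if p_if.network != s_if.network:
        findings.append(f"HA interfaces are on different subnets: {p_if.network} vs {s_if.network}")
    if p_if.ip == s_if.ip:
        findings.append("both units use the same HA management IP")

    # The license is bound to an IP; it must be the HA management IP, or the
    # secondary's license becomes unavailable once HA overrides its address.
    for node, iface in ((primary, p_if), (secondary, s_if)):
        if ipaddress.ip_address(node.license_ip) != iface.ip:
            findings.append(
                f"{node.name}: license bound to {node.license_ip} but HA IP is {iface.ip}; "
                "re-issue the license against the HA management IP and upload it again")

    if (primary.priority, secondary.priority) != ("High", "Low"):
        findings.append("priority must be High on the primary and Low on the secondary")
    if primary.ha_password != secondary.ha_password:
        findings.append("HA password differs; the cluster will not form")

    # The HA management GUI is only reachable from a host on the HA subnet
    if workstation_ip is not None and ipaddress.ip_address(workstation_ip) not in p_if.network:
        findings.append(f"workstation {workstation_ip} is not on HA subnet {p_if.network}")
    return findings


# Constructed sample nodes mirroring the article's addressing (172.16.0.1 / 172.16.0.2);
# model, firmware and password values are assumptions for the example.
PRIMARY = FacNode("FAC-Primary", "FAC-VM", "6.6.0", "port4", "172.16.0.1/24",
                  "172.16.0.1", "High", "ha-secret")
SECONDARY_OK = FacNode("FAC-Secondary", "FAC-VM", "6.6.0", "port4", "172.16.0.2/24",
                       "172.16.0.2", "Low", "ha-secret")
# Same unit, but its license was issued against a non-HA address (constructed)
SECONDARY_BAD_LICENSE = FacNode("FAC-Secondary", "FAC-VM", "6.6.0", "port4", "172.16.0.2/24",
                                "192.0.2.10", "Low", "ha-secret")

if __name__ == "__main__":
    for label, sec in (("ok", SECONDARY_OK), ("bad license", SECONDARY_BAD_LICENSE)):
        print(label, preflight(PRIMARY, sec, workstation_ip="172.16.0.50") or ["no findings"])
```

Run the script before enabling HA on the secondary: the "bad license" case is exactly the License Warning situation described above, and the finding tells you which unit's license file needs to be re-issued against the HA management IP.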
 

User Inventory.
After adding the license and configuring the HA management IP address, make sure that all limitations of the trial license have been removed by checking User Inventory in the status dashboard.

If the license is not reflected correctly, just reload the unit.
 
 

Configure High Availability Settings on the Secondary unit:

 

 

 

HA Status.
Wait a few minutes to make sure that all the configuration has been synced, then check HA Status.

The result should show a green check mark under Health status:
 

 

To access the HA management GUI on the HA interface IP of either unit, the workstation must be in the same subnet as the HA interface configured on the FortiAuthenticator.

Node-Specific Default Gateway is an option for clusters whose nodes sit in two different data centers with different default gateways. In that case, configure the option with the correct gateway for each node so that the node still has network access after a failover.

If Node-Specific Default Gateway is set, it overwrites the default gateway in the node's static routing and becomes the new default gateway for the whole node. Be careful with Node-Specific Default Gateway, as it may lead to routing issues, especially after a failover or a failback to the primary.

 

From v6.6.0 there is an option to choose which default gateway is used: the node-specific gateway is only used if the Override Static Routing setting is selected:

 


 

In the CLI, the Node-Specific Gateway is ns-gw under the 'config system ha' setting:

 

set ns-gw <gateway> <----- Set a default gateway for the HA management interface.

 

Related documents:

6.6.0 CLI commands

Technical Tip: FortiAuthenticator HA cluster overview