FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
rmharini
Staff
Article Id 365222
Description

This article describes how to configure two LDAP servers with FortiAuthenticator acting as the RADIUS server for SSL VPN connections. It assumes that the SSL VPN settings are already configured on the FortiGate.

Scope

FortiGate, FortiAuthenticator.
Solution
  1. Configure two LDAP servers. Expand Authentication -> Remote Auth. Servers -> LDAP.

ldap-config.png
  2. Import the LDAP users from both LDAP servers into FortiAuthenticator. Expand Authentication -> User Management -> Remote Users and select Import.

import_users.png

  3. Create a user group, select the LDAP users, set the 'Radius Attributes', and select Save. Expand Authentication -> User Management -> User Groups.

user-group.png

user-group-attri.png

  4. Create a local realm for each of the two LDAP servers. Expand Authentication -> User Management -> Realms.

realm.png

  5. Configure the Radius client (FortiGate) and the Radius policies. Any username format can be selected. Select the LDAP groups created earlier. Expand Authentication -> Radius Service -> Clients.

client.png

Expand Authentication -> Radius Service -> Policies. Under Radius clients, add the FortiGate that was configured as a Radius client.

radius-policy.png

  6. Add FortiAuthenticator as a Radius server in FortiGate. Log in to FortiGate, expand User & Authentication -> Radius Servers and select 'Create New'.

radius-server.png

  7. Configure the user group on the firewall. Expand User & Authentication -> User Groups and select Create New. It is possible either to create separate user groups or to use a single group and add to it the group names configured on FortiAuthenticator. In this setup, separate groups have been created because each user group is assigned a different IP address range when connected to the VPN.

grp1.png

grp-11.png

  8. Configure the SSL VPN settings and policy. Configure the ranges of IP addresses to be assigned to the VPN clients (one address object per user group):

config firewall address
    edit "ip-address-2"
        set uuid 7545d8c8-b6e2-51ef-c370-be808346bb61
        set type iprange
        set start-ip 2.2.2.1
        set end-ip 2.2.2.10
    next
    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid 04c6d0c6-b394-51ef-c0e9-7f410c6cc731
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

Expand VPN -> SSL VPN Settings:

ssl_VPN.png

  • Create a separate policy for each user group, as each group is assigned a different IP address range when connected to the VPN.

ssl-policy.png

Testing:

Note:

  • Users in LDAP Group 1 connecting via SSL VPN can log in using only their username, e.g. nse8-user1.
  • Users in LDAP Group 2 connecting via SSL VPN are required to log in using the realm\username format, as specified in the RADIUS policy, e.g. ldap_2\harini.

Refer to the following KB article: Technical Tip: Username format used to connect to the SSL VPN when two LDAP servers are configured o...

  1. View the user authentication status in the FortiAuthenticator GUI logs. Expand Logging -> Log Access -> Logs:

success.png

success-2.png

  2. Enable debugging on FortiAuthenticator to see the RADIUS authentication debug logs for the SSL VPN connection:

https://Fortiauthenticator_IP/debug

RADIUS authentication debug logs for the user nse8-user1 (no realm in the username; the user is found directly and the LDAP bind succeeds):

2024-12-20T05:30:52.002231-08:00 FortiAuthenticator radiusd[19006]: (7) User-Name = "nse8-user1"
2024-12-20T05:30:52.003151-08:00 FortiAuthenticator radiusd[19006]: User-Name = "nse8-user1"
2024-12-20T05:30:52.003563-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: ===>Username:nse8-user1
2024-12-20T05:30:52.010609-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: Input raw_username: (null) Realm: (null) username: nse8-user1
2024-12-20T05:30:52.012668-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: Cannot find local user nse8-user1
2024-12-20T05:30:52.014444-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: LDAP user found: nse8-user1
2024-12-20T05:30:52.025749-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: Try to bind with DN: CN=nse8-user1,CN=Users,DC=dxb-nse8,DC=lab
2024-12-20T05:30:52.038868-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: Updated auth log 'nse8-user1': Remote LDAP user authentication with no token successful
2024-12-20T05:30:52.040965-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: User-Name: nse8-user1 (from request)


On FortiGate:

get vpn ssl monitor

Index  User        Group        Source IP     Duration  I/O Bytes      Tunnel/Dest IP
0      nse8-user1  radius-grp1  10.107.3.131  134       157991/400884  10.212.134.200


RADIUS authentication debug logs for the user ldap_2\harini. The first request, (0), fails: no realm is parsed from the username (Realm: (null)), so FortiAuthenticator looks up the literal name ldap_2\harini and reports 'user not found'. In the second request, (8), the realm ldap_2 is split off, the LDAP user harini is found and the bind to CN=harini,CN=Users,DC=demo,DC=lab succeeds:


2024-12-20T02:54:42.833791-08:00 FortiAuthenticator radiusd[19006]: User-Name = "ldap_2\\harini"
2024-12-20T02:54:42.833923-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: ===>Username:ldap_2\harini
2024-12-20T02:54:42.834936-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: Input raw_username: (null) Realm: (null) username: ldap_2\harini
2024-12-20T02:54:42.841480-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: Cannot find local user ldap_2\harini
2024-12-20T02:54:42.842022-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: user: ldap_2\harini not found, update user and ip lockout with ip: (null)
2024-12-20T02:54:42.852847-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: Updated auth log 'ldap_2\harini': User authentication with no token failed: user not found
2024-12-20T02:54:42.855516-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: User-Name: ldap_2\harini (from request)
2024-12-20T05:36:39.033396-08:00 FortiAuthenticator radiusd[19006]: (8) User-Name = "ldap_2\\harini"
2024-12-20T05:36:39.035655-08:00 FortiAuthenticator radiusd[19006]: User-Name = "ldap_2\\harini"
2024-12-20T05:36:39.035841-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: ===>Username:ldap_2\harini
2024-12-20T05:36:39.043728-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Input raw_username: ldap_2\harini Realm: ldap_2 username: harini
2024-12-20T05:36:39.045665-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Cannot find local user harini
2024-12-20T05:36:39.047432-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: LDAP user found: harini
2024-12-20T05:36:39.047572-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Added Stripped-User-Name with value harini
2024-12-20T05:36:39.076062-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Try to bind with DN: CN=harini,CN=Users,DC=demo,DC=lab
2024-12-20T05:36:39.092056-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Updated auth log 'ldap_2\harini': Remote LDAP user authentication with no token successful


On FortiGate:

get vpn ssl monitor

Index  User           Group        Source IP     Duration  I/O Bytes    Tunnel/Dest IP
0      ldap_2\harini  radius-grp2  10.107.3.131  67        74970/51556  2.2.2.1
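As an added example (this is not part of the article and not a Fortinet tool), the following Python script parses radiusd facauth debug lines like the ones above, groups them by request id, and reports whether a realm was split off the username and whether the LDAP authentication succeeded. The sample lines are copied from this article's log excerpts; the diagnosis wording is this example's own.

```python
import re
from collections import defaultdict

# Sample radiusd debug lines copied from this article's log excerpts (raw string,
# so the single backslash in ldap_2\harini is kept): request (0) fails, (7)/(8) succeed.
SAMPLE_LOG = r"""
2024-12-20T05:30:52.010609-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: Input raw_username: (null) Realm: (null) username: nse8-user1
2024-12-20T05:30:52.025749-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: Try to bind with DN: CN=nse8-user1,CN=Users,DC=dxb-nse8,DC=lab
2024-12-20T05:30:52.038868-08:00 FortiAuthenticator radiusd[19006]: (7) facauth: Updated auth log 'nse8-user1': Remote LDAP user authentication with no token successful
2024-12-20T02:54:42.834936-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: Input raw_username: (null) Realm: (null) username: ldap_2\harini
2024-12-20T02:54:42.852847-08:00 FortiAuthenticator radiusd[19006]: (0) facauth: Updated auth log 'ldap_2\harini': User authentication with no token failed: user not found
2024-12-20T05:36:39.043728-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Input raw_username: ldap_2\harini Realm: ldap_2 username: harini
2024-12-20T05:36:39.076062-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Try to bind with DN: CN=harini,CN=Users,DC=demo,DC=lab
2024-12-20T05:36:39.092056-08:00 FortiAuthenticator radiusd[19006]: (8) facauth: Updated auth log 'ldap_2\harini': Remote LDAP user authentication with no token successful
"""

# Only lines with a "(N) facauth:" request id matter; bare "User-Name = ..." lines are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ radiusd\[\d+\]: \((?P<req>\d+)\) facauth: (?P<msg>.*)$")
INPUT_RE = re.compile(r"Input raw_username: (?P<raw>\S+) Realm: (?P<realm>\S+) username: (?P<user>\S+)")
BIND_RE = re.compile(r"Try to bind with DN: (?P<dn>.+)$")
RESULT_RE = re.compile(r"Updated auth log '[^']+': (?P<result>.+)$")


def parse_radius_debug(text):
    """Group facauth lines by request id; extract realm, user, bind DN and outcome."""
    requests = defaultdict(dict)
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        req, msg = requests[int(m["req"])], m["msg"]
        if im := INPUT_RE.search(msg):
            # "(null)" is how facauth logs an absent raw username or realm
            req["raw_username"] = None if im["raw"] == "(null)" else im["raw"]
            req["realm"] = None if im["realm"] == "(null)" else im["realm"]
            req["username"] = im["user"]
        elif bm := BIND_RE.search(msg):
            req["bind_dn"] = bm["dn"]  # shows which LDAP directory the realm routed to
        elif rm := RESULT_RE.search(msg):
            req["result"] = rm["result"]
            req["success"] = rm["result"].endswith("successful")
    return dict(requests)


def diagnose(req):
    """One-line verdict per request, flagging the realm\\user case from the Note above."""
    if req.get("success"):
        return "ok"
    if req.get("realm") is None and "\\" in req.get("username", ""):
        # No realm was split off, so the literal "realm\user" string was looked up and not found.
        return "realm not parsed from username: check the username format in the RADIUS policy"
    return "failed: " + req.get("result", "no result logged")
```

Run the parser over a longer debug capture to spot users who typed the wrong username format before they open a ticket.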

 

Related articles:

Technical Tip: Username format used to connect to the SSL VPN when two LDAP servers are configured o...
Technical Tip: How to allow an LDAP user to change password at first logon or renew an expired passw...