Solution
There are cases where remote users who were never imported into FortiAuthenticator are still able to log in. FortiAuthenticator provides an option that allows only imported users to authenticate against a remote authentication server.

Go to Authentication -> User Management -> Realms and enable 'Restrict authentication to imported user account only' (disabled by default).
When the 'test5' account has not been imported, the debug output differs as follows depending on whether the option is disabled or enabled:

Case 1: 'Restrict authentication to imported user accounts only' disabled:
2025-01-20T21:50:12.009894-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Try to search user by: (&(objectClass=person)(sAMAccountName=test5))
2025-01-20T21:50:12.013245-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Entry #1: CN=test5,CN=Users,DC=jiyong,DC=com
2025-01-20T21:50:12.013411-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Found samAccountName: test5
2025-01-20T21:50:12.013468-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Found userPrincipalName: test5@jiyong.com
2025-01-20T21:50:12.013520-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Remote ldap entry #1: mail not found
2025-01-20T21:50:12.013570-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Found displayName: test5
2025-01-20T21:50:12.013620-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Found objectGUID: No8nc8RdmU6ALQg1XagssA==
2025-01-20T21:50:12.013670-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Remote ldap entry #1: mS-DS-ConsistencyGuid not found
2025-01-20T21:50:12.013838-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: LDAP user found: test5
2025-01-20T21:50:12.013924-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2025-01-20T21:50:12.014002-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Policy [fido_auth_opt: disabled, twofactor: password only, no_fido: two factor, revoked: reject]
2025-01-20T21:50:12.014077-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Decided on [is_fido: false, two_factor: password only, token_type: none]
2025-01-20T21:50:12.014176-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Added Stripped-User-Name with value test5
2025-01-20T21:50:12.014249-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2025-01-20T21:50:12.016276-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Try to bind with DN: CN=test5,CN=Users,DC=jiyong,DC=com
2025-01-20T21:50:12.016461-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: authenticating without user_info_daemon.
2025-01-20T21:50:12.021857-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Binding successful
2025-01-20T21:50:12.022103-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Remote LDAP user password authenticated
2025-01-20T21:50:12.022399-08:00 FortiAuthenticator radiusd[5236]: update_ip_lockout for (10.0.3.225): non-admin login attempt: locking_period=60 locking_reason=2
2025-01-20T21:50:12.022476-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Authentication OK
2025-01-20T21:50:12.022523-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Setting 'Post-Auth-Type := FACAUTH'
2025-01-20T21:50:12.022615-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: update_fac_authlog:161 nas_str = 10.11.0.254~10.0.3.225.
2025-01-20T21:50:12.024623-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Updated auth log 'test5' for attempt from 10.11.0.254~10.0.3.225: Remote LDAP user authentication from 10.0.3.225 with no token successful
2025-01-20T21:50:12.026303-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: facauth: print reply attributes of request id 6:
2025-01-20T21:50:12.026440-08:00 FortiAuthenticator radiusd[5236]: Message-Authenticator := 0x00
2025-01-20T21:50:12.026509-08:00 FortiAuthenticator radiusd[5236]: (0) [facauth] = ok
2025-01-20T21:50:12.026569-08:00 FortiAuthenticator radiusd[5236]: (0) } # Auth-Type FACAUTH = ok
2025-01-20T21:50:12.026643-08:00 FortiAuthenticator radiusd[5236]: (0) Using Post-Auth-Type FACAUTH
2025-01-20T21:50:12.026711-08:00 FortiAuthenticator radiusd[5236]: (0) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-01-20T21:50:12.026984-08:00 FortiAuthenticator radiusd[5236]: (0) Post-Auth-Type FACAUTH {
2025-01-20T21:50:12.027067-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: User-Name: test5 (from request)
2025-01-20T21:50:12.027434-08:00 FortiAuthenticator radiusd[5236]: (0) [facauth] = ok
2025-01-20T21:50:12.027708-08:00 FortiAuthenticator radiusd[5236]: (0) } # Post-Auth-Type FACAUTH = ok
2025-01-20T21:50:12.027869-08:00 FortiAuthenticator radiusd[5236]: (0) Sent Access-Accept Id 6 from 10.11.0.10:1812 to 10.11.0.254:5970 length 38
2025-01-20T21:50:12.027961-08:00 FortiAuthenticator radiusd[5236]: (0) Message-Authenticator := 0x00
2025-01-20T21:50:12.028329-08:00 FortiAuthenticator radiusd[5236]: (0) Finished request
2025-01-20T21:50:12.028443-08:00 FortiAuthenticator radiusd[5236]: Thread 5 waiting to be assigned a request
2025-01-20T21:50:12.323609-08:00 FortiAuthenticator radiusd[5236]: Waking up in 29.7 seconds.
Case 2: 'Restrict authentication to imported user accounts only' enabled:
2025-01-20T23:56:38.098339-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Try to search user by: (&(objectClass=person)(sAMAccountName=test5))
2025-01-20T23:56:38.098381-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: ldap search cache hit:
2025-01-20T23:56:38.098400-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Entry[1]: There are 6 attributes. DN: CN=test5,CN=Users,DC=jiyong,DC=com
2025-01-20T23:56:38.098417-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute name: userPrincipalName
2025-01-20T23:56:38.098433-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: test5@jiyong.com
2025-01-20T23:56:38.098831-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute name: sAMAccountName
2025-01-20T23:56:38.098865-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: test5
2025-01-20T23:56:38.098884-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute name: objectGUID
2025-01-20T23:56:38.098900-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: No8nc8RdmU6ALQg1XagssA==
2025-01-20T23:56:38.098916-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute name: displayName
2025-01-20T23:56:38.098931-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: test5
2025-01-20T23:56:38.098948-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute name: distinguishedName
2025-01-20T23:56:38.098965-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: CN=test5,CN=Users,DC=jiyong,DC=com
2025-01-20T23:56:38.098981-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute name: objectClass
2025-01-20T23:56:38.098997-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: top
2025-01-20T23:56:38.099014-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: person
2025-01-20T23:56:38.099349-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: organizationalPerson
2025-01-20T23:56:38.099377-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Attribute value: user
2025-01-20T23:56:38.099395-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Entry #1: CN=test5,CN=Users,DC=jiyong,DC=com
2025-01-20T23:56:38.099414-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Found samAccountName: test5
2025-01-20T23:56:38.099430-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Found userPrincipalName: test5@jiyong.com
2025-01-20T23:56:38.099447-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Remote ldap entry #1: mail not found
2025-01-20T23:56:38.099463-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Found displayName: test5
2025-01-20T23:56:38.099481-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Found objectGUID: No8nc8RdmU6ALQg1XagssA==
2025-01-20T23:56:38.099497-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Remote ldap entry #1: mS-DS-ConsistencyGuid not found
2025-01-20T23:56:38.099521-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: ERROR: We only support imported user, but user ('test5') cannot be found in DB
2025-01-20T23:56:38.099558-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: user: test5 not found, update user and ip lockout with ip: 10.0.3.225
2025-01-20T23:56:38.099877-08:00 FortiAuthenticator radiusd[4009]: update_user_lockout: fail_count=0 locking_period=-1 locking_reason=-1
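As an added example (not part of the Fortinet article or product), the following Python script splits a run-together radiusd debug dump into entries and reports, per RADIUS request id, whether the user was accepted or rejected because the account was not imported. The entry layout and the sample lines are taken from the two dumps above; the regular expressions are assumptions based on that layout.

```python
import re

# One radiusd debug entry in the layout of the dumps above (regexes are assumptions about that layout).
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+)\s+FortiAuthenticator\s+radiusd\[(?P<pid>\d+)\]:\s*"
    r"(?:\((?P<req>\d+)\)\s*)?(?P<msg>.*)$", re.S)
# A new entry starts wherever a timestamp is followed by the daemon name.
SPLIT_RE = re.compile(
    r"\s+(?=\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{2}:\d{2}\s+FortiAuthenticator\s+radiusd)")
# Client address as it appears in the accept path and in the reject path respectively.
CLIENT_RE = re.compile(r"(?:authentication from|with ip:) (\d+(?:\.\d+){3})")

def split_entries(blob):
    """Break a run-together debug dump into one string per log entry."""
    return [e for e in SPLIT_RE.split(blob.strip()) if e]

def triage(blob):
    """Summarise each RADIUS request id: user, LDAP DN, client IP, outcome and reason."""
    requests = {}
    for raw in split_entries(blob):
        m = ENTRY_RE.match(raw)
        if not m or m.group("req") is None:
            continue  # thread housekeeping lines carry no request id
        rec = requests.setdefault(m.group("req"), {"user": None, "dn": None, "client": None,
                                                   "outcome": "pending", "reason": None})
        msg = m.group("msg")
        if (u := re.search(r"Found samAccountName: (\S+)", msg)):
            rec["user"] = u.group(1)
        elif (d := re.search(r"Entry #\d+: (CN=.*)$", msg)):
            rec["dn"] = d.group(1)
        elif "ERROR: We only support imported user" in msg:
            # The rejection this article is about: LDAP knows the user, the local DB has no import.
            rec["outcome"], rec["reason"] = "reject", "not imported (restriction enabled)"
        elif msg.startswith("facauth: Authentication OK"):
            rec["outcome"], rec["reason"] = "accept", "remote LDAP password accepted"
        if (c := CLIENT_RE.search(msg)):
            rec["client"] = c.group(1)
    return requests

# Representative entries copied from the two dumps on this page, run together as extracted.
CASE1 = ("2025-01-20T21:50:12.013245-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Entry #1: CN=test5,CN=Users,DC=jiyong,DC=com "
         "2025-01-20T21:50:12.013411-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Found samAccountName: test5 "
         "2025-01-20T21:50:12.022476-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Authentication OK "
         "2025-01-20T21:50:12.024623-08:00 FortiAuthenticator radiusd[5236]: (0) facauth: Updated auth log 'test5' for attempt from 10.11.0.254~10.0.3.225: Remote LDAP user authentication from 10.0.3.225 with no token successful "
         "2025-01-20T21:50:12.028443-08:00 FortiAuthenticator radiusd[5236]: Thread 5 waiting to be assigned a request")
CASE2 = ("2025-01-20T23:56:38.099395-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Entry #1: CN=test5,CN=Users,DC=jiyong,DC=com "
         "2025-01-20T23:56:38.099414-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: Found samAccountName: test5 "
         "2025-01-20T23:56:38.099521-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: ERROR: We only support imported user, but user ('test5') cannot be found in DB "
         "2025-01-20T23:56:38.099558-08:00 FortiAuthenticator radiusd[4009]: (1) facauth: user: test5 not found, update user and ip lockout with ip: 10.0.3.225 "
         "2025-01-20T23:56:38.099877-08:00 FortiAuthenticator radiusd[4009]: update_user_lockout: fail_count=0 locking_period=-1 locking_reason=-1")
```

Paste a full dump into `triage()` to see, per request, whether a rejection came from the imported-user restriction rather than from a bad password or lockout.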