Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
dbu
Staff
Staff

Created on ‎08-04-2023 01:50 AM Edited on ‎06-27-2024 08:56 AM By Staff

Article Id 267511

Technical Tip: Realm-based authentication with local and remote users

Description This article describes RADIUS realms and how to use multiple realms to authenticate users from multiple identity sources.
Scope Any supported version of FortiAuthenticator with local users and remote LDAP and RADIUS users.
Solution

For more information about FortiAuthenticator realms, see the documentation.

 

Authentication realms are created by going to Authentication -> User Management -> Realms.

Note: the name defined here is the realm that needs to be appended to the username when authenticating.

 

realm1.PNG

 

In this example, a RADIUS policy has been configured with multiple realms for authenticating users from a Local database and the remote LDAP and RADIUS servers.


realm3.PNG

 

Intended authentication objectives for this policy:

  • Users without a realm appended to the username are authenticated against the default realm named 'local' created for the local users (in the internal database).
  • Users with realm 'testlab.com' appended to the username are authenticated against the Active Directory 'LDAP'.
  • Users with realm 'radiusrealm' appended to the username are authenticated against the Radius server 'Remote_RADIUS_Server'.

 

There are three types of username format that can be used:

  • username@realm.
  • realm\username.
  • realm/username.

 

In this example, the format 'username@realm' is configured to be used on the policy.

 

realm2.PNG

 

Realms will be matched from top to bottom.

 

Username used:

  • admin: this will match the local realm. An attempt will be made to authenticate it against the local database because the realm is not specified.
  • admin@testlab.com: this will be authenticated against the remote 'LDAP' server because the 'testlab.com' realm is specified.
  • admin@radiusrealm: this will be authenticated against the remote 'Remote_RADIUS_Server' server because the 'radiusrealm' realm is specified.

Related article (explains the "Filter" button of the screenshot):
Technical tip: How to fix 'user not filtered by groups' error
1417
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.