FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
dbu (Staff)
Article Id 267511
Description This article describes RADIUS realms and how to use multiple realms to authenticate users from multiple identity sources.
Scope Any supported version of FortiAuthenticator with local users and remote LDAP and RADIUS users.
Solution

For more information about FortiAuthenticator realms, see the documentation.

 

Authentication realms are created by going to Authentication -> User Management -> Realms.

Note: the name defined here is the realm string that users must include in their username, in the username format selected on the RADIUS policy, to be routed to this identity source.

 

[Screenshot realm1.PNG: realm creation under Authentication -> User Management -> Realms]

 

In this example, a RADIUS policy has been configured with multiple realms for authenticating users from a Local database and from remote LDAP and RADIUS servers.


[Screenshot realm3.PNG: RADIUS policy with the 'local', 'testlab.com' and 'radiusrealm' realms]

 

Intended authentication objectives for this policy:

  • Users without a realm in the username are authenticated against the default realm named 'local', which was created for the local users in the internal database.
  • Users with the realm 'testlab.com' appended to the username are authenticated against the Active Directory server 'LDAP'.
  • Users with the realm 'radiusrealm' appended to the username are authenticated against the remote RADIUS server 'Remote_RADIUS_Server'.

 

There are three types of username format that can be used:

  • username@realm
  • realm\username
  • realm/username

 

In this example, the format 'username@realm' is configured to be used on the policy.

 

[Screenshot realm2.PNG: username format 'username@realm' selected on the RADIUS policy]

 

Realms in the policy are evaluated from top to bottom: the first realm whose name matches the realm part of the username is used, and a username with no realm part falls through to the realm marked as default. Only the one username format selected on the policy is parsed, so a realm supplied in a different format is not recognised as a realm.

 

Username used:

  • admin: no realm is present, so the username falls to the default realm 'local' and is authenticated against the internal database.
  • admin@testlab.com: the realm 'testlab.com' is present, so the user 'admin' is authenticated against the remote 'LDAP' server.
  • admin@radiusrealm: the realm 'radiusrealm' is present, so the user 'admin' is authenticated against the remote 'Remote_RADIUS_Server' server.
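
The matching rules above (one configured username format, realms evaluated top to bottom, a default realm for realm-less usernames), written out as a small Python model so the three logins from this example and a few edge cases can be traced. This is an added illustration, not FortiAuthenticator code: the realm and server names are the ones from this article, the `Realm`/`RadiusPolicy` classes are invented for the model, and two behaviours are modelling assumptions rather than documented appliance behaviour: a realm that is not in the policy is rejected, and realm names are compared exactly (case handling is not covered by the article). Verify both on the appliance before relying on them.

```python
"""Illustrative model of realm matching in a FortiAuthenticator RADIUS policy.

Added example, not FortiAuthenticator's own code. It reproduces the rules the
article describes: one username format per policy, realms tried top to bottom,
a default realm for usernames that carry no realm.
Assumptions (not documented appliance behaviour): an unknown realm is rejected,
and realm names are compared exactly.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The three username formats a RADIUS policy can be configured with.
FORMATS = ("username@realm", "realm\\username", "realm/username")


@dataclass(frozen=True)
class Realm:
    name: str            # realm string the user includes in the login
    backend: str         # identity source this realm authenticates against
    default: bool = False  # used when the login carries no realm part


@dataclass
class RadiusPolicy:
    username_format: str
    realms: list[Realm]  # ordered top to bottom, as on the policy page

    def __post_init__(self) -> None:
        if self.username_format not in FORMATS:
            raise ValueError(f"unsupported username format: {self.username_format!r}")
        if sum(r.default for r in self.realms) != 1:
            raise ValueError("exactly one realm must be marked as default")

    def split(self, login: str) -> tuple[str, Optional[str]]:
        """Return (username, realm) parsed with the configured format only.

        A login without the format's separator has no realm part; a separator
        belonging to one of the other two formats is left inside the username.
        """
        if self.username_format == "username@realm":
            if "@" not in login:
                return login, None
            user, _, realm = login.rpartition("@")  # realm = text after last '@'
            return user, realm
        sep = "\\" if self.username_format == "realm\\username" else "/"
        if sep not in login:
            return login, None
        realm, _, user = login.partition(sep)  # realm = text before first separator
        return user, realm

    def resolve(self, login: str) -> Optional[tuple[str, str]]:
        """Return (username, backend) for the matching realm, or None to reject."""
        user, realm = self.split(login)
        if realm is None:
            default = next(r for r in self.realms if r.default)
            return user, default.backend
        for r in self.realms:  # top to bottom, first match wins
            if r.name == realm:  # exact comparison: modelling assumption
                return user, r.backend
        return None  # unknown realm -> reject: modelling assumption


# The policy from the article: 'local' is the default realm.
POLICY = RadiusPolicy(
    username_format="username@realm",
    realms=[
        Realm("local", "Local database", default=True),
        Realm("testlab.com", "LDAP"),
        Realm("radiusrealm", "Remote_RADIUS_Server"),
    ],
)


def trace(policy: RadiusPolicy, logins: list[str]) -> dict[str, Optional[tuple[str, str]]]:
    """Resolve each login and return a login -> result map."""
    return {login: policy.resolve(login) for login in logins}


if __name__ == "__main__":
    # The three logins from the article plus two edge cases (constructed inputs).
    for login, result in trace(
        POLICY,
        ["admin", "admin@testlab.com", "admin@radiusrealm",
         "admin@unknown.example", "testlab.com\\admin"],
    ).items():
        print(f"{login:24} -> {result}")
```

The last two inputs show why the policy's format choice matters: `admin@unknown.example` names a realm the policy does not list and is rejected by the model, while `testlab.com\admin` contains no `@`, so under the `username@realm` format the whole string is treated as a realm-less username and goes to the default 'local' realm, where no such local user is likely to exist.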