matanaskovic
Staff
Article Id 240524

Description

This article describes how to configure FortiAuthenticator so that a remote LDAP administrator can log in to the FortiAuthenticator GUI using a FortiToken Mobile code as the second factor (two-factor authentication).

Scope

FortiAuthenticator 6.4, FortiToken Mobile.

Solution

1) Ensure the remote LDAP administrator exists in the FortiAuthenticator user database.

2) Ensure the user has full Administrator permissions:

3) Create a realm that refers to the remote authentication server. FortiAuthenticator will authenticate the remote LDAP administrator against the 'ldap_ad' realm, which in this example refers to a Windows Server 2019 LDAP server.

4) Navigate to System -> Administration -> System Access and select the realm created in the previous step (ldap_ad). FortiAuthenticator checks this realm when the remote LDAP administrator tries to log in.

5) Apply a group filter so that only members of the 'TAC_GRP' group can access the FortiAuthenticator GUI. Here, the LDAP administrator 'matanaskovic' is a member of the 'TAC_GRP' user group on FortiAuthenticator.

6) Test a remote LDAP login to the FortiAuthenticator GUI with the administrator account.

The user logs in to the FortiAuthenticator GUI successfully. To verify, navigate to Logging -> Log Access -> Logs, and open https://fac-ip-or-fqdn/debug/radius for detailed RADIUS authentication logs.

Debug RADIUS output. The GUI login is processed as a loopback RADIUS request (NAS 127.0.0.1, NAS-Identifier 'FAC_GUI'): request (39) verifies the LDAP password and ends with an Access-Challenge for the token code, and request (40) carries the token response and ends with Access-Accept:

2022-12-21T16:43:07.655615+01:00 FortiAuthenticator radiusd[1340]: (39) Received Access-Request Id 187 from 127.0.0.1:46983 to 127.0.0.1:1812 length 92
2022-12-21T16:43:07.655671+01:00 FortiAuthenticator radiusd[1340]: (39) User-Name = "matanaskovic"
2022-12-21T16:43:07.655683+01:00 FortiAuthenticator radiusd[1340]: (39) Gandalf-Calling-Line-ID-1 = "10.5.63.254"
2022-12-21T16:43:07.655704+01:00 FortiAuthenticator radiusd[1340]: (39) NAS-IP-Address = 127.0.0.1
2022-12-21T16:43:07.655742+01:00 FortiAuthenticator radiusd[1340]: (39) NAS-Port = 20
2022-12-21T16:43:07.655752+01:00 FortiAuthenticator radiusd[1340]: (39) NAS-Identifier = "FAC_GUI"
2022-12-21T16:43:07.655761+01:00 FortiAuthenticator radiusd[1340]: (39) User-Password: ******
2022-12-21T16:43:07.655819+01:00 FortiAuthenticator radiusd[1340]: (39) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:07.656491+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: ===>NAS IP:127.0.0.1
2022-12-21T16:43:07.656529+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: ===>Username:matanaskovic
2022-12-21T16:43:07.656549+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: ===>Timestamp:1671637387.653188, age:3ms
2022-12-21T16:43:07.656622+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Setting 'Auth-Type := FACAUTH'
2022-12-21T16:43:07.656708+01:00 FortiAuthenticator radiusd[1340]: Not doing PAP as Auth-Type is already set.
2022-12-21T16:43:07.656735+01:00 FortiAuthenticator radiusd[1340]: (39) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:07.656800+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Client type: login portal (subtype: default)
2022-12-21T16:43:07.656811+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Input raw_username: (null) Realm: (null) username: matanaskovic
2022-12-21T16:43:07.656851+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Determined realm is: ldap_ad.
2022-12-21T16:43:07.656865+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Realm ldap_ad goes to remote LDAP, id: 1
2022-12-21T16:43:07.660216+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: LDAP user found: matanaskovic
2022-12-21T16:43:07.660309+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2022-12-21T16:43:07.660385+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: invalid, revoked: invalid]
2022-12-21T16:43:07.660455+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: Fortitoken]
2022-12-21T16:43:07.660523+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Info: Admin matanaskovic login access from 10.5.63.254.
2022-12-21T16:43:07.670635+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Try to bind with DN: CN=matanaskovic matanaskovic,OU=TAC,DC=forti,DC=lab
2022-12-21T16:43:07.675073+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Remote LDAP user password authenticated
2022-12-21T16:43:07.675206+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Partial auth done, challenge for token code
2022-12-21T16:43:07.675414+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Initiate push_auth for matanaskovic @ ldap_ad
2022-12-21T16:43:07.702299+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: initiate_push_auth done: session_id=e8aad52458744bcc98e70fc2f4cdd7bf
2022-12-21T16:43:07.702396+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Sending Access-Challenge.
2022-12-21T16:43:07.702559+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Updated auth log 'matanaskovic': Remote LDAP administrator authentication partially done, expecting FortiToken
2022-12-21T16:43:07.702770+01:00 FortiAuthenticator radiusd[1340]: (39) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:07.702802+01:00 FortiAuthenticator radiusd[1340]: (39) Sent Access-Challenge Id 187 from 127.0.0.1:1812 to 127.0.0.1:46983 length 0
2022-12-21T16:43:07.702832+01:00 FortiAuthenticator radiusd[1340]: (39) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 flag:admin"
2022-12-21T16:43:07.702852+01:00 FortiAuthenticator radiusd[1340]: (39) User-Name = "id=1:matanaskovic;DN:CN=matanaskovic matanaskovic,OU=TAC,DC=forti,DC=lab"
2022-12-21T16:43:07.702882+01:00 FortiAuthenticator radiusd[1340]: (39) Reply-Message = "+Enter token code or no code to send a notification to your FortiToken Mobile"
2022-12-21T16:43:07.702896+01:00 FortiAuthenticator radiusd[1340]: (39) Gandalf-Hunt-Group = "e8aad52458744bcc98e70fc2f4cdd7bf"
2022-12-21T16:43:07.702911+01:00 FortiAuthenticator radiusd[1340]: (39) Fortinet-FAC-Challenge-Code = "001"
2022-12-21T16:43:07.705675+01:00 FortiAuthenticator radiusd[1340]: (39) State = 0x31
2022-12-21T16:43:08.322012+01:00 FortiAuthenticator radiusd[1340]: Waking up in 29.3 seconds.
2022-12-21T16:43:11.325280+01:00 FortiAuthenticator radiusd[1340]: Waking up in 0.6 seconds.
2022-12-21T16:43:11.327348+01:00 FortiAuthenticator radiusd[1340]: (40) Received Access-Request Id 177 from 127.0.0.1:51905 to 127.0.0.1:1812 length 76
2022-12-21T16:43:11.327374+01:00 FortiAuthenticator radiusd[1340]: (40) User-Name = "matanaskovic"
2022-12-21T16:43:11.327403+01:00 FortiAuthenticator radiusd[1340]: (40) NAS-IP-Address = 127.0.0.1
2022-12-21T16:43:11.327430+01:00 FortiAuthenticator radiusd[1340]: (40) NAS-Port = 20
2022-12-21T16:43:11.327440+01:00 FortiAuthenticator radiusd[1340]: (40) State = 0x31
2022-12-21T16:43:11.327449+01:00 FortiAuthenticator radiusd[1340]: (40) NAS-Identifier = "FAC_GUI"
2022-12-21T16:43:11.327457+01:00 FortiAuthenticator radiusd[1340]: (40) User-Password: ******
2022-12-21T16:43:11.327501+01:00 FortiAuthenticator radiusd[1340]: (40) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:11.327869+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: ===>NAS IP:127.0.0.1
2022-12-21T16:43:11.327887+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: ===>Username:matanaskovic
2022-12-21T16:43:11.327912+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: ===>Timestamp:1671637391.325029, age:2ms
2022-12-21T16:43:11.327929+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Setting 'Auth-Type := FACAUTH'
2022-12-21T16:43:11.327955+01:00 FortiAuthenticator radiusd[1340]: Not doing PAP as Auth-Type is already set.
2022-12-21T16:43:11.327984+01:00 FortiAuthenticator radiusd[1340]: (40) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:11.328000+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: This is a response to Access-Challenge
2022-12-21T16:43:11.328013+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Partial auth user found
2022-12-21T16:43:11.328036+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Successfully found partially authenticated user instance.
2022-12-21T16:43:11.329499+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Check push_auth for FTK-Mobile client
2022-12-21T16:43:11.330672+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Sending request: [1][32][e8aad52458744bcc98e70fc2f4cdd7bf]
2022-12-21T16:43:11.371973+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: check_push_auth done: auth_result=0
2022-12-21T16:43:11.415124+01:00 FortiAuthenticator radiusd[1340]: Update lastgood/drift successful
2022-12-21T16:43:11.415865+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Authentication OK
2022-12-21T16:43:11.415905+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Setting 'Post-Auth-Type := FACAUTH'
2022-12-21T16:43:11.416099+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Updated auth log 'matanaskovic': Remote LDAP administrator authentication with FortiToken successful
2022-12-21T16:43:11.416319+01:00 FortiAuthenticator radiusd[1340]: (40) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:11.416360+01:00 FortiAuthenticator radiusd[1340]: (40) Sent Access-Accept Id 177 from 127.0.0.1:1812 to 127.0.0.1:51905 length 0
2022-12-21T16:43:11.416384+01:00 FortiAuthenticator radiusd[1340]: (40) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 realm_id:4 flag:admin"
2022-12-21T16:43:11.416398+01:00 FortiAuthenticator radiusd[1340]: (40) User-Name = "id=1:matanaskovic;DN:CN=matanaskovic matanaskovic,OU=TAC,DC=forti,DC=lab"
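The two-request flow above (password check, Access-Challenge, token response, Access-Accept) is what a defender should expect to see for every remote administrator login. The following script is an added example, not Fortinet code: it folds radiusd debug lines of the format shown in this article into one record per RADIUS request, pairs a challenge with its response via the user name and the RADIUS State attribute, and flags any admin-flagged Access-Accept that was not preceded by a token challenge. The sample input is constructed: requests (39) and (40) are condensed from the log above, while request (41), the user 'auditor' and its Fortinet-FAC-Auth-Status value are invented solely to show what a password-only admin acceptance looks like. The message strings it matches are the ones visible in this article's log; other FortiAuthenticator versions may word them differently.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. Requests (39) and (40) are condensed from the
# article's debug log; request (41) is a constructed admin login accepted
# without a token challenge, included only to show what gets flagged.
SAMPLE_LOG = """\
2022-12-21T16:43:07.655615+01:00 FortiAuthenticator radiusd[1340]: (39) Received Access-Request Id 187 from 127.0.0.1:46983 to 127.0.0.1:1812 length 92
2022-12-21T16:43:07.655671+01:00 FortiAuthenticator radiusd[1340]: (39) User-Name = "matanaskovic"
2022-12-21T16:43:07.656851+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Determined realm is: ldap_ad.
2022-12-21T16:43:07.702802+01:00 FortiAuthenticator radiusd[1340]: (39) Sent Access-Challenge Id 187 from 127.0.0.1:1812 to 127.0.0.1:46983 length 0
2022-12-21T16:43:07.702832+01:00 FortiAuthenticator radiusd[1340]: (39) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 flag:admin"
2022-12-21T16:43:07.705675+01:00 FortiAuthenticator radiusd[1340]: (39) State = 0x31
2022-12-21T16:43:08.322012+01:00 FortiAuthenticator radiusd[1340]: Waking up in 29.3 seconds.
2022-12-21T16:43:11.327348+01:00 FortiAuthenticator radiusd[1340]: (40) Received Access-Request Id 177 from 127.0.0.1:51905 to 127.0.0.1:1812 length 76
2022-12-21T16:43:11.327374+01:00 FortiAuthenticator radiusd[1340]: (40) User-Name = "matanaskovic"
2022-12-21T16:43:11.327440+01:00 FortiAuthenticator radiusd[1340]: (40) State = 0x31
2022-12-21T16:43:11.328000+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: This is a response to Access-Challenge
2022-12-21T16:43:11.415865+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Authentication OK
2022-12-21T16:43:11.416360+01:00 FortiAuthenticator radiusd[1340]: (40) Sent Access-Accept Id 177 from 127.0.0.1:1812 to 127.0.0.1:51905 length 0
2022-12-21T16:43:11.416384+01:00 FortiAuthenticator radiusd[1340]: (40) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 realm_id:4 flag:admin"
2022-12-21T16:50:02.100000+01:00 FortiAuthenticator radiusd[1340]: (41) Received Access-Request Id 190 from 127.0.0.1:46990 to 127.0.0.1:1812 length 76
2022-12-21T16:50:02.100100+01:00 FortiAuthenticator radiusd[1340]: (41) User-Name = "auditor"
2022-12-21T16:50:02.100500+01:00 FortiAuthenticator radiusd[1340]: (41) facauth: Authentication OK
2022-12-21T16:50:02.100700+01:00 FortiAuthenticator radiusd[1340]: (41) Sent Access-Accept Id 190 from 127.0.0.1:1812 to 127.0.0.1:46990 length 0
2022-12-21T16:50:02.100800+01:00 FortiAuthenticator radiusd[1340]: (41) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:68 flag:admin"
"""

# Only lines carrying a "(NN)" request number belong to a request; daemon
# housekeeping lines such as "Waking up in ..." do not and are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ radiusd\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")


@dataclass
class RadiusRequest:
    req: int
    username: Optional[str] = None
    realm: Optional[str] = None
    state: Optional[str] = None       # RADIUS State attribute tying challenge to response
    is_admin: bool = False            # "flag:admin" seen in Fortinet-FAC-Auth-Status
    challenge_response: bool = False  # daemon says this request answers a challenge
    outcome: Optional[str] = None     # Access-Challenge / Access-Accept / Access-Reject


def parse_radius_log(text: str) -> dict[int, RadiusRequest]:
    """Fold the per-line debug output into one record per RADIUS request."""
    requests: dict[int, RadiusRequest] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = requests.setdefault(int(m["req"]), RadiusRequest(req=int(m["req"])))
        msg = m["msg"]
        if msg.startswith("User-Name = ") and r.username is None:
            r.username = msg.split('"')[1]  # first User-Name is the bare login name
        elif msg.startswith("State = "):
            r.state = msg.split("= ", 1)[1]
        elif msg.startswith("Fortinet-FAC-Auth-Status = "):
            r.is_admin = "flag:admin" in msg
        elif msg.startswith("facauth: Determined realm is: "):
            r.realm = msg.rsplit(": ", 1)[1].rstrip(".")
        elif msg == "facauth: This is a response to Access-Challenge":
            r.challenge_response = True
        elif msg.startswith("Sent Access-"):
            r.outcome = msg.split()[1]
    return requests


def find_challenge(requests: dict[int, RadiusRequest], accept: RadiusRequest) -> Optional[int]:
    """Id of the earlier Access-Challenge this accept answered, matched on user and State."""
    hits = [r.req for r in requests.values()
            if r.req < accept.req and r.outcome == "Access-Challenge"
            and r.username == accept.username and r.state == accept.state]
    return max(hits) if hits else None


def audit_admin_logins(requests: dict[int, RadiusRequest]) -> list[tuple[int, str, str, Optional[int]]]:
    """Classify every admin-flagged request as (req, user, verdict, answered challenge id)."""
    findings = []
    for r in sorted(requests.values(), key=lambda x: x.req):
        if not r.is_admin:
            continue
        linked = find_challenge(requests, r) if r.outcome == "Access-Accept" else None
        if r.outcome == "Access-Challenge":
            verdict = "challenge-pending"       # password step done, token still expected
        elif r.outcome == "Access-Accept" and r.challenge_response:
            verdict = "two-factor-ok"
        elif r.outcome == "Access-Accept":
            verdict = "SINGLE-FACTOR-ACCEPT"    # admin accepted with no token challenge
        else:
            verdict = r.outcome or "incomplete"
        findings.append((r.req, r.username or "?", verdict, linked))
    return findings


if __name__ == "__main__":
    for finding in audit_admin_logins(parse_radius_log(SAMPLE_LOG)):
        print(*finding)
```

Run against a saved copy of the /debug/radius page, the script reports 'challenge-pending' for request (39), 'two-factor-ok' for request (40) linked back to (39), and flags the constructed request (41) as 'SINGLE-FACTOR-ACCEPT'. The pairing relies on the State attribute (0x31 here) being echoed in the challenge response, which is how the daemon itself locates the partially authenticated user.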

Related articles:

- https://docs.fortinet.com/document/fortiauthenticator/6.4.6/administration-guide/485114

- https://docs.fortinet.com/document/fortiauthenticator/6.4.6/administration-guide/578768/system-acces...

- https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-configure-multiple-domains...