Description
This article describes how to configure FortiAuthenticator so a remote LDAP administrator can log in to the FortiAuthenticator GUI using a mobile FortiToken code as Two-Factor Authentication.
Scope
FortiAuthenticator 6.4, FortiToken Mobile.
Solution
1) Ensure the remote LDAP administrator exists in the FortiAuthenticator user database.
2) Ensure the user has full Administrator permissions on FortiAuthenticator.
3) Create a realm that refers to the remote authentication server. FortiAuthenticator will authenticate the remote LDAP administrator against the 'ldap_ad' realm, which in this example points to a Windows Server 2019 Active Directory LDAP server.
4) Navigate to System -> Administration -> System Access and select the realm created in the previous step ('ldap_ad'). FortiAuthenticator will check this realm when the remote LDAP administrator tries to log in.
5) Use a group filter so that only members of the group 'TAC_GRP' can access the FortiAuthenticator GUI. In this example, the LDAP administrator 'matanaskovic' is a member of the 'TAC_GRP' user group on FortiAuthenticator.
6) Test a remote LDAP login to the FortiAuthenticator GUI using the administrator account.
The user will log in successfully to the FortiAuthenticator GUI. To verify, navigate to Logging -> Log Access -> Logs, or open https://fac-ip-or-fqdn/debug/radius for the detailed RADIUS authentication debug output.
RADIUS debug output. The GUI login is processed as a local RADIUS exchange (NAS-Identifier 'FAC_GUI', 127.0.0.1): request (39) binds to LDAP with the password and returns Access-Challenge for the token code, and request (40), which carries the State attribute from that challenge, completes with Access-Accept:
2022-12-21T16:43:07.655615+01:00 FortiAuthenticator radiusd[1340]: (39) Received Access-Request Id 187 from 127.0.0.1:46983 to 127.0.0.1:1812 length 92
2022-12-21T16:43:07.655671+01:00 FortiAuthenticator radiusd[1340]: (39) User-Name = "matanaskovic"
2022-12-21T16:43:07.655683+01:00 FortiAuthenticator radiusd[1340]: (39) Gandalf-Calling-Line-ID-1 = "10.5.63.254"
2022-12-21T16:43:07.655704+01:00 FortiAuthenticator radiusd[1340]: (39) NAS-IP-Address = 127.0.0.1
2022-12-21T16:43:07.655742+01:00 FortiAuthenticator radiusd[1340]: (39) NAS-Port = 20
2022-12-21T16:43:07.655752+01:00 FortiAuthenticator radiusd[1340]: (39) NAS-Identifier = "FAC_GUI"
2022-12-21T16:43:07.655761+01:00 FortiAuthenticator radiusd[1340]: (39) User-Password: ******
2022-12-21T16:43:07.655819+01:00 FortiAuthenticator radiusd[1340]: (39) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:07.656491+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: ===>NAS IP:127.0.0.1
2022-12-21T16:43:07.656529+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: ===>Username:matanaskovic
2022-12-21T16:43:07.656549+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: ===>Timestamp:1671637387.653188, age:3ms
2022-12-21T16:43:07.656622+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Setting 'Auth-Type := FACAUTH'
2022-12-21T16:43:07.656708+01:00 FortiAuthenticator radiusd[1340]: Not doing PAP as Auth-Type is already set.
2022-12-21T16:43:07.656735+01:00 FortiAuthenticator radiusd[1340]: (39) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:07.656800+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Client type: login portal (subtype: default)
2022-12-21T16:43:07.656811+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Input raw_username: (null) Realm: (null) username: matanaskovic
2022-12-21T16:43:07.656851+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Determined realm is: ldap_ad.
2022-12-21T16:43:07.656865+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Realm ldap_ad goes to remote LDAP, id: 1
2022-12-21T16:43:07.660216+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: LDAP user found: matanaskovic
2022-12-21T16:43:07.660309+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2022-12-21T16:43:07.660385+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: invalid, revoked: invalid]
2022-12-21T16:43:07.660455+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: Fortitoken]
2022-12-21T16:43:07.660523+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Info: Admin matanaskovic login access from 10.5.63.254.
2022-12-21T16:43:07.670635+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Try to bind with DN: CN=matanaskovic matanaskovic,OU=TAC,DC=forti,DC=lab
2022-12-21T16:43:07.675073+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Remote LDAP user password authenticated
2022-12-21T16:43:07.675206+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Partial auth done, challenge for token code
2022-12-21T16:43:07.675414+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Initiate push_auth for matanaskovic @ ldap_ad
2022-12-21T16:43:07.702299+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: initiate_push_auth done: session_id=e8aad52458744bcc98e70fc2f4cdd7bf
2022-12-21T16:43:07.702396+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Sending Access-Challenge.
2022-12-21T16:43:07.702559+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Updated auth log 'matanaskovic': Remote LDAP administrator authentication partially done, expecting FortiToken
2022-12-21T16:43:07.702770+01:00 FortiAuthenticator radiusd[1340]: (39) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:07.702802+01:00 FortiAuthenticator radiusd[1340]: (39) Sent Access-Challenge Id 187 from 127.0.0.1:1812 to 127.0.0.1:46983 length 0
2022-12-21T16:43:07.702832+01:00 FortiAuthenticator radiusd[1340]: (39) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 flag:admin"
2022-12-21T16:43:07.702852+01:00 FortiAuthenticator radiusd[1340]: (39) User-Name = "id=1:matanaskovic;DN:CN=matanaskovic matanaskovic,OU=TAC,DC=forti,DC=lab"
2022-12-21T16:43:07.702882+01:00 FortiAuthenticator radiusd[1340]: (39) Reply-Message = "+Enter token code or no code to send a notification to your FortiToken Mobile"
2022-12-21T16:43:07.702896+01:00 FortiAuthenticator radiusd[1340]: (39) Gandalf-Hunt-Group = "e8aad52458744bcc98e70fc2f4cdd7bf"
2022-12-21T16:43:07.702911+01:00 FortiAuthenticator radiusd[1340]: (39) Fortinet-FAC-Challenge-Code = "001"
2022-12-21T16:43:07.705675+01:00 FortiAuthenticator radiusd[1340]: (39) State = 0x31
2022-12-21T16:43:08.322012+01:00 FortiAuthenticator radiusd[1340]: Waking up in 29.3 seconds.
2022-12-21T16:43:11.325280+01:00 FortiAuthenticator radiusd[1340]: Waking up in 0.6 seconds.
2022-12-21T16:43:11.327348+01:00 FortiAuthenticator radiusd[1340]: (40) Received Access-Request Id 177 from 127.0.0.1:51905 to 127.0.0.1:1812 length 76
2022-12-21T16:43:11.327374+01:00 FortiAuthenticator radiusd[1340]: (40) User-Name = "matanaskovic"
2022-12-21T16:43:11.327403+01:00 FortiAuthenticator radiusd[1340]: (40) NAS-IP-Address = 127.0.0.1
2022-12-21T16:43:11.327430+01:00 FortiAuthenticator radiusd[1340]: (40) NAS-Port = 20
2022-12-21T16:43:11.327440+01:00 FortiAuthenticator radiusd[1340]: (40) State = 0x31
2022-12-21T16:43:11.327449+01:00 FortiAuthenticator radiusd[1340]: (40) NAS-Identifier = "FAC_GUI"
2022-12-21T16:43:11.327457+01:00 FortiAuthenticator radiusd[1340]: (40) User-Password: ******
2022-12-21T16:43:11.327501+01:00 FortiAuthenticator radiusd[1340]: (40) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:11.327869+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: ===>NAS IP:127.0.0.1
2022-12-21T16:43:11.327887+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: ===>Username:matanaskovic
2022-12-21T16:43:11.327912+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: ===>Timestamp:1671637391.325029, age:2ms
2022-12-21T16:43:11.327929+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Setting 'Auth-Type := FACAUTH'
2022-12-21T16:43:11.327955+01:00 FortiAuthenticator radiusd[1340]: Not doing PAP as Auth-Type is already set.
2022-12-21T16:43:11.327984+01:00 FortiAuthenticator radiusd[1340]: (40) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:11.328000+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: This is a response to Access-Challenge
2022-12-21T16:43:11.328013+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Partial auth user found
2022-12-21T16:43:11.328036+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Successfully found partially authenticated user instance.
2022-12-21T16:43:11.329499+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Check push_auth for FTK-Mobile client
2022-12-21T16:43:11.330672+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Sending request: [1][32][e8aad52458744bcc98e70fc2f4cdd7bf]
2022-12-21T16:43:11.371973+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: check_push_auth done: auth_result=0
2022-12-21T16:43:11.415124+01:00 FortiAuthenticator radiusd[1340]: Update lastgood/drift successful
2022-12-21T16:43:11.415865+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Authentication OK
2022-12-21T16:43:11.415905+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Setting 'Post-Auth-Type := FACAUTH'
2022-12-21T16:43:11.416099+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Updated auth log 'matanaskovic': Remote LDAP administrator authentication with FortiToken successful
2022-12-21T16:43:11.416319+01:00 FortiAuthenticator radiusd[1340]: (40) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-12-21T16:43:11.416360+01:00 FortiAuthenticator radiusd[1340]: (40) Sent Access-Accept Id 177 from 127.0.0.1:1812 to 127.0.0.1:51905 length 0
2022-12-21T16:43:11.416384+01:00 FortiAuthenticator radiusd[1340]: (40) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 realm_id:4 flag:admin"
2022-12-21T16:43:11.416398+01:00 FortiAuthenticator radiusd[1340]: (40) User-Name = "id=1:matanaskovic;DN:CN=matanaskovic matanaskovic,OU=TAC,DC=forti,DC=lab"
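The two-leg exchange above is what a correctly enforced admin login looks like: the first request ends in Access-Challenge, the second carries State and ends in Access-Accept. The Python script below is an added example, not part of the original article or of FortiAuthenticator: it parses radiusd debug lines of this format and flags any admin Access-Accept (flag:admin in Fortinet-FAC-Auth-Status) that was not a challenge response, which is the signature of a password-only admin login. The sample input is constructed: exchanges 39 and 40 are abridged from the output above, while exchange 41 and the user 'jdoe' are hypothetical and were added only to show what a finding looks like. It assumes every GUI admin login appears in /debug/radius and that the attribute lines before the "Sent ..." line belong to the request and those after it to the reply, as in the output above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. (39) and (40) are abridged from the page's debug output;
# (41) is a hypothetical password-only admin accept that is NOT on the page.
SAMPLE_LOG = """\
2022-12-21T16:43:07.655615+01:00 FortiAuthenticator radiusd[1340]: (39) Received Access-Request Id 187 from 127.0.0.1:46983 to 127.0.0.1:1812 length 92
2022-12-21T16:43:07.655671+01:00 FortiAuthenticator radiusd[1340]: (39) User-Name = "matanaskovic"
2022-12-21T16:43:07.655683+01:00 FortiAuthenticator radiusd[1340]: (39) Gandalf-Calling-Line-ID-1 = "10.5.63.254"
2022-12-21T16:43:07.655761+01:00 FortiAuthenticator radiusd[1340]: (39) User-Password: ******
2022-12-21T16:43:07.656708+01:00 FortiAuthenticator radiusd[1340]: Not doing PAP as Auth-Type is already set.
2022-12-21T16:43:07.702559+01:00 FortiAuthenticator radiusd[1340]: (39) facauth: Updated auth log 'matanaskovic': Remote LDAP administrator authentication partially done, expecting FortiToken
2022-12-21T16:43:07.702802+01:00 FortiAuthenticator radiusd[1340]: (39) Sent Access-Challenge Id 187 from 127.0.0.1:1812 to 127.0.0.1:46983 length 0
2022-12-21T16:43:07.702832+01:00 FortiAuthenticator radiusd[1340]: (39) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 flag:admin"
2022-12-21T16:43:07.702852+01:00 FortiAuthenticator radiusd[1340]: (39) User-Name = "id=1:matanaskovic;DN:CN=matanaskovic matanaskovic,OU=TAC,DC=forti,DC=lab"
2022-12-21T16:43:07.705675+01:00 FortiAuthenticator radiusd[1340]: (39) State = 0x31
2022-12-21T16:43:11.327348+01:00 FortiAuthenticator radiusd[1340]: (40) Received Access-Request Id 177 from 127.0.0.1:51905 to 127.0.0.1:1812 length 76
2022-12-21T16:43:11.327374+01:00 FortiAuthenticator radiusd[1340]: (40) User-Name = "matanaskovic"
2022-12-21T16:43:11.327440+01:00 FortiAuthenticator radiusd[1340]: (40) State = 0x31
2022-12-21T16:43:11.416099+01:00 FortiAuthenticator radiusd[1340]: (40) facauth: Updated auth log 'matanaskovic': Remote LDAP administrator authentication with FortiToken successful
2022-12-21T16:43:11.416360+01:00 FortiAuthenticator radiusd[1340]: (40) Sent Access-Accept Id 177 from 127.0.0.1:1812 to 127.0.0.1:51905 length 0
2022-12-21T16:43:11.416384+01:00 FortiAuthenticator radiusd[1340]: (40) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:67 realm_id:4 flag:admin"
2022-12-21T16:43:20.000000+01:00 FortiAuthenticator radiusd[1340]: (41) Received Access-Request Id 190 from 127.0.0.1:51910 to 127.0.0.1:1812 length 76
2022-12-21T16:43:20.000100+01:00 FortiAuthenticator radiusd[1340]: (41) User-Name = "jdoe"
2022-12-21T16:43:20.000200+01:00 FortiAuthenticator radiusd[1340]: (41) Gandalf-Calling-Line-ID-1 = "10.5.63.77"
2022-12-21T16:43:20.050000+01:00 FortiAuthenticator radiusd[1340]: (41) Sent Access-Accept Id 190 from 127.0.0.1:1812 to 127.0.0.1:51910 length 0
2022-12-21T16:43:20.050100+01:00 FortiAuthenticator radiusd[1340]: (41) Fortinet-FAC-Auth-Status = "srvr:rldap:1 user_id:68 realm_id:4 flag:admin"
"""

# "<timestamp> <host> radiusd[<pid>]: (<request number>) <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ radiusd\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")
ATTR_RE = re.compile(r'^(?P<name>[\w-]+) = "?(?P<val>[^"]*)"?$')
SENT_RE = re.compile(r"^Sent (?P<code>Access-(?:Challenge|Accept|Reject)) Id \d+")
AUTHLOG_RE = re.compile(r"^facauth: Updated auth log '[^']*': (?P<text>.*)$")

@dataclass
class Exchange:
    req: str
    ts: str = ""
    user: Optional[str] = None
    src_ip: Optional[str] = None          # Gandalf-Calling-Line-ID-1 (client address)
    challenge_response: bool = False      # the request itself carried a State attribute
    outcome: Optional[str] = None         # Access-Challenge / Access-Accept / Access-Reject
    admin: bool = False                   # reply carried "flag:admin"
    auth_log: Optional[str] = None        # facauth "Updated auth log" text

def parse_radiusd(text: str) -> list[Exchange]:
    """Group radiusd debug lines by request number into one Exchange each."""
    exchanges: dict[str, Exchange] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a "(N)" prefix, e.g. "Not doing PAP", "Waking up"
        req, msg = m.group("req"), m.group("msg")
        ex = exchanges.setdefault(req, Exchange(req=req, ts=m.group("ts")))
        if (s := SENT_RE.match(msg)):
            ex.outcome = s.group("code")
            continue
        if (a := AUTHLOG_RE.match(msg)):
            ex.auth_log = a.group("text")
            continue
        attr = ATTR_RE.match(msg)
        if not attr:
            continue
        name, val = attr.group("name"), attr.group("val")
        in_request = ex.outcome is None  # attributes before "Sent ..." belong to the request
        if name == "User-Name" and in_request:
            ex.user = val                # the reply rewrites User-Name to "id=...;DN:..."
        elif name == "Gandalf-Calling-Line-ID-1":
            ex.src_ip = val
        elif name == "State" and in_request:
            ex.challenge_response = True  # this request answers an earlier Access-Challenge
        elif name == "Fortinet-FAC-Auth-Status" and "flag:admin" in val:
            ex.admin = True
    return [exchanges[k] for k in sorted(exchanges, key=int)]

def audit_admin_logins(exchanges: list[Exchange]) -> list[str]:
    """Return one finding per admin Access-Accept that was not a challenge response."""
    findings = []
    for ex in exchanges:
        if ex.outcome == "Access-Accept" and ex.admin and not ex.challenge_response:
            findings.append(f"({ex.req}) {ex.ts} admin '{ex.user}' from "
                            f"{ex.src_ip or 'unknown'} accepted without a token challenge")
    return findings

if __name__ == "__main__":
    for finding in audit_admin_logins(parse_radiusd(SAMPLE_LOG)):
        print(finding)
```

Run it against a saved copy of the /debug/radius page; an empty result means every admin Access-Accept in the capture was the second leg of a challenge/response. A finding for a real account is worth checking against the user's two-factor setting and the realm's policy, since "twofactor: allow both" in the output above is what lets the token step be enforced for that user.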
Related articles:
- https://docs.fortinet.com/document/fortiauthenticator/6.4.6/administration-guide/485114
Copyright 2024 Fortinet, Inc. All Rights Reserved.