acvaldez
Staff
Article Id 200105
Description

This article discusses the failover scenarios of an Active/Passive FortiAuthenticator HA cluster that is combined with a Load Balancing slave.

Scope

 

Solution

Configure the A-P FortiAuthenticator cluster and make sure that both members are in sync.


When the LB slave is configured, its HA configuration must point to the MGMT IP of the primary FortiAuthenticator.


The primary FortiAuthenticator is the one that sends the MGMT IP of the secondary FortiAuthenticator to the LB slave.

 

Reference for the configuration:

https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD53386

SCENARIO A:

- PRIMARY FortiAuthenticator is dead.


- The LB SLAVE will automatically communicate and sync with the secondary FortiAuthenticator (the secondary FortiAuthenticator now becomes the LB Master).

SCENARIO B:

- The PRIMARY FortiAuthenticator and the LB SLAVE are both dead (defective).


- A new LB SLAVE has arrived (RMA), but the PRIMARY FortiAuthenticator is still dead.


- The new FAC LB SLAVE must be configured to sync to the MGMT IP of the secondary FortiAuthenticator, because the primary FortiAuthenticator is still dead.


- Why? In this scenario the LB SLAVE is a completely new unit (RMA), so its configuration has to be based on the current state of the cluster.


- In the current state, the primary FortiAuthenticator is dead and the only FortiAuthenticator in possession is the secondary.

There is then no choice but to use the secondary FortiAuthenticator as the LB MASTER.

SCENARIO C:


- New PRIMARY FortiAuthenticator arrived.


- Join this unit to the HA A-P cluster, but make sure to set it as the slave FortiAuthenticator.


- Once it has joined the cluster, the working FortiAuthenticator LB MASTER will automatically introduce the IP of the slave unit to the LB SLAVE.


- Both FortiAuthenticator MGMT IPs will again be visible on the LB slave.

 

SCENARIO D:


- FortiAuthenticator PRIMARY is dead.


- SECONDARY FortiAuthenticator is UP.


- The LB SLAVE gets restarted or shut down.


- Once the LB SLAVE boots, it will still know that the SECONDARY FortiAuthenticator is the LB MASTER.

Note: In FAC HA LB (Active/Active) mode, if the standalone primary is down and users must still be able to authenticate through the next active FortiAuthenticator, the IP addresses of the FACs must be defined on the RADIUS client (FortiGate) as the Primary, Secondary and Tertiary RADIUS servers.
From the GUI only the Primary and Secondary RADIUS servers can be defined:
[Figure: Radius client.png]


On the CLI, it is possible to set up a tertiary RADIUS server as well:
 

FGT # config user radius
FGT (radius) # edit <Radius Name>
FGT (<Radius Name>) # set secondary-server <FAC LB node IP>
FGT (<Radius Name>) # set secondary-secret <PSK>
FGT (<Radius Name>) # set tertiary-server <FAC LB node IP>
FGT (<Radius Name>) # set tertiary-secret <PSK>
FGT (<Radius Name>) # next
FGT (radius) # end

The CLI help describes these options as follows:

secondary-server    Secondary RADIUS CN domain name or IP address.
secondary-secret    Secret key to access the secondary server.
tertiary-server     Tertiary RADIUS CN domain name or IP address.
tertiary-secret     Secret key to access the tertiary server.
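The following is an added example, not code from this article or from Fortinet: a minimal RADIUS PAP client (RFC 2865) that walks an ordered primary/secondary/tertiary list of FortiAuthenticator nodes, each with its own shared secret as on the FortiGate, skips a node that does not answer, and accepts a reply only when its Response Authenticator verifies. The server IPs, secrets and the offline reply builder that stands in for a FortiAuthenticator are constructed for the example.

```python
import hashlib, hmac, os, socket, struct

# Added example (not Fortinet code). Constructed values only; no real FAC is contacted
# unless udp_send is used against the real primary/secondary/tertiary node addresses.

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user: str, password: str, secret: bytes, ident: int = 1,
                         request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)
    name = user.encode()
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name                       # User-Name
    hidden = hide_password(password.encode(), secret, request_auth)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden                  # User-Password
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs  # Code 1

def response_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); rejects forged replies."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return len(reply) >= 20 and reply[1] == request[1] and hmac.compare_digest(expected, reply[4:20])

def make_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """Well-formed server reply with no attributes; used here only to simulate a FAC node offline."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def udp_send(ip: str, port: int, packet: bytes, timeout: float) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (ip, port))
        return sock.recv(4096)

def authenticate_with_failover(servers, user, password, send=udp_send, timeout=3.0):
    """servers: ordered [(label, ip, port, secret)]; returns (label, code) of the first node that answers."""
    for label, ip, port, secret in servers:
        request = build_access_request(user, password, secret)
        try:
            reply = send(ip, port, request, timeout)
        except OSError:              # timeout or unreachable (e.g. dead primary): try the next node
            continue
        if response_is_authentic(reply, request, secret):
            return label, reply[0]   # 2 = Access-Accept, 3 = Access-Reject
    return None, None
```

With the real `udp_send`, an unanswered primary costs one timeout per request before the secondary is tried, which is the delay the tertiary-server setting lets a FortiGate ride through.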