FortiGate
pkarna_FTNT
Staff
Description
This article describes how to integrate the remote authentication server when it is reachable via VPN.

Solution
Consider the topology below, where the remote authentication server (LDAP, RADIUS, FSSO agent or TACACS+) with IP 192.168.1.10 is located behind FortiGate2.

Integrate the remote authentication server on FortiGate1.

FortiGate1 and FortiGate2 are connected via Site to Site VPN.

192.168.2.0/24 - - - - 192.168.2.1-FortiGate1 - - - - - Site to Site VPN - - - - - FortiGate2-192.168.1.1 - - - - 192.168.1.0/24

In this scenario the server sits at the far end of the VPN between the two devices, so set “source-ip” on the authentication server object to FortiGate1's internal IP address. The authentication traffic is then sourced from an address that is routed through the tunnel, instead of from the IP of the outgoing interface, and the connection to the server succeeds.

The source-ip option is available only from the CLI.

Following is the configuration for the remote authentication server:

1) LDAP:
config user ldap
    edit LDAP-Server
        set server 192.168.1.10
        set source-ip 192.168.2.1
    end


2) FSSO (the FSSO agent is configured across the tunnel):
config user fsso
    edit FSSO-Agent
        set server 192.168.1.10
        set source-ip 192.168.2.1
    end

3) TACACS+:
config user tacacs+
    edit TACACS-Server
        set server 192.168.1.10
        set source-ip 192.168.2.1
    end

4) RADIUS:
config user radius
    edit RADIUS-Server
        set server 192.168.1.10
        set source-ip 192.168.2.1
    end

Note: If source-ip is NOT configured, a “Server Unreachable” error will be seen.
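The following CLI session is an added verification check, not part of the original article, showing how to confirm that source-ip was applied and that the queries actually leave through the tunnel. The object names, the test user and password, LDAP on port 389, and the sniffer output are assumptions or constructed placeholders.

```fortios
# Added verification steps (not from the original article). LDAP-Server,
# RADIUS-Server, testuser and <password> are placeholders.

# 1. Confirm the setting was saved; source-ip is only visible from the CLI.
FortiGate1 # show user ldap LDAP-Server
config user ldap
    edit "LDAP-Server"
        set server "192.168.1.10"
        set source-ip 192.168.2.1
    next
end

# 2. Confirm the tunnel to FortiGate2 is up and that 192.168.1.0/24
#    is reached through it rather than through the WAN default route.
FortiGate1 # diagnose vpn tunnel list
FortiGate1 # get router info routing-table all | grep 192.168.1.0

# 3. Capture the authentication traffic in one CLI session
#    (verbose level 4 prints the interface each packet uses) ...
FortiGate1 # diagnose sniffer packet any 'host 192.168.1.10 and port 389' 4 10

# ... and trigger a test bind from a second session.
FortiGate1 # diagnose test authserver ldap LDAP-Server testuser <password>

# Expected (constructed) sniffer output: the SYN is sourced from the
# internal address and leaves via the VPN interface, for example
#   192.168.2.1.51234 -> 192.168.1.10.389: syn ...
# If the source is the WAN interface address instead, source-ip was not
# applied (or does not match the tunnel's selectors) and the test above
# reports the server as unreachable.

# For RADIUS the equivalent test is:
FortiGate1 # diagnose test authserver radius RADIUS-Server pap testuser <password>
```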

