Solution
In this case, FortiAuthenticator is used as the RADIUS server and Windows Server 2016 as the LDAP server. The FortiAuthenticator connection to the Windows Server 2016 LDAP server has already been completed. A new Active Directory user named 'webuser' has been created.
Example to configure Remote LDAP Server in FortiAuthenticator:
FortiAuthenticator Configurations (after the Remote LDAP Server has been configured in FortiAuthenticator).
- Connect FortiAuthenticator to FortiWeb.
- Go to Authentication -> RADIUS Service -> Client and select 'Create New'.
- Complete with FortiWeb Information: Name, IP, Secret.
- Import Remote LDAP user.
- Go to User Management -> Remote Users and select 'Import'.
- Select the Remote LDAP Server configured in FortiAuthenticator.
- Action: Import users / Import.
- Select users to Import to FortiAuthenticator and FortiWeb. In this example, the user to test is: 'webuser'.
- Create a User Group.
- Go to User Management -> User Group and select 'Create New'.
- Set Group Name.
- Select Type: Remote LDAP.
- Select Option: Set a list of imported remote LDAP users.
- Select the Remote LDAP Server.
- Select 'webuser' from the user list.
- Save.
- Configure a RADIUS attribute on the User Group:
- Go to User Management -> User Groups, edit the group created, and configure the RADIUS attribute.
- Set Vendor: Fortinet.
- Set Attribute ID: Fortinet-Group-Name.
- Set Value Type: Static.
- Set Value: Fortiweb_Admin_Group. This attribute value will be matched by the FortiWeb Admin Group.
- Set Type: String.
- Create Realm.
- Go to Authentication -> User Management -> Realms.
- Create New.
- Set the Realm Name.
- Set User Source: select the Remote LDAP server created.
- Save.
- Create RADIUS Policy.
- Go to Authentication -> RADIUS Service -> Policies and select 'Create New'.
RADIUS clients:
- Set Policy name.
- Select FortiWeb Client, configure, move to the right, and select 'Next'.
RADIUS attribute criteria:
- Keep default values and select 'Next'.
Authentication type:
- Keep default values and select 'Next'.
Identity sources:
- Select the Realm created for the Active Directory LDAP server.
- Select Filter.
- Enable Filter, select the FortiWeb User Group created, and select 'Next'.
Authentication factors:
- Keep default values and select 'Next'.
Radius response:
- Keep default values, select 'Save' and exit.
FortiWeb Configurations.
- Configure the Remote RADIUS Server.
- Go to User -> Remote Server -> RADIUS Server and select 'Create New'.
- Complete with the RADIUS information: Remote RADIUS IP, RADIUS port, Server Secret.
- Keep the default Authentication Scheme: DEFAULT.
- It is also possible to configure this using the FortiWeb CLI:

config user radius-user
    edit "RADIUS"                  <----- Any RADIUS name.
        set server 172.16.16.9     <----- Remote RADIUS IP.
        set secret <RADIUS_password>
    next
end
- Configure the Admin Group.
- Go to User -> User Group -> Admin Group and select 'Create New'.
- Set Name and select 'OK' to save.
- In the same window, select 'Create New'.
- Select User Type: RADIUS User.
- Name: select the Remote RADIUS Server configured at 'Step 1'.
- Set Group Name: Fortiweb_Admin_Group. This is the same value as the Fortinet-Group-Name attribute configured on the user group in FortiAuthenticator.
- Select 'OK' to save.
- Create the Remote RADIUS Administrator.
- Go to System -> Admin -> Administrators and select 'Create New -> Administrator'.
- Set Administrator: any name can be configured, because the Wildcard option will be enabled so that only LDAP users in the FortiAuthenticator group are used.
- Select Type: Remote User.
- Select Admin User Group: Radius_Admin_Group. This is the same RADIUS group configured at 'Step 3'.
- Enable 'Wildcard'.
- Select Access Profile: prof_admin.
- Select 'OK' to save.
- Log in to FortiWeb with the LDAP user, using FortiAuthenticator as the RADIUS server.
- To see the logs on the FortiAuthenticator RADIUS server:
- Open: http://<FAC_IP>/debug/
- Select: RADIUS -> Authentication.
- The test user's authentication negotiation is visible.
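The group match above relies on the Fortinet-Group-Name attribute that FortiAuthenticator returns inside a RADIUS Vendor-Specific attribute, which FortiWeb compares with the Admin Group's Group Name. The following is an added example, not part of this article or of either product, that builds a constructed Access-Accept carrying that attribute, verifies its Response Authenticator against the shared secret, and extracts the group name the way a verifier would. It assumes the Fortinet IANA enterprise number 12356 and vendor type 1 for Fortinet-Group-Name; the secret and authenticator values are constructed.

```python
import hashlib
import os
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet IANA enterprise number
FORTINET_GROUP_NAME = 1      # vendor type of Fortinet-Group-Name (string)
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26


def encode_group_name_vsa(group: str) -> bytes:
    """Encode Fortinet-Group-Name as a RADIUS Vendor-Specific (26) attribute."""
    value = group.encode()
    vendor_data = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    payload = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Accept; Response Authenticator as in RFC 2865 section 3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def fortinet_group_names(packet: bytes, request_auth: bytes, secret: bytes) -> list:
    """Verify the Response Authenticator, then return all Fortinet-Group-Name values."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if code != ACCESS_ACCEPT or packet[4:20] != expected:
        return []  # wrong secret or tampered reply: trust no group from it
    groups, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break  # malformed attribute length, stop parsing
        body = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6 \
                and struct.unpack("!I", body[:4])[0] == FORTINET_VENDOR_ID:
            vtype, vlen = body[4], body[5]
            if vtype == FORTINET_GROUP_NAME and 2 <= vlen <= len(body) - 4:
                groups.append(body[6:4 + vlen].decode(errors="replace"))
        pos += alen
    return groups


def admin_group_matches(packet, request_auth, secret, expected="Fortiweb_Admin_Group") -> bool:
    """Mirror the FortiWeb Admin Group check: the returned group must equal the configured name."""
    return expected in fortinet_group_names(packet, request_auth, secret)


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", os.urandom(16)  # constructed values
    pkt = build_access_accept(7, req_auth, secret, encode_group_name_vsa("Fortiweb_Admin_Group"))
    print(fortinet_group_names(pkt, req_auth, secret))
```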
To know about FortiWeb Radius Configuration:
user radius-user
To know about FortiAuthenticator Radius Configuration:
RADIUS service
FortiAuthenticator Debug:
Troubleshooting Tip: How to debug FortiAuthenticator Services
Debug logs