FortiWeb
Pedro_FTNT
Staff
Article Id 279495
Description This article describes how to configure FortiWeb with a Remote RADIUS Server and test the connection. To check the result, it is possible to use a PCAP capture and the FortiAuthenticator debug tools.
Scope FortiWeb, FortiAuthenticator.
Solution
  • In this case, FortiAuthenticator will be used as a RADIUS Server.
  • Windows Server 2016 as LDAP.
  • The FortiAuthenticator connection to LDAP on Windows Server 2016 was already completed.
  • A new Active Directory user was created, named: 'webuser'.
  • The Remote LDAP Server is already configured in FortiAuthenticator.

 

FortiAuthenticator Configurations. After configuring the Remote LDAP Server in FortiAuthenticator:

  1. Connect FortiAuthenticator to FortiWeb.
  • Go to Authentication -> RADIUS Service -> Client and select 'Create New'.
  • Complete with FortiWeb information: Name, IP, Secret.

  2. Import the Remote LDAP user.
  • Go to User Management -> Remote Users -> Import.
  • Select the Remote LDAP Server configured in FortiAuthenticator.
  • Action: Import users / Import.
  • Select users to import to FortiAuthenticator and FortiWeb. In this example, the user to test is: 'webuser'.

  3. Create User Group.
  • Go to User Management -> User Group and select 'Create New'.
  • Set Group Name.
  • Select Type: Remote LDAP.
  • Select Option: Set a list of imported remote LDAP users.
  • Select the Remote LDAP Server.
  • Select 'webuser' from the user list.
  • Save.

  4. Create Realm.
  • Go to Authentication -> User Management -> Realms.
  • Create New.
  • Set Realm Name.
  • Set User Source: select the Remote LDAP server created.
  • Save.

  5. Create RADIUS Policy.
  • Go to Authentication -> RADIUS Service -> Policies and select 'Create New'.

RADIUS clients:

  • Set Policy name.
  • Select the configured FortiWeb client, move it to the right, and select 'Next'.
  • RADIUS attribute criteria: keep default values and select 'Next'.
  • Authentication type: keep default values and select 'Next'.

Identity sources:

  • Select the Realm created for the Active Directory LDAP.
  • Select Filter.
  • Enable Filter, select the FortiWeb User Group created, and select 'Next'.
  • Authentication factors: keep default values and select 'Next'.
  • RADIUS response: keep default values, select 'Save', and exit.

 

FortiWeb Configurations.

  1. To configure the Remote RADIUS Server:
  • Go to User -> Remote Server -> RADIUS Server and select 'Create New'.
  • Complete with RADIUS information: Remote RADIUS IP, RADIUS port, Server Secret.
  • For Authentication Scheme, select the default: DEFAULT.

  2. It is also possible to configure this using the FortiWeb CLI:

config user radius-user
    edit "RADIUS" <----- Any RADIUS name.
        set server 172.16.16.9 <----- Remote RADIUS server IP.
        set secret <RADIUS_password> <----- Same password used in the FortiAuthenticator configuration.
    next
end

  3. To do a PCAP capture:
  • Go to Network -> Packet Capture and select 'Create New'.
  • Interface: Any
  • Filter: host 172.16.16.9 <----- RADIUS Server.
  • Select 'Not Running' to start the capture.

  4. While the capture is running:
  • Go to User -> Remote Server and select 'RADIUS Server'.
  • Select Test RADIUS.
  • Configure 'username' and 'user password' to test the connection to RADIUS.
  • Select 'OK'.

  5. Stop the PCAP capture.
  • Go to Network -> Packet Capture.
  • Select: Stop Capturing.
  • Download the PCAP capture.

  6. Use Wireshark to filter the user connection and check what is happening with the test user connection. In this example, the connection was successful, so the RADIUS log is visible in Wireshark.

  7. To see logs in the FortiAuthenticator RADIUS Server:
  • Open: http://<FAC_IP>/debug/
  • Select: RADIUS / Authentication.
  • The test user's authentication negotiation is visible.
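A complementary check on the downloaded capture, as an added example that is not part of the original article or Fortinet tooling: the script decodes the RADIUS request and reply payloads (RFC 2865) and verifies the reply's Response Authenticator against the shared secret, which fails when the secret set on FortiWeb differs from the one set on the FortiAuthenticator client entry. The function names, the sample packets and the secret are constructed for illustration; with a real capture, pass the raw UDP payload bytes of the two packets.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_radius(payload: bytes) -> dict:
    """Decode the RFC 2865 header and attributes of one RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field does not match the payload")
    attrs, pos = [], 20
    while pos < length:
        a_len = payload[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((payload[pos], payload[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, str(code)), "id": ident,
            "authenticator": payload[4:20], "attributes": attrs,
            "raw": payload[:length]}

def response_matches_secret(request: bytes, response: bytes, secret: bytes) -> bool:
    """True if the reply's Response Authenticator was computed with `secret`."""
    req, rsp = parse_radius(request), parse_radius(response)
    if req["id"] != rsp["id"]:
        return False  # reply does not belong to this request
    raw = rsp["raw"]
    # RFC 2865: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    expected = hashlib.md5(raw[:4] + req["authenticator"] + raw[20:] + secret).digest()
    return hmac.compare_digest(expected, rsp["authenticator"])

def build_sample(secret: bytes):
    """Constructed request/accept pair for user 'webuser' (not a real capture)."""
    req_auth = bytes(range(16))
    attrs = bytes([1, 2 + len(b"webuser")]) + b"webuser"  # User-Name attribute
    request = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + req_auth + attrs
    head = struct.pack("!BBH", 2, 7, 20)
    response = head + hashlib.md5(head + req_auth + secret).digest()
    return request, response

if __name__ == "__main__":
    request, response = build_sample(b"constructed-secret")
    print(parse_radius(request)["code"], "->", parse_radius(response)["code"])
    print("configured secret:", response_matches_secret(request, response, b"constructed-secret"))
    print("wrong secret:", response_matches_secret(request, response, b"wrong-secret"))
```

A reply that parses as Access-Accept but fails this check points to a secret mismatch between the two devices rather than a problem with the user's credentials.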

 

For more information about FortiWeb RADIUS configuration:

user radius-user

For more information about FortiAuthenticator RADIUS configuration:

RADIUS service

FortiAuthenticator debug:

Troubleshooting Tip: How to debug FortiAuthenticator Services

Debug logs
