2 Solutions
I'm not sure if we have any guide for how the whole sequence works, at least on the docs page.
We do have a configuration example with two-factor authentication (SMS token, but the process for FTK is much the same): https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/451567/sms-two-factor-authentic...
However, this is with a local user created on FortiAuthenticator, not a user that is on LDAP.
Here is a section on remote authentication servers in FortiAuthenticator (tie-in with remote LDAP/RADIUS):
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/641286/remote-authe...
The study guide for NSE 6 FortiAuthenticator does cover what I discussed above as well, but doesn't provide a simple step-by-step example of what a setup would look like. That is part of the labs in instructor-led FortiAuthenticator training, I believe.
If your questions are about RADIUS protocol in general, the study guide contains a small section on how RADIUS works, but it doesn't go into great depth and presumes at least a bit of familiarity with the protocol.
As for a diagram - a crude one, but I hope it helps you visualize what's going on:
communication between FAC and FGT is RADIUS, and between FAC and remote auth server could be RADIUS, LDAP, etc.
For those remote servers, they would see FAC as client, not FortiGate.
For FortiGate, it would only have the one RADIUS server to speak to.
I'm not sure if we have any guide for how the whole sequence works, at least on the docs page.
We do have a configuration example with two-factor authentication (SMS token, but the process for FTK is much the same): https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/451567/sms-two-factor-authentic...
However, this is with a local user created on FortiAuthenticator, not a user that is on LDAP.
Here is a section on remote authentication servers in FortiAuthenticator (tie-in with remote LDAP/RADIUS):
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/641286/remote-authe...
The study guide for NSE 6 FortiAuthenticator does cover what I discussed above as well, but doesn't provide a simple step-by-step example of what a setup would look like. That is part of the labs in instructor-led FortiAuthenticator training, I believe.
If your questions are about RADIUS protocol in general, the study guide contains a small section on how RADIUS works, but it doesn't go into great depth and presumes at least a bit of familiarity with the protocol.
As for a diagram - a crude one, but I hope it helps you visualize what's going on:
communication between FAC and FGT is RADIUS, and between FAC and remote auth server could be RADIUS, LDAP, etc.
For those remote servers, they would see FAC as client, not FortiGate.
For FortiGate, it would only have the one RADIUS server to speak to.
