Hello dear Community,
i would like to configure 2FA-Authentication via Fortimanager and FortiAuthenticator. We have a fortigate 200F in use.
This Technical Tip was very helpful for us:
Technical Tip: Radius authentication with FortiAut... - Fortinet Community
My first question is:
The SSLVPN should be configured for 80 partners. Is there a possibility that I don't have to create manual groups 80 times so I can assign them a portal? Or do I have to create 80 groups and 80 portals with different bookmarks? Is it possible that I can only configure one portal and still assign different bookmarks to the partner?
My second question:
I usually create the UserGroups for the LDAP users on the Fortiauthenticator and then I configure them on the Fortigate so that they can authenticate via Radius & 2FA. Is there a possibility that I can only perform the configuration via the FortiManager, so I do not have to configure on two devices? Can I use the Fortimanager to create the ldap user groups for radius authentication and then assign them to an SSLVPN portal?
Best regards!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello dear @Debbie_FTNT ,
thank you very much for the quick response and for your support! I really appreciate it.
Regarding my question 1:
I mentioned that there are 80 partners, but these 80 partners have 200 users in total. If I understood it correctly, then I would have to edit 200User at CLI level, right?
Regarding my question 2:
Just to be sure, so I have to configure both devices. Once the Fortiauthenticator and once the Fortigate/FortiManager, right?
Thank you and best regards!!
Hey OFP,
- question 1: yes, you would have to edit 200 user on the CLI level if each of those users has an individual login.
- question 2: correct, you have to configure both devices, FortiAuthenticator and either FortiManager or FortiGate.
Hey OFP,
regarding your first question, there are user-defined bookmarks (user-specific bookmarks, even if the users are in the same group); these are NOT defined under the portal specifically, but under 'config vpn ssl web user-bookmark'
-> those entries are generated automatically when a user connects to web portal VPN for the first time, but can also be created manually
-> they follow the format 'user#group'
For example:
show vpn ssl web user-bookmark
edit "user2#SAML-FAC"
config bookmarks
edit "1"
set apptype rdp
set host "10.0.0.1"
set port 3389
next
end
next
end
-> that bookmark is for user2, and they log in via group 'SAML-FAC'.
This is not something that can be really created via GUI in FortiGate.
In FortiManager, you could create the user-specific bookmarks via Device Manager > CLI-only options, or maybe via VPN Manager, but I'm not certain about the VPN Manager. It is NOT an ADOM-level object, so not something you can configure in Policies&Objects
Regarding your second question, you can certainly create the RADIUS server entry and user group on FortiManager that should be pushed to FortiGate, but you can't push configuration from FortiManager to FortiAuthenitcator. You will have to configure FortiAuthenticator and then either FortiGate (and sync to FortiManager) or FortiManager (and install to FortiGate).
I hope that helps!
Hello dear @Debbie_FTNT ,
thank you very much for the quick response and for your support! I really appreciate it.
Regarding my question 1:
I mentioned that there are 80 partners, but these 80 partners have 200 users in total. If I understood it correctly, then I would have to edit 200User at CLI level, right?
Regarding my question 2:
Just to be sure, so I have to configure both devices. Once the Fortiauthenticator and once the Fortigate/FortiManager, right?
Thank you and best regards!!
Hey OFP,
- question 1: yes, you would have to edit 200 user on the CLI level if each of those users has an individual login.
- question 2: correct, you have to configure both devices, FortiAuthenticator and either FortiManager or FortiGate.
Hey @Debbie_FTNT ,
is there a way to automatically import the radius users to the fortigates? I only know the way that you can create manual radius users. However, I would like to import all users from the FortiAuthenticator to the Fortigate.
Hey OFP,
no, sorry, FortiGate doesn't have an import function for the users.
You do not technically have to import the users to create the bookmark entries, though - you just need to know what name they will log in with, and what group they belong to.
To import the users in bulk, you could, in theory, also export the users from FortiAuthenticator (that will give you a csv file with username, encrypted password, and a few other details) and write a script to create users in FortiGate via CLI.
That would definitely exceed my meager scripting experience, but if you are more versed in that sort of thing, go for it :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1709 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.