Maerre

Configure fortitoken on users inside a Radius server-group (without fortiauthenticator)

Hello,

I purchased a FortiToken Cloud license and I've been asked to configure MFA for all the users belonging to a RADIUS server group and connecting via remote access with FortiClient.

I haven't found any documentation about how to implement this configuration without using FortiAuthenticator; is it possible?

When configuring a local user I have the option to select the FortiToken Cloud license, but when configuring the RADIUS server group I'm not prompted for this option, and I haven't seen any command for it via the CLI either.

Do you have any idea?

Thank you

Bye

funkylicious

Hi,
As far as I know and have read so far, you can do that for users in a specific LDAP (not RADIUS) group, like here: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/80565/synchronizing-ldap-active-dire...

For RADIUS, you can try to import the users on the FGT as described here:

https://docs.fortinet.com/document/fortitoken-cloud/latest/admin-guide/163308/configure-local-radius...

---------------------------
geek
---------------------------
Maerre

Hello,

Yeah, I saw it is possible with LDAP but not with RADIUS.

Regarding your link, I'm looking for a method to avoid creating or importing local users; I'd like to use the RADIUS group already configured and link the FortiToken Cloud to it... but it seems not possible.

Maerre

@funkylicious,

Regarding the last sentence: with RADIUS, if I'm not wrong, you still need to manually import all the users, but this is not what I want.

I want to create a new user only on the server and then manually have it pushed to the FortiGate for MFA access.

funkylicious

That's also my understanding, that you would need to import them manually.

---------------------------
geek
---------------------------
Maerre

That's the problem; I'm trying to understand if using a FortiAuthenticator can solve this issue.

Otherwise we must migrate to LDAP.

funkylicious

In FortiAuth, I don't see anything similar to what you want to achieve.

Indeed it allows you to add a remote RADIUS server, but I cannot see anywhere how you can import remote users based on a remote RADIUS group and assign them 2FA.

I can see this option only within LDAP/AD:
https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/441267/remote-users - this will import into FAC all the users belonging to a group

https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/215969/remote-user-... - this can create an automation task that will search for users, add them and assign FTM to them

---------------------------
geek
---------------------------
Maerre

Does anybody know if implementing FortiAuthenticator could solve this problem?

Debbie_FTNT

Hey Maerre,

you can sort of achieve something similar with FortiAuthenticator.

While funkylicious is correct that you cannot IMPORT users from a remote RADIUS into FortiAuthenticator, you can in fact create them (or import them from a file). You would have to manually recreate group structures etc. in FortiAuthenticator, or rely on the remote RADIUS to provide the appropriate RADIUS attributes in its response.

FortiAuthenticator should pass on the attributes it gets in the Access-Accept back to FortiGate or whatever other RADIUS client is trying to authenticate the user.


You can then enable FortiTokenCloud on the remote user, same as if the user was imported from LDAP.
The RADIUS policy will need to be configured with the remote RADIUS server as realm.

EDIT:
I did not see your previous comment about not wanting to create users manually but import them automatically, apologies.

There is no provision in the RADIUS protocol for more than straight-out user authentication, no queries or structures like with LDAP, so user import via RADIUS isn't really a thing.

IF your remote RADIUS server is capable of SCIM, you could use that to sync over the users as well. Starting in FortiAuthenticator 6.6.1, you can create a remote user sync rule of type SCIM, which allows FortiAuthenticator to receive user information via SCIM and create users based on that. The remote user sync rule would have to be linked to a remote RADIUS server object:

Any user received via this SCIM config would lead to a Remote RADIUS user created in FortiAuthenticator, with FortiTokenCloud enabled, and linked to the remote server as defined in the sync rule (if the user tries to authenticate, credentials should be checked against that particular remote RADIUS server).

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
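As an added illustration of the attribute pass-through described in the reply above (example code written for this thread, not FortiAuthenticator's own implementation): a minimal RADIUS relay step that parses the upstream server's Access-Accept, keeps only the Class and Vendor-Specific attributes (Fortinet-Group-Name, vendor 12356 sub-type 1, is what a FortiGate RADIUS user group matches on), re-signs the response with the secret shared with the FortiGate, and refuses to relay anything that was not an Access-Accept. Shared secrets, the group name and the Request Authenticator are constructed sample values.

```python
import hashlib
import struct
ACCESS_ACCEPT = 2
ATTR_CLASS = 25              # Class: opaque token the NAS echoes back in accounting requests
ATTR_VSA = 26                # Vendor-Specific
FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name sub-type, matched by FortiGate RADIUS user groups

def parse_attributes(payload):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")   # never loop on a bad length
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def fortinet_group_vsa(group):
    """Encode Fortinet-Group-Name as the value of a Vendor-Specific (26) attribute."""
    value = group.encode()
    return struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, 2 + len(value)) + value

def parse_fortinet_groups(attrs):
    """Return every Fortinet-Group-Name found among (type, value) attributes."""
    groups = []
    for atype, value in attrs:
        if atype == ATTR_VSA and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            if sub_type == FORTINET_GROUP_NAME:
                groups.append(value[6:4 + sub_len].decode())
    return groups

def build_response(code, ident, request_auth, attrs, secret):
    """Assemble a RADIUS response; Response Authenticator as in RFC 2865 section 3."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def verify_response(packet, request_auth, secret):
    """Check a response against the Request Authenticator of the matching request."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + body + secret).digest() == auth

def relay_accept(upstream_packet, ident, request_auth, secret):
    """Re-issue the upstream Access-Accept to FortiGate, keeping only Class and Vendor-Specific."""
    if upstream_packet[0] != ACCESS_ACCEPT:
        raise ValueError("upstream server did not return Access-Accept")
    kept = [(t, v) for t, v in parse_attributes(upstream_packet[20:]) if t in (ATTR_CLASS, ATTR_VSA)]
    return build_response(ACCESS_ACCEPT, ident, request_auth, kept, secret)
```

Attributes such as Reply-Message are dropped by the relay, so a FortiGate group match still depends on the upstream server actually sending Fortinet-Group-Name (or on FortiAuthenticator adding it from its own group configuration).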
Maerre

Hi @Debbie_FTNT,

What a helpful answer!

Yes, I'd like to do it automatically, so once the user is created on my server it is then replicated automatically on the FAC and assigned a FortiToken Cloud license.

As I understand it, this is easily achievable with LDAP + FAC.

I don't know at the moment if the RADIUS server is capable of SCIM; if yes, I'll follow your advice.

In this case, after configuring the remote user sync rule of type SCIM, where does the remote RADIUS server object that is linked to the SCIM rule need to be configured? Under the RADIUS service tab?
I'll have a call to discuss it with my client in the next few days; I'll keep you posted.

Meanwhile, thank you for your help!
