Hello,
i purchased a Fortitoken Cloud license and i've been asked to configure MFA for all the user belonging to a radius server group and connecting via remote access with the forticlient.
I haven't found any documentation about how to implement this configuration without using fortiauthenticator, is it possibile?
If configuring a local user i've the option to select the fortitoken cloud license, when configuring the radius server group i'm not prompted for this option, i haven't seen any command neither via CLI.
Do you have any idea?
thank you
Bye
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
As far as I know and read so far, you can do that to the users on a specific LDAP ( not RADIUS ) group, like here : https://docs.fortinet.com/document/fortigate/7.0.0/new-features/80565/synchronizing-ldap-active-dire...
For RADIUS, you can try and import the users as described here on the FGT,
Hello,
yeah, i saw it is possibile with ldap but not with radius.
regarding your link, i'm looking for a method to avoid creating or importing local user, i'd like to user the radius group already configured and link the fortitoken cloud...............but it seems not possibile.
regarding the last sentence, with radius, if i'm not wrong, you still need to manually import all the user, but this is not what i want.
I want to create a new user only on the server and then manually have it pushed on the fortigate for mfa access.
that's also my understanding, that you would need to manually import.
That's the problem, i'm trying to understand if using a fortiauthenticator can solve this issue.
Otherwise we must migrate to Ldap
In FortiAuth, I dont see something similar to what you want to achieve.
Indeed it allows you to add a remote RADIUS server, but I cannot see anywhere how you can import remote users based on a remote RADIUS group and assign them 2FA.
I can see this option only within LDAP/AD :
- https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/441267/remote-users - this will import in FAC all the users beloging to a group
- https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/215969/remote-user-... - this can create an automation task that will search/add/assign FTM to users
Created on 10-04-2024 04:36 AM Edited on 10-04-2024 04:41 AM
Hey Maerre,
you can sort-of achieve something similar with FortiAuthenticator.
While funkylicious is correct that you cannot IMPORT users from a remote RADIUS into FortiAuthenticator, you can in fact create them (or import from a file). You would have to manually recreate group structures etc in FortiAuthenticator, or rely on the remote RADIUS to provide the appropriate RADIUS attributes in response.
FortiAuthenticator should pass on the attributes it gets in the Access-Accept back to FortiGate or whatever other RADIUS client is trying to authenticate the user.
You can then enable FortiTokenCloud on the remote user, same as if the user was imported from LDAP.
The RADIUS policy will need to be configured with the remote RADIUS server as realm.
EDIT:
I did not see your previous comment about not wanting to create users manually, but import them automatically, apologies.
There is no provision in RADIUS protocol for more than just straight-out user authentication, no queries or structures like with LDAP, so user import via RADIUS isn't really a thing.
IF your remote RADIUS server is capable of SCIM, you could use that to sync over the users as well. Starting in FortiAuthenticator 6.6.1, you can create a remote user sync rule of type SCIM, which allows FortiAuthenticator to receive user information via SCIM and create users based on that. The remote user sync rule would have to be linked to a remote RADIUS server object:
Any user received via this SCIM config would lead to a Remote RADIUS user created in FortiAuthenticator, with FortiTokenCloud enabled, and linked to the remote server as defined in the sync rule (if the user tries to authenticate, credentials should be checked against that particular remote RADIUS server).
Hi @Debbie_FTNT,
what a helpful answer!
Yes, i'd like to do it automatically, so once the user is created on my server it is then replicated automatically on the FAC and assigned a fortitoken cloud license.
As i understand this is easily achievable with Ldap + Fac.
I don't know at the moment if the Radius server is capable of SCIM, if yes, i'll follow your advices.
In this case, after configuring the remote user sync rule of type SCIM, where does the remote RADIUS server object to be linked to the SCIM need to be configured? Under the Radius service tab?
I'll have a call to discuss it with my client in the next days, i'll keep you posted.
Meanwhile thank you for your help!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.