Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhanna
New Contributor II

Forti Authenticator Request

Hello ALL,

  Kindly I have built Forti-Authenticator On AZURE and i successfully authenticate it with My FortiGate Device on site with the below structure

I configured FAC as a radius server and FortiGate device as a radius client ,Actually the authentication done and tested successfully Also I already had authentication between FortiGate and my active directory using FSSO and LDAP method. But I have an urgent request , I did this solution (FAC) for allow users to authenticate from it as a primary Authentication and if FAC down users can authenticate using backup authentication which between the LDAP and FortiGate device

What I found :

the users authenticate first with local authentication which between FortiGate and LDAP FSSO as a primary authentication and  authenticate from FAC  once i disable the authentication between FortiGate and LDAP 

I need to make the primary authentication from FAC and the backup from local LDAP , So if there any priority to allow users to Authenticate first from FAC and if FAC down users can Authenticate with local LDAP

Thanks 

4 REPLIES 4
pminarik
Staff
Staff

Hi,

FortiOS does not provide such fail-over capability for remote server-based authentication for users. This would require a new feature request.

 

With current behaviour, if you specify both RADIUS- (FAC) and LDAP-based groups as allowed for certain access, the FortiGate will query both authentication servers at once and the first positive reply will be used for authentication and authorization.

If you are using FAC for two-factor authentication, then the non-2FA authentication through LDAP will always win this "race". Without 2FA the timing is less certain, but still more likely for plain LDAP to be faster than RADIUS (because it consists of RADIUS + LDAP queries done by FAC itself).

[ corrections always welcome ]
mhanna
New Contributor II

Hi,

So that's mean there is no way to allow users to use Forti-Authenticator 2FA firstly as primary authentication and use LDAP authentication with FortiGate as  a backup authentication

pminarik

That is correct. There is no mechanism to set strict priority between authentication-servers in FortiOS such that automatically:

1, Only FAC is used when it is reachable

2, LDAP is used as a backup only when FAC is down

 

You would need to either perform ad-hoc manual config changes to approach this behaviour, or you could perhaps use realms in case of SSL-VPN to use FAC for one realm and LDAP for another, but there is no mechanism to dynamically disable/enable these realms. (either they are both available at the same time, or you manually enable/disable their usage)

 

For FAC failure resistance, I would suggest a FAC cluster, either AP, or a load-balancing cluster (if you are in a scenario where placing each FAC in a different location and load-balancing requests among them would be beneficial).

 

FAC HA documentation link 

[ corrections always welcome ]
Debbie_FTNT

We also have a guide written for SSLVPN authentication, but the principle is the same:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent...

-> FortiGate contacts all authentication servers at the same time

-> whichever one returns a successful authentication first is the one FortiGate will go with

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Labels
Top Kudoed Authors