Kindly I have built Forti-Authenticator On AZURE and i successfully authenticate it with My FortiGate Device on site with the below structure
I configured FAC as a radius server and FortiGate device as a radius client ,Actually the authentication done and tested successfully Also I already had authentication between FortiGate and my active directory using FSSO and LDAP method. But I have an urgent request , I did this solution (FAC) for allow users to authenticate from it as a primary Authentication and if FAC down users can authenticate using backup authentication which between the LDAP and FortiGate device
What I found :
the users authenticate first with local authentication which between FortiGate and LDAP FSSO as a primary authentication and authenticate from FAC once i disable the authentication between FortiGate and LDAP
I need to make the primary authentication from FAC and the backup from local LDAP , So if there any priority to allow users to Authenticate first from FAC and if FAC down users can Authenticate with local LDAP
FortiOS does not provide such fail-over capability for remote server-based authentication for users. This would require a new feature request.
With current behaviour, if you specify both RADIUS- (FAC) and LDAP-based groups as allowed for certain access, the FortiGate will query both authentication servers at once and the first positive reply will be used for authentication and authorization.
If you are using FAC for two-factor authentication, then the non-2FA authentication through LDAP will always win this "race". Without 2FA the timing is less certain, but still more likely for plain LDAP to be faster than RADIUS (because it consists of RADIUS + LDAP queries done by FAC itself).
That is correct. There is no mechanism to set strict priority between authentication-servers in FortiOS such that automatically:
1, Only FAC is used when it is reachable
2, LDAP is used as a backup only when FAC is down
You would need to either perform ad-hoc manual config changes to approach this behaviour, or you could perhaps use realms in case of SSL-VPN to use FAC for one realm and LDAP for another, but there is no mechanism to dynamically disable/enable these realms. (either they are both available at the same time, or you manually enable/disable their usage)
For FAC failure resistance, I would suggest a FAC cluster, either AP, or a load-balancing cluster (if you are in a scenario where placing each FAC in a different location and load-balancing requests among them would be beneficial).
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.