Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
marco_buccella
New Contributor

FortiAuthenticator 5.4.1 [Failed to join Windows AD network]

Hi All,

 

I'm configuring FortiAuthenticator v5.4.1 (Last version) so to able to authenticate my users via Remote Ldap with FortiToken Mobile for SSL VPN and to connect the administrator using Radius to Fortigate,FortiManager... 

 

I was able to use Radius Authentication in the Fortigate in order to connect my administrators to FAC using a Wildcard. 

 

Right now I was checking in monitor mode to confirm that LDAP sync works correctly but I found the following issue

"Failed to join Windows AD network" but I'm able to see the DN and imports users. 

 

 

 

In the Logs I can find only this error message Failed to join Windows AD network and in the LDAP debug field nothing related is show, could be a custom bug? FortiAgent for this case is not relevant in order to sync to the Windows Active Directory, right?  

 

Thanks and regards.

4 REPLIES 4
xsilver_FTNT
Staff
Staff

Hi Marco,

it's most probably caused by 'Windows Active Directory Domain Authentication' data not being correct. This part of config should make FAC to attempt domain join and then use Kerberos for authentications.

It's useful if you are doing WPA2-Enterprise authentication on WLC or AP against FAC which do not have users directly inside but have them synced from AD (and so have no access to their passwords, and WPA auth is EAP/PEAP, so challenge handshake protocol).

For user sync it is not needed to have this 'Windows Active Domain Authentication' enabled, sync uses pure LDAP, so upper part of config is enough.

That's why you see error (AD join failed) but users getting synced (as they use LDAP only).

 

So check credentials of mentioned 'jgarrick' account and make sure he is allowed to join domain and auth other users. If not sure, then at least temporary and for test use some account from Administrators/Domain Admins group.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

marco_buccella

Hi xSilver,

 

Thanks for the reply, I was trying to fix it changing the Directory Domain Authentication field without success, so I decided to start again, installing a new LDAP an Fortiauthenticator again. 

 

After sometimes I fault in the same issue, I'm trying the same thing, authenticate to fortigate device using a remote Ldap group imported in the FAC.  If I test it with a local device in  the FAC with a wildcard group everything works correctly otherwise with LDAP....

 

The FortiAuthenticator agent is not installed because it's not usefull for this type on Infra. 

 

Windows AD Monitor show "not joined, not connected"

 

I attached in this link some debug of Ldap authentication failure,Local User success and some configurations images.

 

 [link]https://mega.nz/#F!JJJnlKBA!PoHb_fArmqGZ_JsThwz69Q[/link]

 

 

xsilver_FTNT

Hi,

original version from your first post seemed to me more consistent.

This new version with hellboy.com doamin , and configs .. 

 

LDAP.JPG

- kerberos realm seems to me incomplete .. if domain is hellboy.com I'd expect HELLBOY.COM (case sensitive) there

- domain would be OK

- FAC netbios is how AD will see it as logged in computer (after successful join of-course)

 

UserGroup.JPG

- if you test LDAP filter is it working ?

- check user properties of your system, but for MS AD I guess first part of filter should be objectClass and not objectCategory

- how about to test with simpler filter like '(objectClass=user)'  or '(memberOf=CN=YourADGroup,CN=Users,DC=hellboy,DC=com)' first ?

- RADIUS Attributes specified can be used to limit group members and also switch admin profile to one named Redes (must be defined on FGT and profile inheritance from AVP has to be set), and I'm not sure how group Redes-radius on FGT looks like. That brought me to FGT settings ..  If your intention is to auth certain admins if they are members in some AD group, then on FGT .. 

- wildcard admin type is usually used (and how to generically set wildcard admin with RADIUS is long time described in KB) - accessprofile is usually set to get overridden (accprofile-override need to be set), and so the one in FGT is sort of default one and so the lowest possible, usually no-access sort of profile.

- UserGroup.JPG shows Fortinet-Access-Profile AVP set to Redes .. for successful assignment that profile has to be present on FGT

- similarly can be used your second AVP Fortinet-Group-Name to allow just users from FAC with that AVP string "Redes" to match into firewall group on FGT (I have already documented RADIUS group match in Fortinet KB)

 

Hints !!:

- Redes-radius group used for admins should not be used anywhere else

- should not contain any local users from FGT

- should not be 'used in all user groups'

- otherwise it will not work for admins for sure

 

So resulting FGT config might be like this (check before copy&paste!)

---

 

config system admin edit "Redes" set remote-auth enable set accprofile "no-access" set vdom "root" set wildcard enable set remote-group "Redes-radius" set accprofile-override enable set radius-vdom-override enable next end

 

config user group edit "Redes-radius" set member "authenticator-radius" config match edit 1 set server-name "authenticator-radius" set group-name "Redes" next end next end

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

heriherwanto
New Contributor III

Did you solved this problem, I have some problem about the FAC NetBIOS name, how we can find the source of this name or how we can create this name?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors