marco_buccella
New Contributor

FortiAuthenticator 5.4.1 [Failed to join Windows AD network]

Hi All,

 

I'm configuring FortiAuthenticator v5.4.1 (latest version) so as to be able to authenticate my users via remote LDAP with FortiToken Mobile for SSL VPN, and to connect the administrators using RADIUS to FortiGate, FortiManager...

 

I was able to use Radius Authentication in the Fortigate in order to connect my administrators to FAC using a Wildcard. 

 

Right now I was checking in monitor mode to confirm that the LDAP sync works correctly, but I found the following issue:

"Failed to join Windows AD network", but I'm able to see the DN and import users.

In the logs I can find only this error message, "Failed to join Windows AD network", and in the LDAP debug field nothing related is shown; could it be a bug? FortiAgent in this case is not relevant in order to sync to the Windows Active Directory, right?

 

Thanks and regards.

xsilver_FTNT
Staff

Hi Marco,

It's most probably caused by the 'Windows Active Directory Domain Authentication' data not being correct. This part of the config should make FAC attempt a domain join and then use Kerberos for authentications.

It's useful if you are doing WPA2-Enterprise authentication on a WLC or AP against FAC, which does not have the users directly inside but has them synced from AD (and so has no access to their passwords, and WPA auth is EAP/PEAP, so a challenge-handshake protocol).

For user sync it is not needed to have this 'Windows Active Directory Domain Authentication' enabled; sync uses pure LDAP, so the upper part of the config is enough.

That's why you see the error (AD join failed) but users getting synced (as they use LDAP only).

 

So check the credentials of the mentioned 'jgarrick' account and make sure it is allowed to join the domain and authenticate other users. If not sure, then at least temporarily and for testing use some account from the Administrators/Domain Admins group.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

marco_buccella

Hi xSilver,

 

Thanks for the reply. I was trying to fix it by changing the Directory Domain Authentication field without success, so I decided to start again, installing a new LDAP and FortiAuthenticator again.

 

After some time I ran into the same issue. I'm trying the same thing: authenticating to the FortiGate device using a remote LDAP group imported in the FAC. If I test it with a local device in the FAC with a wildcard group everything works correctly, otherwise with LDAP...

 

The FortiAuthenticator agent is not installed because it's not useful for this type of infra.

 

Windows AD Monitor shows "not joined, not connected".

 

I attached in this link some debug output of the LDAP authentication failure, a local user success, and some configuration images.

 

https://mega.nz/#F!JJJnlKBA!PoHb_fArmqGZ_JsThwz69Q
xsilver_FTNT

Hi,

The original version from your first post seemed to me more consistent.

This new version with the hellboy.com domain, and configs ..

 

LDAP.JPG

- the Kerberos realm seems to me incomplete .. if the domain is hellboy.com I'd expect HELLBOY.COM (case sensitive) there

- domain would be OK

- FAC NetBIOS is how AD will see it as a logged-in computer (after a successful join, of course)

 

UserGroup.JPG

- if you test the LDAP filter, is it working?

- check the user properties on your system, but for MS AD I guess the first part of the filter should be objectClass and not objectCategory

- how about testing with a simpler filter like '(objectClass=user)' or '(memberOf=CN=YourADGroup,CN=Users,DC=hellboy,DC=com)' first?

- the RADIUS attributes specified can be used to limit group members and also to switch the admin profile to one named Redes (it must be defined on the FGT, and profile inheritance from the AVP has to be set), and I'm not sure how the group Redes-radius on the FGT looks. That brought me to the FGT settings .. If your intention is to auth certain admins if they are members of some AD group, then on the FGT ..

- the wildcard admin type is usually used (and how to generically set up a wildcard admin with RADIUS has long been described in the KB); the access profile is usually set to get overridden (accprofile-override needs to be set), and so the one on the FGT is sort of a default one and so the lowest possible, usually a no-access sort of profile.

- UserGroup.JPG shows the Fortinet-Access-Profile AVP set to Redes .. for successful assignment that profile has to be present on the FGT

- similarly your second AVP Fortinet-Group-Name can be used to allow just users from FAC with that AVP string "Redes" to match into the firewall group on the FGT (I have already documented RADIUS group match in the Fortinet KB)

 

Hints !!:

- Redes-radius group used for admins should not be used anywhere else

- should not contain any local users from FGT

- should not be 'used in all user groups'

- otherwise it will not work for admins for sure

 

So the resulting FGT config might be like this (check before copy & paste!):

---

 

config system admin
    edit "Redes"
        set remote-auth enable
        set accprofile "no-access"
        set vdom "root"
        set wildcard enable
        set remote-group "Redes-radius"
        set accprofile-override enable
        set radius-vdom-override enable
    next
end

 

config user group
    edit "Redes-radius"
        set member "authenticator-radius"
        config match
            edit 1
                set server-name "authenticator-radius"
                set group-name "Redes"
            next
        end
    next
end

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
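The reply above lists several things to verify by hand: the Kerberos realm should be the domain in upper case, and the wildcard admin on the FGT needs remote-auth, wildcard and accprofile-override enabled, a remote-group whose RADIUS match ties the Fortinet-Group-Name AVP to that group, and a group that holds only the RADIUS server and is used nowhere else. The script below is an added example written for this page; it is not Fortinet code and not from the poster. It parses FortiGate CLI text of the shape shown in the reply into nested dicts and checks those points offline. The config text inside it is a constructed sample that mirrors the posted snippet; the "used anywhere else" check simply scans the parsed config for other references to the group name; and the 15-character NetBIOS length rule in `check_ad_join_fields` is a general NetBIOS limit, not something the thread states.

```python
"""Offline lint for the FAC/FGT wildcard-admin setup discussed in this thread.

Added example, not Fortinet code. Parses FortiGate `config/edit/set/next/end`
text into nested dicts and checks the hints from the reply. All config text
here is a constructed sample.
"""
import re
from typing import Dict, Iterator, List

# Constructed sample: the reply's snippet in normal CLI layout.
SAMPLE_FGT_CONFIG = """
config system admin
    edit "Redes"
        set remote-auth enable
        set accprofile "no-access"
        set vdom "root"
        set wildcard enable
        set remote-group "Redes-radius"
        set accprofile-override enable
        set radius-vdom-override enable
    next
end
config user group
    edit "Redes-radius"
        set member "authenticator-radius"
        config match
            edit 1
                set server-name "authenticator-radius"
                set group-name "Redes"
            next
        end
    next
end
"""

# Constructed counter-example violating three hints: override missing,
# a local user in the group, and the group reused in a firewall policy.
BROKEN_FGT_CONFIG = (
    SAMPLE_FGT_CONFIG.replace("        set accprofile-override enable\n", "")
    .replace('set member "authenticator-radius"', 'set member "authenticator-radius" "alice"')
    + 'config firewall policy\n    edit 1\n        set groups "Redes-radius"\n    next\nend\n'
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _tokens(line: str) -> List[str]:
    """Split one CLI line into words, honouring double-quoted values."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(line)]


def parse_fgt_config(text: str) -> Dict:
    """Return {section: {entry: {setting: [values], subsection: {...}}}}."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        toks = _tokens(raw.strip())
        if not toks:
            continue
        kw, args = toks[0], toks[1:]
        if kw in ("config", "edit"):            # open a nested block
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":                        # multi-valued settings stay lists
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _references(node: Dict, value: str, path: str = "") -> Iterator[str]:
    """Yield config paths of every 'set' whose values include `value`."""
    for key, item in node.items():
        here = f"{path}/{key}" if path else key
        if isinstance(item, dict):
            yield from _references(item, value, here)
        elif value in item:
            yield here


def lint_wildcard_admin(cfg: Dict, admin: str, radius_server: str, group_avp: str) -> List[str]:
    """Return findings; an empty list means the setup matches the reply's hints."""
    findings: List[str] = []
    entry = cfg.get("system admin", {}).get(admin)
    if entry is None:
        return [f"system admin '{admin}' not found"]
    for key in ("remote-auth", "wildcard", "accprofile-override"):
        if entry.get(key) != ["enable"]:
            findings.append(f"admin '{admin}': '{key}' is not enabled")
    group_name = (entry.get("remote-group") or [""])[0]
    group = cfg.get("user group", {}).get(group_name)
    if group is None:
        return findings + [f"admin '{admin}': remote-group '{group_name}' not defined"]
    if group.get("member", []) != [radius_server]:   # no local users in the admin group
        findings.append(f"group '{group_name}': members must be exactly ['{radius_server}']")
    matches = group.get("match", {}).values()        # AVP string must map to this group
    if not any(m.get("server-name") == [radius_server] and m.get("group-name") == [group_avp]
               for m in matches):
        findings.append(f"group '{group_name}': no RADIUS match with group-name '{group_avp}'")
    for ref in _references(cfg, group_name):         # group must not be used elsewhere
        if not ref.startswith("system admin/"):
            findings.append(f"group '{group_name}' is also referenced at {ref}")
    return findings


def check_ad_join_fields(domain: str, realm: str, netbios: str) -> List[str]:
    """Realm must be the upper-cased domain; NetBIOS name 1-15 chars, no dots (assumed rule)."""
    findings = []
    if realm != domain.upper():
        findings.append(f"Kerberos realm should be '{domain.upper()}', got '{realm}'")
    if not 1 <= len(netbios) <= 15 or "." in netbios:
        findings.append(f"NetBIOS name '{netbios}' must be 1-15 characters without dots")
    return findings


if __name__ == "__main__":
    cfg = parse_fgt_config(SAMPLE_FGT_CONFIG)
    print(lint_wildcard_admin(cfg, "Redes", "authenticator-radius", "Redes") or "FGT config OK")
    print(check_ad_join_fields("hellboy.com", "hellboy.com", "fac.hellboy.com"))
```

Run it as-is to see the sample pass and the realm check fail on a lower-case realm; paste a real `show system admin` / `show user group` output into `SAMPLE_FGT_CONFIG` to lint your own box.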

heriherwanto
New Contributor III

Did you solve this problem? I have a problem with the FAC NetBIOS name: how can we find the source of this name, or how can we create this name?
