Hello all,
Currently we are using FortiAuthenticator for FortiToken mfa for ssl vpn, user authentication for ssl vpn, 802.1x authentication for pcs, mac authentication for printers, phones, and other IOT devices, radius authentication for admin users for networking devices, and authentication for corporate wireless. We have a pair of FortiAuthenticator VMs configured as an HA pair in cluster mode in our HQ location. We are trying to figure out what best practices would be for configuration in a Disaster Recovery location. Any insight would be greatly appreciated.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello sroman1,
it depends on what do you expect from DR to do and how complex it supposed to be.
I would expect fully transparent fallbacks without any noticeable impact for end users.
Most of the authentications you mentioned are client-server stateless things, like RADIUS Access-Request followed by Access-Accept (in OK scenario).
Therefore I do not see any reason to sync any dynamic states on FAC besides the user base, and so related config parts. Dynamic states are caught and maintained as auth sessions on devices like FortiGate. Not on FAC, except some SSO, which was not mentioned as it seems to me.
Therefore I would simply extend existing FAC HA A-P cluster with load balanced slaves.
Those LB slaves are A-A cluster, single units as there is no support to chain A-P cluster to another A-P cluster in FAC.
LB slave sync mainly just user base and related data. More details on what is synced can be seen from FAC config, as it actually shows synced status for each data category, or it is in documentation (admin guide on https://docs.fortinet.com ). Otherwise it is standalone unit. And you can hook up to 10 of those LB slaves to a LB master (which could be standalone unit or A-P cluster {your case}).
So if, for example, your FortiGate's RADIUS server config would use master from HQ FAC cluster as primary server, and LB slave FAC as secondary inside same server config, then you will have automatic redundancy in case none of primary cluster FAC servers is accessible, and fall back to LB slave.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hey sroman,
if you want to dig into setting up a load-balancing node with your A-P pair as primary, we have a KB for this: https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-configure-FortiAuthenticat...
Let us know if you have any questions :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.