Leoaungthu
New Contributor II

FortiAuthenticator and RHEL Server Integration for MFA and authenticate to AD Users

Hello Anyone and Experts,

Could you please help and advise me on integration between FortiAuthenticator and a RHEL server for MFA for AD users?

Actually, I followed the article below for Linux integration, but it is not working.

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Integrating-Linux-login-with-Fort...

 

FortiAuthenticator version: 6.6.2

RHEL OS version: 9.4

 

Thanks,

Leo

AEK
SuperUser

Hi Leo

What do you see in FAC's authentication logs?

Also, a good idea is to first try without MFA, and once it works, then add MFA.

AEK
Leoaungthu
New Contributor II

Hi AEK,

Thanks for your reply. I can ping my FortiAuthenticator but cannot see any RADIUS request coming from the RHEL server.

I think that RHEL has some restrictions and I have no idea how I can resolve this.

Could you please advise?

 

Thanks,

Leo

AEK

Hi Leo

  • Is there a firewall between your RHEL and FAC? If so, then check if the RADIUS traffic is allowed, and check if the firewall can actually see this traffic
  • Check if RHEL's firewall is blocking the RADIUS traffic
  • Use tcpdump on your RHEL to see if the RADIUS requests are actually being sent from your RHEL. Also check if they are sent from the right server port and with the right source IP and destination IP

Once you share the result we may help further.

AEK
Leoaungthu
New Contributor II

Hello AEK,

Yes, there is a FortiGate firewall between RHEL and FortiAuthenticator.

We didn't see any RADIUS traffic hitting the firewall from the RHEL server, so I assume that RHEL itself cannot send RADIUS traffic outside.

That's why I have no idea how I can check for any required permission for that.

 

Thanks,

Leo 

AEK

Then do you see the traffic being sent when you run "tcpdump -i any port 1812" on the RHEL server? If yes, then do you see it sent from the right server port and with the right source IP?

AEK
Leoaungthu
New Contributor II

Hello AEK,

I saw: eth0  Out IP ip-10-xx-xx-xx.abc.com.58544 > 10.xx.xx.xx.radius: [|radius]

The source IP and destination IP are correct, but I don't know what 58544 is; I am not sure whether it is a dynamic port or something else.

 

Thanks,

Leo

AEK

Port 58544 is a dynamic port because it is the client port.

The RADIUS query seems to be generated correctly on the server.

On the RHEL server, try checking whether the local firewall (firewalld) is allowing the RADIUS packet to leave the server.

Also try to double-check whether the RADIUS query is reaching your firewall, using the "diag sniffer" command.

AEK
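
Added example (not part of the original thread and not Fortinet code): a small Python helper that reads lines saved from the "tcpdump -i any port 1812" capture discussed above and lists RADIUS requests that left the RHEL server but never got a reply, keyed by client IP, dynamic client port and server. The sample lines and addresses are constructed, and the line layout is assumed to match the one quoted in the thread.

```python
import re

# Matches the layout quoted in the thread: "<iface> Out IP <src>.<port> > <dst>.<port>:"
# A leading timestamp is tolerated because the pattern is searched, not anchored.
LINE = re.compile(
    r"(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+(?P<dst>\S+)\.(?P<dport>[\w-]+):"
)
# tcpdump prints the service name unless it is run with -n.
RADIUS_PORTS = {"radius", "1812"}


def unanswered_requests(lines):
    """Return {(client, client_port, server): request_count} for flows with no reply."""
    pending = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 packet line, ignore
        if m["dir"] == "Out" and m["dport"] in RADIUS_PORTS:
            # Request leaving this host; the source port is the dynamic client port.
            key = (m["src"], m["sport"], m["dst"])
            pending[key] = pending.get(key, 0) + 1
        elif m["dir"] == "In" and m["sport"] in RADIUS_PORTS:
            # Reply from the RADIUS server; clear the matching request flow.
            pending.pop((m["dst"], m["dport"], m["src"]), None)
    return pending


# Constructed sample capture (addresses are placeholders, not from the thread).
SAMPLE = [
    "eth0  Out IP 10.0.0.21.58544 > 10.0.0.5.radius: [|radius]",
    "eth0  Out IP 10.0.0.21.58544 > 10.0.0.5.radius: [|radius]",
    "eth0  Out IP 10.0.0.21.40112 > 10.0.0.5.1812: RADIUS, Access-Request (1), id: 0x2a length: 77",
    "eth0  In  IP 10.0.0.5.1812 > 10.0.0.21.40112: RADIUS, Access-Accept (2), id: 0x2a length: 20",
]

if __name__ == "__main__":
    for (client, port, server), count in unanswered_requests(SAMPLE).items():
        print(f"{count} request(s) from {client}:{port} to {server} with no reply")
```

A flow that shows up here was seen leaving the server but no answer came back on the same client port, which points the search at the path or the RADIUS server rather than at the client configuration.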