FortiAuthenticator and RHEL Server Integration for MFA and authenticate to AD Users
Hello Anyone and Experts,
Could you please help me and advise me on the integration between FortiAuthenticator and RHEL Server for MFA for AD users?
Actually, I followed the article below for Linux integration, but it is not working.
FortiAuthenticator version: 6.6.2
RHEL OS version: 9.4
Thanks,
Leo
Hi Leo
What do you see in FAC's authentication logs?
Also, a good idea is to first try without MFA and, once it works, then add MFA.
Hi AEK,
Thanks for your reply. I can ping my FortiAuthenticator but cannot see any RADIUS request coming from the RHEL server.
I think that RHEL has some restrictions and I have no idea how I can resolve this.
Could you please advise?
Thanks,
Leo
Hi Leo
- Is there a firewall between your RHEL and FAC? If so, then check if the RADIUS traffic is allowed, and check if the firewall can actually see this traffic
- Check if RHEL's firewall is blocking the RADIUS traffic
- Use tcpdump on your RHEL to see if the RADIUS requests are actually being sent from your RHEL. Also check if they are sent from the right server port and with the right source IP and destination IP
Once you share the result, we may help further.
Hello AEK,
Yes, there is a FortiGate firewall between RHEL and FortiAuthenticator.
We didn't see any RADIUS traffic hitting the firewall from the RHEL server, so I assume that RHEL itself cannot send RADIUS traffic outside.
That's why I have no idea how I can check for any required permission on that.
Thanks,
Leo
Then do you see the traffic being sent when you run "tcpdump -i any port 1812" on the RHEL server? If yes, then do you see it sent from the right server port and with the right source IP?
Hello AEK,
I saw: eth0 Out IP ip-10-xx-xx-xx.abc.com.58544 > 10.xx.xx.xx.radius: [|radius]
The source IP and destination IP are correct, but I don't know what 58544 is; I am not sure whether it is a dynamic port or something else.
Thanks,
Leo
Port 58544 is a dynamic port because it is the client port.
The RADIUS query seems to be generated correctly on the server.
On the RHEL server, try checking if the local firewall (firewalld) is allowing the RADIUS packet to leave the server.
Also try to double-check if the RADIUS query is reaching your firewall, using the "diag sniffer" command.
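
To read a capture like the one discussed in this thread, the following added example (not part of any post above) pairs outgoing RADIUS requests with replies that return to the same ephemeral client port. The capture command, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Parses lines from "tcpdump -i any -nn udp port 1812" (assumed capture command).
# Layout: "<time> <iface> <In|Out> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(
    r"(?P<dir>In|Out)\s+IP\s+(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):"
)
RADIUS = {"1812", "radius"}  # tcpdump prints "radius" when it resolves port names

def summarize(lines):
    """Return (requests_sent, requests_answered) for RADIUS authentication flows."""
    pending = {}  # (client_ip, client_port, server_ip) -> requests still unanswered
    sent = answered = 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        if m["dir"] == "Out" and m["dport"] in RADIUS:
            key = (m["src"], m["sport"], m["dst"])
            pending[key] = pending.get(key, 0) + 1
            sent += 1
        elif m["dir"] == "In" and m["sport"] in RADIUS:
            # A reply returns to the same ephemeral client port the request left from.
            key = (m["dst"], m["dport"], m["src"])
            if pending.get(key, 0) > 0:
                pending[key] -= 1
                answered += 1
    return sent, answered

def verdict(lines):
    sent, answered = summarize(lines)
    if sent == 0:
        return "no request left this host: check the RADIUS client configuration"
    if answered == 0:
        return "requests sent, no reply: trace the path to the RADIUS server"
    return "server replied: continue in the authentication logs"

# Constructed sample captures (documentation addresses, not from the thread).
NO_REPLY = [
    "12:00:01.000001 eth0  Out IP 192.0.2.10.58544 > 192.0.2.20.1812: RADIUS, Access-Request (1), id: 0x2a length: 75",
    "12:00:04.000002 eth0  Out IP 192.0.2.10.58544 > 192.0.2.20.1812: RADIUS, Access-Request (1), id: 0x2a length: 75",
]
WITH_REPLY = NO_REPLY[:1] + [
    "12:00:01.020003 eth0  In  IP 192.0.2.20.1812 > 192.0.2.10.58544: RADIUS, Access-Accept (2), id: 0x2a length: 20",
]

if __name__ == "__main__":
    print(verdict(NO_REPLY))
    print(verdict(WITH_REPLY))
```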
