FortiAuthenticator as a Radius Server

new2fortinet · ‎03-27-2023

Hello Team,

I need some guidance on FortiAuthenticator.

Let's assume I want to implement FortiAuthenticator as a Radius (and Tacacs) Server only, for a small group of Network Engineers (30 Engineers) and about 3000 devices (switches and firewalls)

Second assumption is to run FortiAuthenticator as a Virtual Appliance, what calculation needs to be done on the amount of users to match a certain type/size ? For example FAC-VM-BASE ( 100 users )

Thanks in advance !

funkylicious · ‎03-27-2023

https://docs.fortinet.com/document/fortiauthenticator/6.4.7/release-notes/917508/maximum-values-for-...

"jack of all trades, master of none"

View solution in original post

akanibek · ‎03-28-2023

Hi, @new2fortinet,

yes, it is. However, you can also specify devices with subnets to fit the licensing count.

Asset

View solution in original post

funkylicious · ‎03-28-2023

FAC is mostly used for 2FA for users via Token or email, for either SSLVPN or SAML.

For large deployments where you only want to do AAA via RADIUS, like the one you described i don't think its best suited, financial wise.

"jack of all trades, master of none"

View solution in original post

funkylicious · ‎03-27-2023

https://docs.fortinet.com/document/fortiauthenticator/6.4.7/release-notes/917508/maximum-values-for-...

"jack of all trades, master of none"

new2fortinet · ‎03-28-2023

Hello Funkylicious,

Many thanks for the calculation table.

Apologies beforehand, but I am not sure if I understand correctly, for example FAC-VM-1000-UG would be 1000 users and based on this I can only have roughly 333 switches/routers or firewalls running Radius authentication ?

In the example of 5000 users, I could only have 1666 devices ?

akanibek · ‎03-28-2023

Hi, @new2fortinet,

yes, it is. However, you can also specify devices with subnets to fit the licensing count.

Asset

new2fortinet · ‎03-28-2023

Many thanks !

The issue I might run into is the price difference between FAC-VM-1000-UG and FAC-VM-10000-UG which I most likely cannot justify for a tacacs/radius server solution.

Same goes for a hardware appliance, the FAC-300F versus FAC-800F which is 3 times the price.

funkylicious · ‎03-28-2023

FAC is mostly used for 2FA for users via Token or email, for either SSLVPN or SAML.

For large deployments where you only want to do AAA via RADIUS, like the one you described i don't think its best suited, financial wise.

"jack of all trades, master of none"

new2fortinet · ‎03-28-2023

Thanks for the feedback, what would you advice to use as Radius/Tacacs server ? Would Free Radius a the way forward ? I like the way how the Fortinet GUI is setup, as that would make it more inline with the Fortigates in the field with the user experience.

new2fortinet · ‎03-30-2023

Hello all,

Many thanks for your responses, I will check for another Radius solution to have the units in the field authenticated against userid/password and AD/LDAP.

FortiAuthenticator as a Radius Server

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website