new2fortinet
New Contributor

FortiAuthenticator as a Radius Server

Hello Team,

 

I need some guidance on FortiAuthenticator.

Let's assume I want to implement FortiAuthenticator as a Radius (and Tacacs) server only, for a small group of network engineers (30 engineers) and about 3000 devices (switches and firewalls).

The second assumption is to run FortiAuthenticator as a virtual appliance. What calculation needs to be done on the number of users to match a certain type/size? For example, FAC-VM-BASE (100 users).

 

Thanks in advance !

7 REPLIES 7
funkylicious
Contributor III

geek
new2fortinet
New Contributor

Hello Funkylicious,

 

Many thanks for the calculation table.

Apologies beforehand, but I am not sure if I understand correctly. For example, FAC-VM-1000-UG would be 1000 users, and based on this I can only have roughly 333 switches/routers or firewalls running Radius authentication?

In the example of 5000 users, I could only have 1666 devices?

akanibek

Hi, @new2fortinet,

Yes, it is. However, you can also specify devices with subnets to fit the licensing count.

new2fortinet

Many thanks !

The issue I might run into is the price difference between FAC-VM-1000-UG and FAC-VM-10000-UG which I most likely cannot justify for a tacacs/radius server solution.

Same goes for a hardware appliance, the FAC-300F versus FAC-800F which is 3 times the price.

 

funkylicious

FAC is mostly used for 2FA for users via Token or email, for either SSLVPN or SAML.

For large deployments where you only want to do AAA via RADIUS, like the one you described, I don't think it's best suited, financial-wise.

geek
new2fortinet

Thanks for the feedback. What would you advise to use as a Radius/Tacacs server? Would Free Radius be the way forward? I like the way the Fortinet GUI is set up, as that would make it more in line with the FortiGates in the field in terms of user experience.

new2fortinet
New Contributor

Hello all,

Many thanks for your responses, I will check for another Radius solution to have the units in the field authenticated against userid/password and AD/LDAP.
