Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK (SuperUser)

FortiAuthenticator as intermediate LDAP for Corp LDAP

Hello FAC admins

I'm working on FAC 6.6.2.

I noticed that FAC's local LDAP can be used only for the local user DB.

So far I have mainly used it as a RADIUS server (with Corp LDAP as the back end) in order to add MFA.

But now, following a new requirement, I haven't found a way to use it as an LDAP server for accounts that are imported from Corp LDAP.

Is it me, or is this feature not available?

AEK
2 Solutions
pminarik (Staff)

Full-on LDAP proxy feature is not available currently. Your observations are correct. :)

[ corrections always welcome ]


ebilcari (Staff)

So basically you need to 'proxy' the LDAP through FAC and apply tokens to the users. I did a quick check internally, and this is not currently supported in FAC. You can read more about FortiAuthProxy, which seems to support your request.

- Emirjon

dingjerry_FTNT

Hi @AEK,

I hope this YouTube video can help you:

https://www.youtube.com/watch?v=7KrZjqmcIhc&ab_channel=FullProxyLabs

Regards,

Jerry
AEK

Hi Jerry

Unfortunately, in the video he is configuring FAC's front end as RADIUS, not LDAP :(

AEK
AEK
dingjerry_FTNT

Sorry, AEK, I did not watch it.

Regards,

Jerry
sw2090 (SuperUser)

We do that here by having a task in FAC that regularly fetches users from Azure AD if they are in a specific AD group. You need to fetch these in order to be able to apply MFA to the user in FAC :)

FAC then acts as RADIUS server for our FGT and IPsecs and even some AD things. Works fine with AD auth as 1FA plus FortiToken as 2FA.

The only negative thing is that some Fortinet appliances (e.g. FAZ) do not support RADIUS user groups, which requires me to manually create the users there as RADIUS users.

FortiGates and FOS IPsec XAuth do support RADIUS groups, though.

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
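The setup sw2090 describes is the one thing the thread confirms FAC does offer: a RADIUS front end in front of an LDAP back end, rather than an LDAP proxy. The following is an added example, not code from the thread or from Fortinet, that models that RADIUS exchange per RFC 2865: the Access-Request a NAS such as a FortiGate sends (with the User-Password hidden under the shared secret and a per-request Request Authenticator), the server-side reveal and policy decision, and the Response Authenticator the NAS must verify before trusting an Access-Accept. The shared secret, NAS-Identifier, user name and password are constructed sample values, and the user dictionary is a stand-in for the Corp LDAP bind FAC would actually perform; how the FortiToken second factor is carried (appended to the password or requested via Access-Challenge) depends on the FAC policy and is not modelled here.

```python
"""RFC 2865 RADIUS PAP exchange between a NAS (e.g. FortiGate) and a RADIUS
server (e.g. FortiAuthenticator). Added example; all secrets, names and
passwords are constructed sample values, not taken from the thread."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-octet blocks; XOR block i with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: inverse of hide_password, with the NUL padding stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_identifier: str, authenticator: bytes = b"") -> bytes:
    """NAS side. The Request Authenticator must be 16 unpredictable octets per
    request; the parameter exists only so a test can be deterministic."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list, refusing packets whose Length field or attribute lengths lie."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if it is bound to our request and the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def server_authenticate(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy stand-in for the FAC policy: check the credential against a back end
    (a constructed dict here; Corp LDAP in the thread) and answer Accept or Reject."""
    attrs = parse_attributes(request)
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    if ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    stored = users.get(username)
    ok = stored is not None and hmac.compare_digest(stored, supplied)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

Two points worth noticing when running it: the User-Password hiding is not encryption in any modern sense (a NAS using a weak shared secret or a predictable Request Authenticator leaks the password, which is why the authenticator comes from `os.urandom`), and a NAS that skips `verify_response` will accept any Access-Accept a spoofer sends with the right Identifier.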
sw2090 (SuperUser)

And AD basically is LDAP too :)

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
AEK (SuperUser)

Thanks for the confirmation.

I also see FortiAuthProxy is a new Fortinet product. First time I've heard of it. Thanks for the info.

AEK