Hello FAC admins
I'm working on FAC 6.6.2.
I noticed that FAC's local LDAP can be used only for local user DB.
So far I mainly used it as RADIUS server (Corp LDAP as back-end) in order to add MFA.
But now following our new requirement I didn't find a way to use it as LDAP server for accounts that are imported from Corp LDAP.
Is it me or this feature is not available?
Solved! Go to Solution.
Full-on LDAP proxy feature is not available currently. Your observations are correct. :)
So basically you need to 'proxy' the LDAP through FAC and apply tokens to the users. I did a quick check internally and this is not currently supported in FAC. You can read more about the FortiAuthProxy that seems to support your request.
Hi @AEK ,
I hope this Youtube video can help you:
https://www.youtube.com/watch?v=7KrZjqmcIhc&ab_channel=FullProxyLabs
Hi Jerry
Unfortunately on the video he is configuring FAC's front-end as RADIUS, not LDAP :(
Sorry, AEK, I did not watch it.
we do that here by having some task in fac that regularly fetches users from AzureAD if they are in a specific AD group. You need the fetch these in order to be able to apply MFA to the user in FAC :)
FAC then acts as radius server for our FGT and IPSEcs and even some AD things. Works fine with AD Auth as 1FA plus FortiToken as 2FA.
The only negative thing is that some Fortinet Appliances (like e.g. FAZ) do not support radius user groups which requires me to manually create the users there as radius users.
Fortigates and FOS IPSec xauth do support radius groups though.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
and AD basically is LDAP too :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Full-on LDAP proxy feature is not available currently. Your observations are correct. :)
So basically you need to 'proxy' the LDAP through FAC and apply tokens to the users. I did a quick check internally and this is not currently supported in FAC. You can read more about the FortiAuthProxy that seems to support your request.
Thanks for the confirmation.
I also see FortiAuthProxy is new Fortinet product. First time I hear about. Thanks for the info.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.