FortiAuthenticator as intermediate LDAP for Corp LDAP
Hello FAC admins
I'm working on FAC 6.6.2.
I noticed that FAC's local LDAP can be used only for local user DB.
So far I have mainly used it as a RADIUS server (Corp LDAP as back-end) in order to add MFA.
But now, following our new requirement, I didn't find a way to use it as an LDAP server for accounts that are imported from Corp LDAP.
Is it me, or is this feature not available?
Full-on LDAP proxy feature is not available currently. Your observations are correct. :)
So basically you need to 'proxy' the LDAP through FAC and apply tokens to the users. I did a quick check internally and this is not currently supported in FAC. You can read more about the FortiAuthProxy that seems to support your request.
If you have found a solution, please like and accept it to make it easily accessible for others.
Hi @AEK ,
I hope this Youtube video can help you:
https://www.youtube.com/watch?v=7KrZjqmcIhc&ab_channel=FullProxyLabs
Jerry
Hi Jerry
Unfortunately, in the video he is configuring FAC's front-end as RADIUS, not LDAP :(
Sorry, AEK, I did not watch it.
Jerry
We do that here by having a task in FAC that regularly fetches users from AzureAD if they are in a specific AD group. You need to fetch these in order to be able to apply MFA to the user in FAC :)
FAC then acts as a RADIUS server for our FGTs and IPsecs and even some AD things. Works fine with AD auth as 1FA plus FortiToken as 2FA.
The only negative thing is that some Fortinet appliances (e.g. FAZ) do not support RADIUS user groups, which requires me to manually create the users there as RADIUS users.
FortiGates and FOS IPsec XAuth do support RADIUS groups though.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
and AD basically is LDAP too :)
Thanks for the confirmation.
I also see FortiAuthProxy is a new Fortinet product. First time I hear about it. Thanks for the info.
