- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiAuthenticator requires user defined on Fortig...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator requires user defined on Fortigate as Remote User - surely not correct
The Radius Server is correctly setup on the Fortigate, and can pass both the Connection Status and User Test
It seems that we have missed something to tell the Fortigate that if a user is not found locally, that it should then look at a remote Radius Server (the FortiAuthenticator). If we add the user on the Fortigate and tell the Fortigate that the user is a Radius User, then this works perfectly.
But surely this is not correct. You can't surely need to add potentially 100's of users local and then be adding them on the FortiAuthenticator.
What have I missed. I am sure that it must be a case that if the user is not defined as a local user on the Fortigate, that I can tell it to look for the user on the Radius Server.
All help greatly appreciated
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i had similar case and this was my configuration.
let the communication pass thru Radius, config FortiGate and FAC radius service, then configure FAC to talked to your LDAP server.
under FAC, you need to define Realm, Radius Service Policy and User groups including Radius attributes. Please check also from FAC admin guide how to use with "LDAP filter".
Now under FG you can define group name similar to your FAC user group created.
Fortigate Newbie
Fortigate Newbie
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for that
So on the Fortigate, is the key to this in defining a group name "exactly" the same as the FAC usergroup ? I'm sure we tried this. So there definitely isn't some setting somewhere that needs to be set to tell the Fortigate to forward all unknown locally defined users to the Remote Radius server ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Having users on FortiGate, specified, type radius, would work for a few users, especially if you'd like to provide those with FortiToken 2FA but your remote server is not capable of doing 2FA.
But you mentioned FortiAuthenticator !
So there is definitely no need to have users local on FortiGate, even for 2FA.
Therefore completely remote users IS the right way.
First I would highly suggest to have local users defined on FortiGate kept inside a separate user group from those of remote origin.
And so have separate user group for users from remote server, like RADIUS, where this server is defined as sole/exclusive member of user group on FortiGate (NOT mixed with other users).
Then in simplest way possible all the users matching this remote server (those who will be able to successfully authenticate against that server) will be seen as members of this group.
That should work and is simplest way possible how to get remote users from RADIUS (or other things like LDAP/TACACS+) being group members on FortiGate.
Then you can complicate and narrow the things a bit (and I would recommend to get better control over allowed users).
Either on FortiGate side, by feature called "group match", which allows only specific users from remote server, those bearing Fortinet-Group-Name AVP (for RADIUS) and where this string from Access-Accept match user group definition on FortiGate, being only allowed members of the group.
More on Group match in old, but still valid, KB article:
https://kb.fortinet.com/k...amp;externalId=FD36464
Or by narrowing realm and RADIUS Client policy on FortiAuthenticator side only, also to allow only specific users defined on FortiAuthenticator to pass to RADIUS Client (FortiGate in this role).
OR, best way possible, combine those together, so:
---
1. FortiAuthenticator (FAC hereinafter)
- define where you'll get users from, as those can be local users on FAC, or users learned/synced to FAC from your LDAP via Authentication > User Management > Remote User Sync Rules
- group those users on FAC to local group
- set additional RADIUS attributes (AVPs) per group and set Fortinets' Fortinet-Group-Name to string, that will be inherited by all the local users from this group when they authenticate and propagated into Access-Accept
- set realm
- set RADIUS Client > Policy, to use this realm AND !! do NOT FORGET to edit/set allowed groups and select created group, otherwise users will authenticate against realm but would not inherit anything from group AVPs settings
2. FortiGate (FGT hereinafter)
- set RADIUS Server - point to FAC
- set user group with FAC as only member
- set group match to explicitly same string as you have set in FAC and APV Fortinet-Group-Name
- use that group in policy
- test (even 'diag test auth radius <SERVER-FAC> pap <testuser> <password>' should return group membership learned from RADIUS server via/from Access-Accept / Fortinet-Group-Name )
Use, share, enjoy.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Related Posts
- UniFi Controller SSID with FortiGate Captive... 427 Views
- What are the options for user... 457 Views
- Fortinet FSSO and Cisco ISE pxgrid 176 Views
- FSSO for VPN with connection to... 226 Views
- Multicast Flooding Issue with 100+ Apple... 232 Views
Labels
-
FortiGate
6,416 -
FortiClient
1,279 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
407 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
238 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
61 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
43 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
37 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Routing
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.