Seen similar posts in the forums but not my exact scenario - apologies for the long thread post.
We're trying to get this set up for the first time so that VPN clients (IPsec) and admins can BOTH use tokens against FAC... Having issues though with LDAP users imported into FAC - we imported them into groups (VPN users and Admin users) and were able to successfully get administrator authentication using tokens from FAC working to log in to FortiGate administration. The problem is that the "VPN users" group could also log in as admins (as in we could not separate the two).
When trying to get FortiClient token-based login using LDAP users we see in the logs errors about CHAP not being supported, and I've read some posts that detail this a little better. I think I have a decent understanding of that... We are ultimately wondering what the best method is to import users from AD, assign tokens to them, and have different access levels depending on job function (admins vs VPN users) - RADIUS?
I found a couple of cookbook articles but nothing definitive so any input is appreciated before I contact support.
Note that I did set up a local user on FAC and gave it a token, and when FortiClient connects to the FortiGate I get prompted for the token, input the token, but it ultimately fails, while the FAC shows an event that "Authentication with token successful"... The client does not connect and asks for the token again... This thing seems very complex, so general and more specific advice would be greatly appreciated.
Thanks in advance - I will gladly post back what support says once my entitlement is in place, but in the meantime any input is appreciated. Hopefully this can be a thread that others can use moving forward.
dt
We use MFA with FAC on our data center firewalls for both firewall admin and SSL VPN. We accomplished this by creating multiple groups on the FAC and using the Fortinet-Group-Name RADIUS attribute within the group definition to pass the appropriate group name back to the FortiGate. I had a problem grasping this when we got started, as that critical step was not obvious in the documentation.
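To make the group-attribute approach from the reply above concrete, here is an added FortiGate-side CLI example (not configuration posted by either participant, and not taken from Fortinet documentation). It assumes the FAC is reachable at a placeholder address, that two RADIUS groups have been created on the FAC with the Fortinet-Group-Name attribute set to the constructed values "vpn-users" and "fw-admins", and that the FortiGate user groups and admin name are likewise placeholder names. The point is the separation: only the user group that matches "fw-admins" is tied to a wildcard admin account, so a member of the VPN group who authenticates successfully with a token still has no admin login, which is the problem described in the original post.

```fortios
# RADIUS client pointing at the FAC.
# auth-type is set to PAP (an assumption about what FAC accepts for
# LDAP-backed users): CHAP needs the server to hold a reversible password,
# which an LDAP-imported user on FAC does not have, hence the "CHAP not
# supported" log entries mentioned in the first post.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"          # placeholder FAC address
        set secret "REPLACE_WITH_SHARED_SECRET"
        set auth-type pap
    next
end

# One FortiGate group per Fortinet-Group-Name value the FAC returns.
# The match block is what actually does the separation: a RADIUS Accept
# without the expected group name does not make the user a member.
config user group
    edit "VPN-Users"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "vpn-users"     # constructed FAC group name
            next
        end
    next
    edit "FW-Admins"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "fw-admins"     # constructed FAC group name
            next
        end
    next
end

# Wildcard remote admin bound ONLY to the FW-Admins group.
# Do not create any admin entry whose remote-group is "VPN-Users";
# that is what lets VPN users log in to the management interface.
config system admin
    edit "fac-admins"
        set remote-auth enable
        set remote-group "FW-Admins"
        set wildcard enable
        set accprofile "super_admin"
        set vdom "root"
    next
end

# The IPsec/SSL VPN user group reference then uses "VPN-Users" only,
# e.g. under the tunnel's XAuth or the SSL VPN portal mapping.
```

Two checks worth running after applying something like this: `diagnose test authserver radius FAC-RADIUS pap <user> <password+token>` shows whether the Accept carries the expected group name, and a test login with a VPN-group user against the GUI should now fail, because no admin entry references that group.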