Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lpi
New Contributor II

Fortiauthenticator and agent not working with second LDAP server.

Hello,

 

My setup is this one, FACv6.5.3, Fortigate 7.4.1, AD2K19 and agent version 5.

I have a dual AD and LDAP connection with one important remark: Both usernames are the same !!! Strange I know.

 

I'm in fact managing two isolated networks, the FAC is having an interface on both networks. In long term, they will migrate into a single infrastructure but in the meantime I have to deal with that.

 

- FAC interface port1: Network1 : The agent authentication and push are working perfectly. FAC is logging the traffic.

- FAC interface port2: Network2 : The agent authentication and push are not working. No logs.

 

I can see the traffic using wireshark but ...

 

Any idea how to debug this ?

KR

Laurent

6 REPLIES 6
dbu
Staff
Staff

Hello @lpi ,
You can check further debugs by going to https://<FAC IP>/debug/ > Choose "RADIUS Authentication" > Click button "Enter debug" 

Reproduce the issue again and the debug will show more outputs regarding this authentication request. 
Since both LDAP servers have same information is it possible to add them as one by using the option "Use secondary server"  ? 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
lpi
New Contributor II

Hello, this is not radius auth but in fact I have nothing in the logs.

Debbie_FTNT
Staff
Staff

Hey Laurent,

that's strange, that FortiAuthenticator allows agent and push on one interface, but not the other.

Just to be sure:

- you have enabled the same admin and service access on both interfaces for API? You might need to allow HTTPS admin access as well (it ties into the API used by Agent), in addition to some HTTPS service options

- for push notification this should not be terribly relevant, as push notification would be sent out the default interface (and reply received on that interface) no matter where the client is that triggered push.

- it looks to me as if on port2/Network2 the agent can't initiate user authentication to then trigger push.

- You should have some agent logs under "Program Files\Fortinet\FortiAuthenticator Agent\logs"; these might give more details on the error (such as timeout)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
lpi
New Contributor II

Hello,

- I've added the same services as on the port1.

- Correct push should be sent out based on routing table. What I have seen is that the FAC is trying to reach the DNS on the port2 for push and mobiletoken DNS names.

- Even OTP is not working on that interface, I always get a 401 Unauthorized but no logs on FAC.

 

 

I will check the logs on the client side.

KR

Laurent

lpi
New Contributor II

One remark, I get FGD SMS: unable to resolve server domain name

But I'm not using SMS validation.

lpi
New Contributor II

I've created a new user (copy) with a unique username and moved the mobile token, same issue. 

In fact simple OTP is not working on that port2 interface.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors