Fortinet Support Forum
thilinapm
New Contributor

Fortiauthenticator ldap auth both dnshostname and samaccountname

Hi,

Is it possible to use both sAMAccountName and dnsHostName authenticated against the same LDAP server? I cannot get it to work. If I change the username attribute to dnsHostName as below, it authenticates with dnsHostName but not with sAMAccountName. How can I get both working so I can authenticate using both the computer name and the username?

[attached screenshot: thilinapm_0-1650082179564.png]

Thanks

Thilina

Markus_M (Staff)

Hi,

No. You cannot do this in one LDAP entry. The entry will ask for the supplied username to be found in the Username Attribute. This is intended, as you do not mix computer and username attributes and then put them into a group.

A computer can be used by multiple users.

A user can use multiple computers.

To accommodate appropriate settings for the objects, you will need to create two LDAP server entries.

Best regards,

Markus

thilinapm

Thanks Markus,

But what if I need to do PEAP for wired users using computer-name authentication, and wireless authentication using user authentication on BYOD devices? I cannot get it to work because of this limitation.

And I can't create two LDAP server entries for the same server; it doesn't allow that.

Thanks

Thilina

thilinapm

And Windows NPS allows you to do this easily; I can't understand why FAC can't do that.

Markus_M (Staff)

Hi Thilina,

You need to create two LDAP server entries, not two entries within one LDAP server.

You can define the "realm" that your users are in, if need be.

You will likely already have two RADIUS policies that refer to your user bases:

- wired users, so a switch as a RADIUS client.

- wireless users, a WLC as a RADIUS client.

Best regards,

Markus

thilinapm

Thanks Markus,

I believe you meant another LDAP entry to another DC in the same domain, right?

Regards

Thilina

Markus_M

Hello Thilina,

Another LDAP entry, but it can be the same domain (try it out!).

The mapping is the important part. One LDAP entry can be used for one LDAP attribute, such as sAMAccountName; the other LDAP entry can map another LDAP attribute, such as dnsHostName.

Best regards,

Markus
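The following is an added example, not FortiAuthenticator or Fortinet code and not part of this thread: a small model of what Markus describes in his two replies, an LDAP server entry that matches the RADIUS-supplied identity against exactly one username attribute, and a second entry for the other attribute selected by RADIUS policy (wired switch vs. WLC). The in-memory directory, DNs, the corp.example.com domain and the entry and policy names are constructed for the example; the stripping of "host/", "DOMAIN\" and "@realm" decoration reflects how 802.1X supplicants format identities, not how FortiAuthenticator implements it. It also shows the RFC 4515 filter escaping any such lookup needs, since the identity string comes straight from the supplicant.

```python
"""
Added example, not FortiAuthenticator or Fortinet code: model of an LDAP
server entry with a single "username attribute", and why one entry cannot
serve both sAMAccountName and dnsHostName lookups. Directory contents, DNs
and names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

BASE_DN = "DC=corp,DC=example,DC=com"  # assumed example domain

# Constructed sample directory: one computer object and one user object.
DIRECTORY = [
    {
        "dn": "CN=PC01,CN=Computers," + BASE_DN,
        "objectClass": "computer",
        "sAMAccountName": "PC01$",  # computer accounts end in '$'
        "dnsHostName": "pc01.corp.example.com",
    },
    {
        "dn": "CN=Jane Doe,CN=Users," + BASE_DN,
        "objectClass": "user",
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@corp.example.com",
    },
]


@dataclass(frozen=True)
class LdapServerEntry:
    """One LDAP server entry: same AD, exactly one attribute the name is matched on."""
    name: str
    username_attribute: str  # "sAMAccountName", "dnsHostName" or "userPrincipalName"


# RFC 4515 escaping for values placed inside a search filter. Without it an
# identity such as 'jdoe)(objectClass=*' would change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalise_identity(identity: str, username_attribute: str) -> str:
    """Strip the decoration 802.1X supplicants put around the bare name.

    Windows machine authentication sends 'host/<FQDN>'; users typically send
    'DOMAIN\\user' or 'user@realm'. The realm suffix is kept only when the
    entry matches on userPrincipalName, where it is part of the value.
    """
    ident = identity
    if ident.lower().startswith("host/"):
        ident = ident[len("host/"):]
    if "\\" in ident:
        ident = ident.split("\\", 1)[1]
    if username_attribute.lower() != "userprincipalname" and "@" in ident:
        ident = ident.split("@", 1)[0]
    return ident


def lookup(entry: LdapServerEntry, identity: str) -> Tuple[str, Optional[str]]:
    """Return (search filter the entry would send, DN found or None)."""
    attr = entry.username_attribute
    value = normalise_identity(identity, attr)
    search_filter = f"({attr}={ldap_filter_escape(value)})"
    # AD compares these attributes case-insensitively. The match is on the
    # normalised value; the escaping only protects the filter syntax.
    for obj in DIRECTORY:
        if obj.get(attr, "").lower() == value.lower():
            return search_filter, obj["dn"]
    return search_filter, None


# One entry per attribute, chosen by RADIUS policy (switch vs. WLC), as the
# reply above suggests. Entry and policy names are assumed for the example.
MACHINES = LdapServerEntry("AD-machines", "dnsHostName")
USERS = LdapServerEntry("AD-users", "sAMAccountName")
RADIUS_POLICIES = {"wired-switch": MACHINES, "wireless-wlc": USERS}


def authenticate_identity(radius_client: str, identity: str) -> Optional[str]:
    """Pick the LDAP entry by RADIUS client and return the matched DN, or None."""
    return lookup(RADIUS_POLICIES[radius_client], identity)[1]


if __name__ == "__main__":
    for client, ident in [("wired-switch", "host/pc01.corp.example.com"),
                          ("wired-switch", "CORP\\jdoe"),
                          ("wireless-wlc", "CORP\\jdoe"),
                          ("wireless-wlc", "host/pc01.corp.example.com")]:
        print(client, ident, "->", authenticate_identity(client, ident))
```

Run it and the machine identity resolves only through the dnsHostName entry while the user identity resolves only through the sAMAccountName entry; a single entry cannot do both because the computer's sAMAccountName is "PC01$", not its FQDN. The escaped filter for the injection-style identity finds nothing instead of matching every object.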

thilinapm

Thanks Markus,

Will try it out and let you know.

Regards

Thilina

thilinapm

Hi Markus,

That did the trick. FAC accepted it, and all is good and working now as expected.

Thanks.

Regards

Thilina

jbackstrom (New Contributor)

We have run this setup for a while, where we have three LDAP server entries for sAMAccountName, UPN and dnsHostName pointing to the same AD with different DNS names and IP addresses. However, we have had issues where basically only one has been active at once, causing problems. Our solution was changing "FortiAuthenticator NetBIOS name" to unique names for every entry, along with separate service accounts for each entry. Adding this here to maybe spare some time for someone else.

Regards,

Joakim

Joakim Backstrom, Nethouse