Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Forticlient RADIUS server authentication - use...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forticlient RADIUS server authentication - user groups
Kind of a strange question:
I have two RADIUS servers, and two different user groups defined - one per RADIUS server.
I'm wondering if there's a way to prioritize authenticating against one RADIUS server over the other.
So, we have a user connect via Forticlient, and authenticate against RADIUS Server1, which puts him/her in Group1. If Server1 is down, then it would authenticate against the Server2 and put the user in a differnt group.
I thought I could achieve the desired result via the policies - put the user group from Server1 in a policy above a policy that refers to the user group from Server2, but it seems like authentication is happening round-robin across the RADIUS servers, so it's impossible to predict which server will authenticate.
Any ideas how to prefer one over the other?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's listed in the user_group is the order IIRC, but outside of placing the two nodes behind VIP , and priority weight-lb or "sloppy" . I do not see how you can prioritize if your looking for SERVER1 and then SERVER2 & only if #1 is not available.
Qs:
Why do you want two different groups tho? Are you looking for a failover or load-share/balance on the two RADIUS-SERVERS?
FWIW: check out this new post on my blog with using RADIUS-aaS and the example of a failover approach with FGT. I did this in the pass and even with a a group of "group-of-servers"
http://socpuppet.blogspot.com/2017/03/using-jump-cloud-radius-for-fortimail.html
We 've use a INSIDE VIP & mapped to 2 or more RADIUS servers(nodes). Under your config real server, you will have to set weight if you wanted to nail all connections to a server x.x.x.x over y.y.y.y.
e.g
VIP
set ldb-method weighted
realserver
NODE_A
set weight 1000
NODE_B
set weight 0
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken:
Interesting about the VIPs.
I guess I don't need two groups, here's what I'm trying to get:
RADIUS server1 is a MS MFA server that relays RADIUS requests to a MS NPS server. This works great, I can authenticate and define different Fortigate user groups based on AD groups using the Fortinet specific RADIUS attribute. So if it's up and working, I want users to authenticate to RADIUS server1.
However, if it's down, I want users to fail to the 2nd RADIUS server, which is just a MS NPS server with NO MFA.
Essentially, I would like the Forticlient users to authenticate via MFA if possible, but if the server is having issues to "fail open" by then authenticating against a non-MFA RADIUS box.
thanks,
Jim
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you place the 2x RADIUS behind a SLB and weight all radius request and act to server1. If server#1 goes down ( fails health checks ) , authenticate via server#2.?
ideal you should try to get MFA for both servers.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good idea, I guess i could use a load balancer, but I would hate to add yet another device to the authentication process.
I do already have 2xMFA servers that relay authentication to 2xNPS servers. My thinking is if there is something wrong with the MFA service across both servers, that the authentication would fail to other RADIUS servers (non-MFA), so that it would "fail open."
That makes me wonder how authentication is handled when connecting by Forticlient. Do you authenticate to ONE of the multiple RADIUS servers, or all of them? I think I'll need to get some packet captures going, and dig through some logs to find out.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my setup we are behind a A10 AX , so we have a priority assigned to the server and service. We only fail to our 2nd RADIUS instance if the primary goes down. So it's using a ADC as a "failover" vrs a load-share. F5 and serverIron all have something similar and in forties the weight should accomplish that.
In this case, we have all controls, logging, audit trails, at the primary and only see the secondary if it ever becomes priority.
If you don't mind what are you using for MFA? We are using EntrustIdGuard in my day job but for f5 baggage-clients. I've also used googauthen but again with non forticlient items.
In that jump cloud blog, I ran a few sites in that same fashion and did a few POC using the 2x radius instance with a high degree of success. It worked flawlessly.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken:
We are using Microsoft's Multi-Factor Authentication server running on Windows 2012 r2.
That provides the MFA feature (along with the 'authenticator' app phones).
Those servers relay the authentication requests to a Microsoft NPS server (Win2k12r2), which is where we have different Network Connection policies for different AD groups. The NPS server then sends back the group membership via a Fortinet-specific RADIUS attribute to the MFA server, which relays it back to the Fortigate.
Seems like a lot of moving pieces, but it works well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good Morning,
I see where there is reference to a Fortinet vendor specific attribute being set on the NPS server. Is there a document for this configuration. I have been trying for days to get the fortigate > MFA > NPS to work with forticlient but have been unsuccessful.
I get the primary authentication to the mobile device but then it fails with wrong credentials.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this is what I used to get mine working. I may be able to pull some screenshots from my environment later today.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Jim, This looks great. Much appreciated.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,619 -
FortiClient
1,741 -
5.2
801 -
FortiManager
720 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
470 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
SSL-VPN
236 -
FortiAuthenticator v5.5
234 -
Fortiweb
205 -
IPsec
203 -
5.0
196 -
FortiNAC
186 -
FortiGuard
139 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiAuthenticator
95 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
56 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
37 -
SAML
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 227 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.