Hi all, I'm replacing a Checkpoint with a FortiGate, config migration has gone mostly smoothly. On the previous device, SSLVPN users were authenticated against a RADIUS Server (which itself queried AD) for VPN with MFA, and also against an AD server for group information. My understanding is that both RADIUS and LDAP Auth happened simultaneously on the Checkpoint.
I'm having an issue replicating this on the FortiGate. Opened a case with TAC and I understand that the same users shouldn't be on both RADIUS and LDAP, as the FG will try to authenticate them against everything it can - which has the effect of persons getting onto the VPN without MFA.
I tried using realms to limit the VPN to auth against RADIUS, but with this person's AD group information isn't available for use by the policies.
My current thinking is that I need the RADIUS server to send over group information. Someone suggested using SAML, but I'm not sure if I'll run into a similar issue where group info isn't available, or where the FG will try to auth the vpn logon against SAML and LDAP at the same time.
Does anyone have any thoughts, or has anyone done anything similar? Thanks
Hello ATryingEngineer, Good day!
This is correct that FGT will send auth request to all the remote servers [ldap + radius] and will accept the one that replied with ACCEPT the fastest.
Here is the reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent...
If FortiGate receives a failed reply from an authentication server, it will still wait for the others to respond in case one of them might return a successful result.
You can configure NPS server/Radius to reply back with group information: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/710485
What is the challenge with Radius not replying with group information?
Thank you!
Thanks for your feedback. The RADIUS server is being used by other applications, so there is a concern that changing the settings to reply with group information may affect them.
I saw somewhere that SAML can also be implemented, with the IdP connecting to the AD server and passing group information. Can that set up work in this case?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.