Hello,

We recently purchased some FortiGates (based on pre-sales advice), having a requirement that user authentication on an SSL portal could be configured to use LDAP AND RADIUS (not OR), i.e. on logon to the portal, the user needs to enter both LDAP and RADIUS credentials. I have got both LDAP and RADIUS to work individually, however I cannot see how to force both. Fortinet support has told me I now need to purchase a FortiAuthenticator if I want to do this. Has anyone managed to do this, or do I really need the additional kit?

Kind regards,
I just guess that you are talking about something usually called 'chained authentication'.
So, a situation where the user's name and password are verified against LDAP and then a 2FA token is verified against RADIUS.
AFAIK you can have LDAP-based users with a 2FA token on FortiGate, but the user account is created on FortiGate, just pointing to LDAP, and the token is also a FortiToken, configured on FortiGate.
Keep in mind that FortiGate's primary role is firewall. Not NPS (Network Policy Server)!
If you need chained authentication towards a 3rd party LDAP and another 3rd party RADIUS (two different servers), like users in LDAP and tokens in RSA, then this is supported only on FortiAuthenticator.
Do you really have two separate servers for authentication?
Could you consolidate them somehow or change auth schema?
(Like using FortiTokens on FortiGate directly for LDAP users, without RADIUS, or if the mentioned RADIUS is MSFT NPS, then this could be used over RADIUS but de facto authenticating users against the AD back-end.)
There are always multiple ways to set it up; it all depends on what you have, what you need, and what you are able to change.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Many thanks Tomas,
Yes, the chained authentication is just what I need (as it was in the original design).
Unfortunately the authentication servers cannot be separated, as the LDAP servers are local to the country and will determine which portal the user will see, while the RADIUS servers are located elsewhere, i.e. in other countries.
You did however give me some food for thought about alternate approaches so I will do some more thinking.
Thanks again for the input.
Kind regards, Steve.
FYI - This form of chained authentication is possible on FortiOS 5.0.x without the need for a FortiAuthenticator. We have one specific customer who needs this auth method for compliance but does not want to purchase a FortiAuth, so we delegate authentication to occur on a segmented (non-internet facing) 200D running 5.0.13.