shree083
New Contributor

RADIUS Depends on LDAP on FortiGate ?

Hello everyone,

This morning we had a situation at the office.
We have a FortiGate 80F at the office.
So here’s what happened: we have VPN configured with MFA through an NPS server in Azure.
There’s a Site-to-Site (S2S) connection between On-Prem and Azure VNET.
This morning, the local Active Directory (AD) server went down, so the VPN couldn’t connect — even though we also have AD in Azure, which is accessible from On-Prem.
But we have the LDAP server configured to use the local AD.

So the question is:
Is the RADIUS server (configured on FortiGate) dependent on the LDAP server that is also configured on FortiGate?

Thank you in advance!

rbraha
Staff

Hi @shree083 

By default, when there is a request toward the FGT, the FGT will first check the local user database; then, if the user is not found there, it will check whichever server replies first (LDAP or RADIUS) and proceed to authenticate the user. So you have to make sure that you do not have the same LDAP server locally on the FGT while the RADIUS server also uses the same LDAP server on the other side, or you have to be careful when selecting user groups in the FGT or using realms to match the correct one.

Toshi_Esumi
SuperUser

You said "NPS server in Azure". Therefore I assume the FGT's RADIUS server connection needs to reach the NPS over the VPN. Then, if the tunnel is not up, the FGT can't get to the NPS RADIUS proxy.

Toshi
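Putting the two replies together, one practical check is to bind the VPN user group to the RADIUS server only (so its matching never involves the local LDAP server) and to test each server path on its own. This is an added FortiOS CLI example, not configuration from either poster; the server names, addresses and the secret/password placeholders are assumptions.

```text
# FortiOS CLI (assumed names and addresses; <shared-secret> and <password> are placeholders)
config user radius
    edit "NPS-Azure"
        # NPS sits behind the S2S tunnel, so it is reachable only while the tunnel is up
        set server "10.10.0.5"
        set secret <shared-secret>
        # source the RADIUS requests from an interface address that is routed over the tunnel
        set source-ip 192.168.1.1
    next
end

config user group
    edit "VPN-MFA-Users"
        # member is only the RADIUS server, not the local LDAP server,
        # so an on-prem AD outage cannot affect how this group is matched
        set member "NPS-Azure"
    next
end

# Test each authentication server independently before changing the VPN policy
diagnose test authserver radius NPS-Azure pap testuser <password>
diagnose test authserver ldap AD-OnPrem testuser <password>
```

If the RADIUS test fails while the LDAP test succeeds, the problem is the path to NPS over the tunnel rather than the LDAP server, and vice versa.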
