
View on Fortiauthenticator?

Hello, I'm looking for feedback from people that use the authenticator product. (How do ya like it? Any quirks? Is it as advertised? Is it worth the money?)

Basically, right now I see on paper that it can fill a few roles we're looking to make our lives easier in.

  1. We pay for DUO already and the on-paper cost isn't that much more given the additional it could do. (Use it for 3rd party on the SSLVPN)

  2. Replace our aged ACS system for TACACS+

  3. Possible replacement for NPS server.

  4. Simplifying the NPS setup by not having to create a DB for the NPS logs etc.

  5. Bonus points for additional MFA on various resources.

Also, I'm under the impression that it will stop working outright if you choose not to renew the license.

Last, did you buy two or more licenses for failover, or work out another system of redundancy?

Thanks for help.


Hey zebansho,

I can't really reply from the perspective of a customer (so I'm not going to say anything on quirks/advertisements/worth its money), but I have dealt extensively with FortiAuthenticator, and I can answer at least a few questions.

In particular:

- if you purchase a VM licence (instead of a hardware model), that licence is perpetual, it does not expire

-> support coverage can expire, and the SMS subscription you can purchase

-> other licences (additional user count, FSSO Mobility Agent/FortiClient integration, mobile Token licences) do not expire

- an HA setup does require two licences or hardware models to function properly in my experience

-> if you have different licenced user count on the units, the cluster will only work with the smaller user count

-> FSSO Mobility Agent/FortiClient licence also needs to be purchased individually for each unit

-> FortiTokens do NOT need to be purchased for each unit, these are synced between the cluster nodes


Regarding the features you listed:

- it can act as a RADIUS server (for VPN/captive portal/Wifi/etc authentication)

-> it can essentially forward the RADIUS authentication request to LDAP to verify user credentials, no need to have users locally on FortiAuthenticator (unless tokens should be assigned, then users need to be created locally or imported from LDAP)

- it can act as TACACS+ server, but NOT as TACACS+ client (no admin login with credentials verified against an external TACACS+ server)

- there are two free agents it can integrate with, the Windows Agent and OWA Agent, to provide two-factor authentication for Windows login and OWA


If you have further questions about FortiAuthenticator's features, feel free to ask me :). Other than that, I hope that some customers get back to you regarding how well it functions for them.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++