I can't really reply from the perspective of a customer (so I'm not going to say anything on quirks/advertisements/worth its money), but I have dealt extensively with FortiAuthenticator, and I can answer at least a few questions.
- if you purchase a VM licence (instead of a hardware model), that licence is perpetual, it does not expire
-> support coverage can expire, as can the SMS subscription you can purchase
-> other licences (additional user count, FSSO Mobility Agent/FortiClient integration, mobile Token licences) do not expire
- an HA setup does require two licences or hardware models to function properly in my experience
-> if you have different licensed user counts on the units, the cluster will only work with the smaller user count
-> FSSO Mobility Agent/FortiClient licence also needs to be purchased individually for each unit
-> FortiTokens do NOT need to be purchased for each unit, these are synced between the cluster nodes
Regarding the features you listed:
- it can act as a RADIUS server (for VPN/captive portal/Wi-Fi/etc. authentication)
-> it can essentially forward the RADIUS authentication request to LDAP to verify user credentials, no need to have users locally on FortiAuthenticator (unless tokens should be assigned, then users need to be created locally or imported from LDAP)
- it can act as a TACACS+ server, but NOT as a TACACS+ client (no admin login with credentials verified against an external TACACS+ server)
- there are two free agents it can integrate with, the Windows Agent and OWA Agent, to provide two-factor authentication for Windows login and OWA
If you have further questions about FortiAuthenticator's features, feel free to ask me :). Other than that, I hope that some customers get back to you regarding how well it functions for them.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++