Fortigate version 6.4.14
When setting up an administrator account through a remote authentication server (LDAP, RADIUS, TACACS+, or local):
Is there a sequence for authentication attempts?
Or can I set the order of authentication attempts?
I wonder.
Thank you
Hello @H_DY ,
In my opinion, the sequence is related to your group configuration. When you create a remote group you can select which is the first authentication method for your admin user. When the admin user tries to log in, FortiGate will process this request based on your group configuration.
Created on 12-14-2023 12:37 AM Edited on 12-14-2023 12:41 AM
@ozkanaltas
Thanks for answering my question.
FW1 # config user group
FW1 (group) # edit "ldap_tacacs_radius"
FW1 (ldap_tacacs_radius) # show
config user group
edit "ldap_tacacs_radius"
set member "ldap_test" "TACACS-SERVER" "radius_user"
next
end
FW1 # config system admin
FW1 (admin) # edit "remote-auth"
FW1 (remote-auth) # show
config system admin
edit "remote-auth"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set wildcard enable
set remote-group "ldap_tacacs_radius"
next
end
In the above settings, is the priority ldap > tacacs > radius?
Hello @H_DY,
In my opinion, yes, FortiGate processes your request in this sequence. You can test this easily.
Try to log in with LDAP first, and then change your LDAP configuration with wrong information, for example change the user password in your LDAP configuration. After that, try to log in again. If FortiGate processes your login request with TACACS, this indicates that it works this way.
Thank you for your reply.
I will test it as you suggested.
I will leave the test results.
Created on 12-18-2023 07:31 PM Edited on 12-18-2023 07:32 PM
Hi
Performed multi-remote-server priority tests.
Config:
Set the LDAP and TACACS servers as members of a user group.
Create an administrator account.
Test 1
The 'hdy' password for the LDAP and TACACS servers is set differently.
LDAP - ID: hdy, PW: ldap1!
TACACS - ID: hdy, PW: tacacs1!
As a result of the login attempt, it is possible to log in using the account password of either LDAP or TACACS.
It looks like an active-active request to all authentication servers without priorities.
Test2
Set the 'hdy' password for the LDAP and TACACS servers to the same value.
LDAP - ID : hdy, PW: test1!
TACACS - ID : hdy, PW: test1!
As a result of the login attempt, the LDAP and TACACS servers both have logs showing authentication at the same time.
[LDAP Server Log]
[TACACS Server Log]
Thanks
Hello @H_DY,
Just to add that in case of multiple LDAP servers (I mean separate LDAP entries in FortiGate), there might be some authentication issues. In this case FortiGate will send an authentication request to all the LDAP servers for the same credentials. Generally it would work and the user will be authenticated, but if the credentials are not correct, then FortiGate will send the wrong credentials twice or even more (depending on how many LDAP server entries are in the LDAP config).
To avoid this issue, it is better to add a secondary and tertiary server in one single LDAP entry.
config user ldap
edit "dc01"
set server "X.X.X.X"
set secondary-server "X.X.X.X" <-----------2nd ldap server
set tertiary-server "X.X.X.X" <--------------3rd ldap server
set cnid "sAMAccountName"
set dn "dc=testt,dc=local"
set type regular
set username "administrator\\ldapadmin"
set password <password>
next
end
regards,
Sheikh
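The two behaviours discussed in this thread (a group with several remote servers as members being queried in parallel, versus one LDAP entry with secondary and tertiary servers) can be modelled to see why the second layout limits how many failed binds a single bad password produces. The script below is an added example, not code from the thread or from Fortinet: the `Directory` class, the user `hdy`, the passwords and the server names are constructed, and the assumption that a single LDAP entry only falls over to the secondary server when the primary is unreachable (never after a clean credential reject) is mine, based on the recommendation above rather than on anything FortiOS documents here.

```python
"""
Constructed model of two FortiGate remote-admin layouts from the thread:
  * a user group whose members are separate remote servers: every member is
    asked for the same credentials at once (the "active-active" result of
    Test 1 and Test 2 above), and the login succeeds if any member accepts;
  * a single LDAP entry with primary/secondary/tertiary servers: assumed
    here to try the next server only when the current one is unreachable.
Counting the failed binds each directory records shows the lockout-risk
difference that the secondary/tertiary recommendation is meant to avoid.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for one LDAP or TACACS server (constructed, not a real client)."""
    name: str
    users: dict                       # username -> password (sample data)
    reachable: bool = True
    bad_attempts: dict = field(default_factory=dict)  # username -> failed binds

    def bind(self, user, password):
        """True/False like a simple bind; None when the server is unreachable."""
        if not self.reachable:
            return None
        ok = self.users.get(user) == password
        if not ok:
            self.bad_attempts[user] = self.bad_attempts.get(user, 0) + 1
        return ok


def group_member_login(members, user, password):
    """Group with several server members: all are queried, any accept wins."""
    results = [d.bind(user, password) for d in members]
    return any(r is True for r in results)


def single_entry_login(servers, user, password):
    """One LDAP entry: primary, then secondary/tertiary only on unreachability."""
    for d in servers:
        result = d.bind(user, password)
        if result is not None:        # reachable: its answer is final
            return result
    return False                      # every server unreachable


def failed_binds(directories, user):
    return sum(d.bad_attempts.get(user, 0) for d in directories)


def scenario_group(password):
    """Thread's Test 1: LDAP and TACACS members hold different passwords."""
    members = [Directory("ldap_test", {"hdy": "ldap1!"}),
               Directory("TACACS-SERVER", {"hdy": "tacacs1!"})]
    ok = group_member_login(members, "hdy", password)
    return ok, failed_binds(members, "hdy")


def scenario_separate_ldap_entries(password):
    """Sheikh's case: two LDAP entries for replicas of the same directory."""
    members = [Directory("dc01", {"hdy": "test1!"}),
               Directory("dc02", {"hdy": "test1!"})]
    ok = group_member_login(members, "hdy", password)
    return ok, failed_binds(members, "hdy")


def scenario_single_entry(password, primary_up=True):
    """Recommended layout: one entry, replicas as secondary server."""
    servers = [Directory("dc01-primary", {"hdy": "test1!"}, reachable=primary_up),
               Directory("dc01-secondary", {"hdy": "test1!"})]
    ok = single_entry_login(servers, "hdy", password)
    return ok, failed_binds(servers, "hdy")


if __name__ == "__main__":
    print("group, LDAP password     :", scenario_group("ldap1!"))
    print("group, wrong password    :", scenario_group("wrong"))
    print("two LDAP entries, wrong  :", scenario_separate_ldap_entries("wrong"))
    print("single entry, wrong      :", scenario_single_entry("wrong"))
    print("single entry, primary down:", scenario_single_entry("test1!", False))
```

Each scenario returns `(login succeeded, failed binds recorded across the servers)`. With separate entries, one mistyped password is charged against the account once per entry, which is what the recommendation to use `secondary-server` and `tertiary-server` inside a single entry avoids; note that in the Test 1 layout even a correct login records a failure on whichever member holds the other password.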
Copyright 2024 Fortinet, Inc. All Rights Reserved.