Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
H_DY
New Contributor

[fortigate] Authentication attempt sequence when using a Multi remote authentication server?

 

Fortigate version 6.4.14

When setting up an administrator account through a remote authentication server.
Remote authentication server, LDAP, RADIUS, TACACS+, Local.

Is there a sequence for authentication attempts?
Or can I set the order of authentication attempts?

I wonder.
thank you

7 REPLIES 7
ozkanaltas
Contributor III

Hello @H_DY ,

 

In my opinion, the sequence is related to your group configuration. When you create a remote group you can select which is the first authentication method for your admin user. When the admin user tries to login, Fortigate will processes this request based on your group configuration.

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE4-5-6-7 OT Sec - ENT FW
H_DY


@ozkanaltas 
Thanks for answering my question.


FW1 # config user group
FW1 (group) # edit "ldap_tacacs_radius"
FW1 (ldap_tacacs_radius) # show
config user group
edit "ldap_tacacs_radius"
set member "ldap_test" "TACACS-SERVER" "radius_user"
next
end

FW1 # config system admin
FW1 (admin) # edit "remote-auth"
FW1 (remote-auth) # show
config system admin
edit "remote-auth"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set wildcard enable
set remote-group "ldap_tacacs_radius"
next
end

 

In the above settings, is the priority ldap > tacacs > radius?

 

H_DY
New Contributor

q

ozkanaltas

Hello @H_DY,

 

In my opinion, yes Fortigate processes your request with this sequence.  You can test this easily. 

 

Try to login with ldap first and than change your ldap configuration with the wrong information for example change the user password in your ldap configuration. After that, try to login again. If Fortigate process your login request with a tacacs, this indicates that it works this way.

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE4-5-6-7 OT Sec - ENT FW
H_DY

Thank you for your reply.
I will test it as you suggested.
I will leave the test results.

H_DY

Hi
Performed Multi remote_server priority tests.

config.


Set ldap, tacacs server to member in user group.760dcbb2-5bcc-4d9f-8555-21f7ddbb5b0a.png

Create an administrator account.

administrator.png

 

Test 1
The 'hdy' password for LDAP and TACACS Server is setdifferently.
LDAP - ID: hdy, PW: ldap1!

TACACS - ID: hdy, PW: tacacs1!

As a result of the login attempt, it is possible to login in using the account PW of LDAP and TACACS.

It looks like an active-active request to all authentication servers without priorities.

 

Test2

Setting the 'hdy' password for LDAP and TACACS servers to the same.
LDAP - ID : hdy, PW: test1!
TACACS - ID : hdy, PW: test1!


As a result of the login attempt, the LDAP and TACACS servers have Logs authenticated at the same time.

 

[LDAP Server Log]

tacacs.png

[TACACS Server Log]

ldap.png

Thank

Sheikh
Staff
Staff

Hello @H_DY

 

Just to add that incase of multiple LDAP servers (I mean separate LDAP entries in FortiGate), there might be some authentication issues. In this case FortiGate will send authentication request to all the LDAP servers for the same credentials. Generally it would work and the user will be authenticated, but if the credentials are not correct, then FortiGate will send wrong credentials twice or even more (depends upon how many LDAP servers entries are in the LDAP configs).

 

To avoid this issue, better to add "secondary and tertiary server" in the one single LDAP entry.


config user ldap
    edit "dc01"
        set server "X.X.X.X"
        set secondary-server "X.X.X.X" <-----------2nd ldap server

        set tertiary-server "X.X.X.X" <--------------3rd ldap server
        set cnid "sAMAccountName"
        set dn "dc=testt,dc=local"
        set type regular
        set username "administrator\\ldapadmin"
        set password <password>
    next
end

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
Labels
Top Kudoed Authors