[fortigate] Authentication attempt sequence when using a Multi remote authentication server?

H_DY · ‎12-13-2023

Fortigate version 6.4.14

When setting up an administrator account through a remote authentication server.
Remote authentication server, LDAP, RADIUS, TACACS+, Local.

Is there a sequence for authentication attempts?
Or can I set the order of authentication attempts?

I wonder.
thank you

ozkanaltas · ‎12-14-2023

Hello @H_DY ,

In my opinion, the sequence is related to your group configuration. When you create a remote group you can select which is the first authentication method for your admin user. When the admin user tries to login, Fortigate will processes this request based on your group configuration.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

H_DY · ‎12-14-2023

@ozkanaltas
Thanks for answering my question.

FW1 # config user group
FW1 (group) # edit "ldap_tacacs_radius"
FW1 (ldap_tacacs_radius) # show
config user group
edit "ldap_tacacs_radius"
set member "ldap_test" "TACACS-SERVER" "radius_user"
next
end

FW1 # config system admin
FW1 (admin) # edit "remote-auth"
FW1 (remote-auth) # show
config system admin
edit "remote-auth"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set wildcard enable
set remote-group "ldap_tacacs_radius"
next
end

In the above settings, is the priority ldap > tacacs > radius?

H_DY · ‎12-14-2023

q

ozkanaltas · ‎12-14-2023

Hello @H_DY,

In my opinion, yes Fortigate processes your request with this sequence. You can test this easily.

Try to login with ldap first and than change your ldap configuration with the wrong information for example change the user password in your ldap configuration. After that, try to login again. If Fortigate process your login request with a tacacs, this indicates that it works this way.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

H_DY · ‎12-14-2023

Thank you for your reply.
I will test it as you suggested.
I will leave the test results.

H_DY · ‎12-18-2023

Hi
Performed Multi remote_server priority tests.

config.

Set ldap, tacacs server to member in user group.

Create an administrator account.

Test 1
The 'hdy' password for LDAP and TACACS Server is setdifferently.
LDAP - ID: hdy, PW: ldap1!

TACACS - ID: hdy, PW: tacacs1!

As a result of the login attempt, it is possible to login in using the account PW of LDAP and TACACS.

It looks like an active-active request to all authentication servers without priorities.

Test2

Setting the 'hdy' password for LDAP and TACACS servers to the same.
LDAP - ID : hdy, PW: test1!
TACACS - ID : hdy, PW: test1!

As a result of the login attempt, the LDAP and TACACS servers have Logs authenticated at the same time.

[LDAP Server Log]

[TACACS Server Log]

Thank

Sheikh · ‎12-14-2023

Hello @H_DY,

Just to add that incase of multiple LDAP servers (I mean separate LDAP entries in FortiGate), there might be some authentication issues. In this case FortiGate will send authentication request to all the LDAP servers for the same credentials. Generally it would work and the user will be authenticated, but if the credentials are not correct, then FortiGate will send wrong credentials twice or even more (depends upon how many LDAP servers entries are in the LDAP configs).

To avoid this issue, better to add "secondary and tertiary server" in the one single LDAP entry.

config user ldap
    edit "dc01"
        set server "X.X.X.X"
        set secondary-server "X.X.X.X" <-----------2nd ldap server

  set tertiary-server "X.X.X.X" <--------------3rd ldap server
        set cnid "sAMAccountName"
        set dn "dc=testt,dc=local"
        set type regular
        set username "administrator\\ldapadmin"
        set password <password>
    next
end

regards,

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**