Fortinet Forum
abdulmoiz2006
New Contributor

New to FortiAuthenticator, how does it work?

Hi guys, deploying a new FortiAuthenticator; I have a few questions if you guys could help.

- Can I authenticate Cisco switches with FAC? When I log in via SSH or console, should that check with FAC?

- How does FAC work? I have many FortiGates, so will FAC be linked with FGT and users will access via FortiClient, or how?

I am a little confused here. Can we link FAC to a Cisco switch and do 802.1x port-based or MAC authentication? Or do we need to link it with FGT?

7 Replies
Yurisk
Valued Contributor

Think of FAC as a RADIUS server; it makes understanding much easier. As a consequence of that:

- Yes, Cisco switches/routers will work with FAC for CLI user authentication using the usual aaa authentication ... group radius

- FAC works by providing RADIUS services to the authenticating clients, while using Windows AD or its own local database as the source for users/passwords. Usually you link FAC to AD via the LDAP protocol; then those users can authenticate against FAC using their AD credentials.

- How you use it depends on what you need. By FortiClient (FC) you most probably mean remote VPN connecting to FortiGates; then yes - FC connects to some FortiGate linked to FAC and authenticates the user against FAC.

- FAC additionally supports SSO/SAML and probably other stuff (I don't use it) that I can't comment much on.

- From experience, the most frequent use case for FAC is registering FortiTokens with it for MFA - this way a user can have just one FortiToken and connect to any device linked to FAC.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
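As an added example of the "usual aaa authentication ... group radius" setup Yurisk refers to (this is not configuration from the thread or from Fortinet documentation), here is a Cisco IOS configuration that sends SSH and console logins to FAC as a RADIUS server, with a local break-glass account used only when FAC does not answer. The FAC address 192.0.2.10 (an RFC 5737 test address) and the two secret placeholders are assumptions; on the FAC side the switch's IP must be added as a RADIUS client with the same shared secret, and the user or group must be allowed in a RADIUS policy there.

```cisco
! Added example, not from the thread. Assumed: FAC reachable at 192.0.2.10.
aaa new-model
!
! Define FAC as a RADIUS server. Use a long random shared secret: it is the only
! thing that authenticates the switch to FAC, and FAC to the switch.
radius server FAC-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server radius FAC
 server name FAC-PRIMARY
!
! Named method list: ask FAC first; the "local" method is consulted only when
! FAC does not respond, not when FAC rejects the credentials.
aaa authentication login FAC-LOGIN group FAC local
!
! Exec authorization lets FAC decide the privilege level by returning the
! Cisco VSA "shell:priv-lvl=15" (or a lower level) in the Access-Accept.
aaa authorization exec FAC-EXEC group FAC local if-authenticated
!
! Accounting gives FAC a record of every admin session (start/stop).
aaa accounting exec default start-stop group FAC
!
! Break-glass account, used only while FAC is unreachable.
username admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
!
line con 0
 login authentication FAC-LOGIN
 authorization exec FAC-EXEC
line vty 0 4
 login authentication FAC-LOGIN
 authorization exec FAC-EXEC
 transport input ssh
```

Before attaching the method lists to the VTY lines, verify the RADIUS path from the switch with "test aaa group FAC <user> <password> legacy" and keep an existing SSH session open while you change "line vty"; a wrong shared secret shows up on FAC as a RADIUS client error rather than as a user rejection, which is the first thing to check when every login fails.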
abdulmoiz2006

Yurisk wrote:

Think of FAC as a RADIUS server; it makes understanding much easier. As a consequence of that:

- Yes, Cisco switches/routers will work with FAC for CLI user authentication using the usual aaa authentication ... group radius

- FAC works by providing RADIUS services to the authenticating clients, while using Windows AD or its own local database as the source for users/passwords. Usually you link FAC to AD via the LDAP protocol; then those users can authenticate against FAC using their AD credentials.

- How you use it depends on what you need. By FortiClient (FC) you most probably mean remote VPN connecting to FortiGates; then yes - FC connects to some FortiGate linked to FAC and authenticates the user against FAC.

- FAC additionally supports SSO/SAML and probably other stuff (I don't use it) that I can't comment much on.

- From experience, the most frequent use case for FAC is registering FortiTokens with it for MFA - this way a user can have just one FortiToken and connect to any device linked to FAC.

Thanks Yurisk, you are awesome. - How about the computer users, how will they authenticate with FAC?

- How can computers be authenticated? Is there anything besides MAB and dot1x? Is there any place or link where I could get a sample config that I can use to configure my FAC and Cisco switches?

Yurisk

- Local PCs/users can authenticate either via the FAC SSO web-based portal or transparently if they have the FortiClient SSO Mobility Agent installed. You CAN get it working without AD by creating local users on FAC; I just haven't seen someone doing it in production, usually there is already AD infrastructure in place.

- Fortinet has its own FortiNAC; I guess it does all the 802.1x stuff, but I haven't worked with it yet.

- If the admin guide of FAC is too much for the first time, there are quite good videos by Fortinet introducing the initial configs and principles of operation: https://video.fortinet.com/products. There are example configurations, but they are not sorted by complexity, and it gives some 1000+ results, but here it is: search in Google for fortiauthenticator site:kb.fortinet.com

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
abdulmoiz2006

Yurisk wrote:

- Local PCs/users can authenticate either via the FAC SSO web-based portal or transparently if they have the FortiClient SSO Mobility Agent installed. You CAN get it working without AD by creating local users on FAC; I just haven't seen someone doing it in production, usually there is already AD infrastructure in place.

- Fortinet has its own FortiNAC; I guess it does all the 802.1x stuff, but I haven't worked with it yet.

- If the admin guide of FAC is too much for the first time, there are quite good videos by Fortinet introducing the initial configs and principles of operation: https://video.fortinet.com/products. There are example configurations, but they are not sorted by complexity, and it gives some 1000+ results, but here it is: search in Google for fortiauthenticator site:kb.fortinet.com

- I am doing a new deployment with around 100 branch offices, so definitely there will be AD later on; I will do testing with FAC at the moment with local users.

So FortiNAC is for dot1x port-based, but I see in FAC there is a RADIUS and TACACS+ service where we can configure clients and policies, so I think we can do access levels, e.g. to determine the privilege level when you log in to a router, or to push a dynamic access-list for a VPN user (I thought we could also do dot1x port-based authentication with FAC).

- For the FortiClient or web-based portal authentication, do I have to configure the switch (as a supplicant) or link FAC with FGT (as a client or supplicant), and when connecting via FortiClient will it use FGT to check user credentials on FAC?

xsilver_FTNT

As Yurisk already said, there are some ways to authenticate even computers.

Possibilities are quite wide. Besides the mentioned ones you can, for example, have your users log in to FAC and allow them to enroll their own device certificates .. you can limit how many devices they can enroll .. and then they can do 802.1x EAP-TLS wired or WiFi auth .. for example.

Regarding the mentioned fact that FAC is in its most basic form a huge RADIUS server .. it's true, but more precisely it is an auth concentrator and centralized point.

As for the mentioned SSO, it can read user data from many sources (RADIUS Accounting, Syslog, various Windows AD methods, FortiClient with SSOMA (mobility agent module in FortiClient) ..), process those logon data, pass them through filters and push those fitting a specific need to connected FortiGate units.

But besides RADIUS and FSSO, it is also a token handling platform (FortiTokens, YubiKeys directly, 3rd party like RSA via auth chaining to the RSA server, even combining those 3rd party with LDAP/AD into a single auth), SAML, OAuth, RADIUS Proxy (not only for Accounting data, but also RADIUS Authentication, as it can use another RADIUS server as backend, not just LDAP). Speaking of LDAP in general, though it's usually used with AD, FAC can sync users based on some LDAP filters and sort them into groups on FAC, alternatively assigning tokens (FortiTokens/SMS/Email) to those users automatically during sync. It also keeps the user list, so once you remove a user from LDAP and/or once a user stops matching the LDAP filter, that user can be automatically removed from FAC, and if he was provided with a token, that one will be recovered back to the pool of free/available tokens (useful especially with mobile tokens, where you do not need to collect a hardware token, which obviously is not possible automagically by FAC itself).

So, possibilities are pretty wide. It depends more on what you truly need, and even for a specific task there is usually more than one way to achieve it.

 

Therefore you should be a bit more specific.

 

Tom xSilver, planet Earth, over and out!
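As an added example of the wired 802.1x EAP-TLS with MAB fallback that xsilver describes (this is not configuration from the thread or from Fortinet), here is a Cisco IOS access-port configuration that uses FAC as the RADIUS server for both methods. The FAC address 192.0.2.10, the VLAN numbers and the secret placeholder are assumptions; the device certificates are assumed to come from FAC's built-in CA (the SCEP enrollment xsilver mentions), and the switch must be registered as a RADIUS client on FAC with the same shared secret. The switch itself only relays EAP; it never sees the certificate validation, which happens on FAC.

```cisco
! Added example, not from the thread. Assumed: FAC reachable at 192.0.2.10,
! user VLAN 10, restricted VLAN 99 for failed or unauthenticated hosts.
aaa new-model
radius server FAC-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius FAC
 server name FAC-PRIMARY
!
! 802.1x and MAB authentication, authorization and accounting all go to FAC.
aaa authentication dot1x default group FAC
aaa authorization network default group FAC
aaa accounting dot1x default start-stop group FAC
dot1x system-auth-control
!
! Accept the VLAN / ACL attributes FAC may return in the Access-Accept
! (Tunnel-Private-Group-ID, Filter-Id) instead of the static port VLAN.
radius-server vsa send authentication
!
interface GigabitEthernet1/0/1
 description user port: EAP-TLS first, MAB fallback for printers/phones
 switchport mode access
 switchport access vlan 10
 ! one data and one voice device per port; use multi-auth for hubs/VMs
 authentication host-mode multi-domain
 ! try 802.1x first, then fall back to MAB (MAC address lookup on FAC)
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! rejected hosts land in the restricted VLAN, not the user VLAN
 authentication event fail action authorize vlan 99
 ! if FAC is unreachable, keep service up but in the restricted VLAN only
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
```

Because MAB trusts only a MAC address, a MAB-authorized printer should get a restricted VLAN or downloadable ACL from FAC rather than the same access as an EAP-TLS laptop; "show authentication sessions interface GigabitEthernet1/0/1" on the switch shows which method succeeded and which VLAN was applied.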

Yurisk
Valued Contributor

@xsilver_FTNT - wow, I've been managing FACs for clients, but always for the FC + FTK combo, and didn't even know all of the capabilities you mentioned :)

 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
xsilver_FTNT

@Yurisk Yes, syncing users from LDAP/AD and automatically equipping them with FortiTokens, then allowing them to authenticate via RADIUS to something like FortiGate, or a WiFi AP, or even something like Cisco AnyConnect (generally 3rd party) with those tokens (2FA), was one of the core elements years ago.

In the meantime it has evolved and is still under active development as new exciting stuff like SAML/OAuth comes into play.

It's also a very, very versatile and capable Collector Agent for various SSO scenarios.

Or a simple Certificate Authority .. with SCEP/CRL/OCSP built-in and much easier to set up than on MSFT AD.

And more (TACACS+, local LDAP, Guest Management, self-registration/enrollment portals) ..

Tom xSilver, planet Earth, over and out!