- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How to correctly understand and use the "Username ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to correctly understand and use the "Username format" in the Identity source of Radius Policy I
Dear Team
I would like to understand how to determine the appropriate "Username format" (username@realm or realm\username or realm/username) to use for each NAS (Radius Client).
Is this adjustment of the "Username format" based on the Radius protocol or some other information? Please help me clarify what information or examples are needed to make the correct selection for the "Username format". Thank you.
Bruce Liu
Solved! Go to Solution.
Bruce Liu
Labels:
- Labels:
-
FortiAuthenticator v5.5
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To clarifiy a bit:
- you create realms under Authentication > User Management > Realms
- those realms can have whatever name you assign, and link to either local, or a remote RADIUS/LDAP server typically, so you could have two LDAP servers linked to two realms, ldap1 and ldap2, for example
- you can reference more than one realm in a RADIUS policy
- in that case, the username format becomes important, because it tells FortiAuthenticator how to parse a username.
As an example:
- the RADIUS policy references the realms ldap1 and ldap2 (ldap1 is default), and is set up with username format 'realm\user'; user test1 exists on ldap1 server, and user test2 exists on ldap2 server
-> user 'test1' logs in, those credentials will be checked against ldap1, because it is default realm and the login attempt did not provide any realm information
-> user 'test2' logs in, those credentials will ALSO be checked against ldap1 (default realm as we have no realm info to go off), and this will fail because test2 belongs to ldap2, not ldap1
-> user 'ldap2\test2' logs in, those credentials will be checked against ldap2, as realm information was provided and FortiAuthenticator parses the username as expected
-> user 'test2@ldap2' logs in, those credentials will be checked against ldap1! The realm '@ldap2' was not provided in the expected format, and is thus interpreted as part of the username, NOT as realm information!
-> user 'test1@ldap2' would also be checked against ldap1, same reasoning as above
-> user 'ldap1\test1' would also be checked against ldap1, but the realm specification is technically unnecessary as ldap1 is default realm and all attempts will match that if no realm information is provided
I hope that clears up the realm selection and username format settings?
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Realms are used to segregate users from different domain/section to authenticate to different remote authentication servers(LDAP/RADIUS). The username format is something you should specify on the FAC while creating the Radius policy. If the user don't follow the username format you have used in the policy while entering the credentials and just simply entered their username, they will get authenticated against the default realm.
Refer to this link for more information:
Please let me know if still have any concerns.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response.
I am confused about the examples provided in the reference materials. I would like to clarify the usage of the added WS-2019 (forti.lab) in the examples. If I choose "realm\username" as the Username format, can I successfully log in to the Fortigate by entering "forti.lab\administrator" as shown in the example?
In a more complex scenario, if multiple realms are added to the policies, with realms possibly coming from Windows AD (dome1.local) or a Linux LDAP Server (dome2.local), and the Username format is set to realm\username, can I authenticate using "dome1.local\administrator" or "dome2.local\administrator" for different domain servers?
Please clarify if my understanding is correct.
Bruce Liu
Bruce Liu
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Realm is something you defined in your FortiAuthenticator which could be same as your domain name or something else. The username format used here will help you pass on realm information from User to FAC in different ways so that it can apply different settings (backend authentication server) based on the value of your realm.
So your understanding is correct.
Reference:
https://docs.fortinet.com/document/fortiauthenticator/6.5.2/administration-guide/485114/realms
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To clarifiy a bit:
- you create realms under Authentication > User Management > Realms
- those realms can have whatever name you assign, and link to either local, or a remote RADIUS/LDAP server typically, so you could have two LDAP servers linked to two realms, ldap1 and ldap2, for example
- you can reference more than one realm in a RADIUS policy
- in that case, the username format becomes important, because it tells FortiAuthenticator how to parse a username.
As an example:
- the RADIUS policy references the realms ldap1 and ldap2 (ldap1 is default), and is set up with username format 'realm\user'; user test1 exists on ldap1 server, and user test2 exists on ldap2 server
-> user 'test1' logs in, those credentials will be checked against ldap1, because it is default realm and the login attempt did not provide any realm information
-> user 'test2' logs in, those credentials will ALSO be checked against ldap1 (default realm as we have no realm info to go off), and this will fail because test2 belongs to ldap2, not ldap1
-> user 'ldap2\test2' logs in, those credentials will be checked against ldap2, as realm information was provided and FortiAuthenticator parses the username as expected
-> user 'test2@ldap2' logs in, those credentials will be checked against ldap1! The realm '@ldap2' was not provided in the expected format, and is thus interpreted as part of the username, NOT as realm information!
-> user 'test1@ldap2' would also be checked against ldap1, same reasoning as above
-> user 'ldap1\test1' would also be checked against ldap1, but the realm specification is technically unnecessary as ldap1 is default realm and all attempts will match that if no realm information is provided
I hope that clears up the realm selection and username format settings?
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Related Posts
- understanding workflow / using JSON API... 62 Views
- Risk of enable TCP Session Without... 232 Views
- IPSec VPN with Azure/Entra mfa 137 Views
- FortiGate Rules 213 Views
- Help Im in Fortiswitch hell. ... 161 Views
Labels
-
FortiGate
6,764 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
346 -
FortiClient EMS
274 -
FortiMail
263 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
FortiMonitor
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.