Remote authentication servers

If you already have LDAP or RADIUS servers configured on your network, FortiAuthenticator can connect to them for remote authentication, much like FortiOS remote authentication.

LDAP

If you have existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote LDAP servers.

When entering the remote LDAP server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
To add a remote LDAP server entry:
  1. Go to Authentication > Remote Auth. Servers > LDAP and select Create New. The Create New LDAP Server window opens.
  2. Enter the following information.
     Name: Enter the name for the remote LDAP server on FortiAuthenticator.
     Primary server name/IP: Enter the IP address or FQDN for this remote server.
     Port: Enter the port number.
     Use secondary server: Select to use a secondary server. The secondary server name/IP and port must then be entered.
     Secondary server name/IP: Enter the IP address or FQDN for the secondary remote server. This option is only available when Use secondary server is selected.
     Secondary port: Enter the port number for the secondary server. This option is only available when Use secondary server is selected.
     Base distinguished name: Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters. You can also select the browse button to view and select the DN on the LDAP server.
     Bind Type: The bind type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server.
       • Simple: bind using the user's password, which is sent to the server in plaintext, without a search.
       • Regular: bind using the user's DN and password, and then search.
     If the user records fall under one directory, you can use the Simple bind type. Regular is required to allow a search for a user across multiple domains.
     User object class: The object class to search for in a user name search. The default is person.
     Username attribute: The LDAP attribute that contains the user name. The default is sAMAccountName.
     Group membership attribute: The attribute used to search for membership of users or groups in other groups.
  3. If you want a secure connection between the FortiAuthenticator unit and the remote LDAP server, under Secure Connection, select Enable, then enter the following:
     Protocol: Select LDAPS or STARTTLS, as the LDAP server requires.
     CA Certificate: Select the CA certificate that verifies the server certificate from the drop-down list.
  4. If you want to authenticate users using MSCHAP2 PEAP in an Active Directory environment, enable Windows Active Directory Domain Authentication, then enter the required Windows AD Domain Controller information:
     Kerberos realm name: Enter the domain's DNS name in uppercase letters.
     Domain NetBIOS name: Enter the domain's DNS prefix in uppercase letters.
     FortiAuthenticator NetBIOS name: Enter the NetBIOS name that will identify the FortiAuthenticator unit as a domain member.
     Administrator username: Enter the name of the user account that will be used to associate the FortiAuthenticator unit with the domain. This user must have at least Domain User privileges.
     Administrator password: Enter the administrator account's password.

     When you are finished here, go to Authentication > RADIUS Service > Clients to choose whether authentication is available for all Windows AD users or only for Windows AD users who belong to particular user groups that you select. See RADIUS service for more information.

  5. Select OK to apply your changes.
  6. You can now add remote LDAP users, as described in Remote users.
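The following is an added example, not part of the FortiAuthenticator documentation or product code. It models the two bind types described above (Simple binds directly as the user with no search; Regular binds with a service account, searches under the Base DN, then binds as the found DN), applies the page's 512-character Base DN limit and its defaults (object class person, attribute sAMAccountName), and escapes the supplied user name per RFC 4514 and RFC 4515 so it cannot alter the DN or filter that reaches the directory. The way Simple bind composes the user DN from the Username attribute and Base DN, and the service-account placeholders, are assumptions of this example.

```python
import re
from dataclasses import dataclass

MAX_DN_LEN = 512  # limit stated for the Base distinguished name field


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def validate_base_dn(base_dn: str) -> None:
    """Reject a Base DN that is empty, over 512 chars, or not 'attr=value' RDNs."""
    if not base_dn or len(base_dn) > MAX_DN_LEN:
        raise ValueError("base DN must be 1..%d characters" % MAX_DN_LEN)
    for rdn in re.split(r"(?<!\\),", base_dn):  # split on unescaped commas only
        attr, sep, val = rdn.strip().partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError("malformed RDN: %r" % rdn)


@dataclass
class RemoteLdap:
    base_dn: str
    bind_type: str = "regular"             # "simple" or "regular"
    user_object_class: str = "person"      # page default
    username_attribute: str = "sAMAccountName"  # page default

    def plan(self, username: str) -> list:
        """Return the LDAP operations the configured bind type would issue."""
        validate_base_dn(self.base_dn)
        if self.bind_type == "simple":
            # Assumption: user DN = <username attribute>=<user>,<base DN>; no search.
            dn = f"{self.username_attribute}={escape_dn_value(username)},{self.base_dn}"
            return [("bind", dn)]
        # Regular: bind as a service account, search for the user, bind as the found DN.
        flt = (f"(&(objectClass={self.user_object_class})"
               f"({self.username_attribute}={escape_filter_value(username)}))")
        return [("bind", "<service account DN>"),
                ("search", self.base_dn, flt),
                ("bind", "<DN returned by search>")]
```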

RADIUS

If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers. This feature can also be used to migrate away from third-party two-factor authentication platforms.

When entering the remote RADIUS server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
To add a remote RADIUS server entry:
  1. Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
  2. Enter the following information, then select OK to add the RADIUS server.
     Name: Enter the name for the remote RADIUS server on FortiAuthenticator.
     Primary Server: Enter the server name or IP address, port and secret in their respective fields to configure the primary server.
     Secondary Server: Optionally, add redundancy by configuring a secondary server.
     User Migration: Select Enable learning mode to record and learn users that authenticate against this RADIUS server. This option should be enabled if you need to migrate users from the server to the FortiAuthenticator. Select View Learned Users to view the list of learned users. See Learned RADIUS users.