Toshi_Esumi
SuperUser

FortiToken Mobile for multiple FortiGate servers

Does anyone know if one FortiToken Mobile app with two or more FortiGates for SSL VPN is possible? I mean WITHOUT FortiAuthenticator.
We have multiple SSL VPN entry points in our nation-wide network. But now we want to use FortiToken Mobile. The gotcha is we don't have FortiAuthenticator for remote authentication. So we need to buy multiple tokens for all FortiGates. But I'm not sure if this even works with one smartphone per user.


Toshi

2 Solutions
Toshi_Esumi
SuperUser

I just wanted to update what kind of answers I got through Reddit when I posted the same question there. I hope this is not violating the policy of this forum.


Direct answer to my question was "Yes, one app can handle multiple tokens from multiple FortiGates". One guy even shared his app's screenshot for two FGTs with me. And further, another guy recommended FortiToken Cloud, which seems to accommodate multiple Fortigates for the same token, which might be ideal for us. I need to learn how each option would work including with FortiAuthenticator.


Debbie_FTNT

I'm not sure if we have any guide for how the whole sequence works, at least on the docs page.

We do have a configuration example with two-factor authentication (SMS token, but the process for FTK is much the same): https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/451567/sms-two-factor-authentic...
However, this is with a local user created on FortiAuthenticator, not a user that is on LDAP.

Here is a section on remote authentication servers in FortiAuthenticator (tie-in with remote LDAP/RADIUS):
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/641286/remote-authe...
The study guide for NSE 6 FortiAuthenticator does cover what I discussed above as well, but doesn't provide a simple step-by-step example of what a setup would look like. That is part of the labs in instructor-led FortiAuthenticator training, I believe.


If your questions are about RADIUS protocol in general, the study guide contains a small section on how RADIUS works, but it doesn't go into great depth and presumes at least a bit of familiarity with the protocol.

As for a diagram - a crude one, but I hope it helps you visualize what's going on:

[diagram image omitted]

Communication between FAC and FGT is RADIUS, and between FAC and remote auth server could be RADIUS, LDAP, etc.
For those remote servers, they would see FAC as client, not FortiGate.
For FortiGate, it would only have the one RADIUS server to speak to.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++


11 REPLIES

Debbie_FTNT

If you have questions about FortiAuthenticator, you are welcome to let me know, I deal a lot with that product :)

Not so much with FortiToken Cloud, but I can provide a little info on that as well.

Toshi_Esumi
SuperUser

I heard a Win AD could be put behind FAC. But we don't want to do that and use FAC only for FortiToken 2nd factor part. It's possible, right? I'm guessing it has more features and of course multi tenancy would be one of them.

Debbie_FTNT

If you want to use FAC for 2FA part, and user credentials are in AD, you would essentially use FAC as proxy to AD:

-> authenticate users to FAC via RADIUS

-> FAC forwards user credentials to AD for checking

-> if AD returns an 'OK', FAC asks for the token or sends push notification (FAC can also be set to ask for token even if credentials are invalid, to avoid giving away information)

-> once this is successful, FAC sends 'OK' to FGT
-> user is authenticated
There are options to authenticate via SAML instead of RADIUS, to chain authentication to another proxy, integrate FAC with FSSO (it can act as Collector Agent) and a number of other features

Toshi_Esumi

So you're saying it's not possible to keep current remote authentication method with like other 3rd party RADIUS (could be freeRADIUS) or TACACS+, which we use for a subset of SSL VPN users, while FortiToken Mobile uses FAC, and all FGTs ask the same to FAC. Correct? We need this ONLY for SSL VPN 2nd Factor auth. We won't use it for any SSOs.

Debbie_FTNT

Hey Toshi,

not quite - you can keep the current authentication method, you just have to put FortiAuthenticator between the current auth server and FortiGate.

For example, if you currently authenticate to a FreeRadius:
- configure FortiGate to point to FortiAuthenticator instead

- configure FortiAuthenticator to send the credentials to FreeRadius (set up remote auth server and reference it in a RADIUS policy)

-> add the remote users on FAC (similar to the 'user local/type ldap' setup on FortiGate) and link them with the appropriate token


All FortiGates can query the FAC, the user credentials will be checked against the remote server configured in FAC (RADIUS/LDAP/TACACS), and then in addition FAC itself will request the token.

Does that clarify how the setup would operate?

Toshi_Esumi

Now I understand the topology of this operation including FAC. I was thinking FGT can ask user's credential to the current remote auth server then as the second step ask token to FAC, like hub-and-spokes. Instead, the FGT can ask only to FAC for both factors in one packet(?) then in turn the FAC acts as NAS to get the user's credential part authenticated by the current remote auth server, and returns to the FGT with the result of both factors.
So from those current RADIUS/LDAP/TACACS server's view, nothing is different between getting those queries from FGT and getting from FAC other than NAS IP and type.


Ok, it's clear to me now. Thanks Debbie.


Toshi

Debbie_FTNT

Hey Toshi,

it's down to how RADIUS handles 2FA that necessitates such a setup:
- FortiGate sends an access request with user credentials to FAC

- FAC checks the credentials
-> if there is no token, it sends back an access accept
-> if there is a token, it sends back a challenge instead
-> FortiGate prompts the user for the challenge (token code)

-> FortiGate sends another access request with username + token code (in password field)

-> FAC checks the token code, then sends access accept

Basically any RADIUS solution with 2FA (if it's not using push notification) works like this (request, challenge, request, accept).

So this is not done in one packet, but two; it's just how RADIUS is designed :)

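The request / challenge / request / accept sequence Debbie describes above, and the FAC-as-proxy setup from her earlier reply, modelled as a small simulation. This is an added example, not Fortinet code or anything from the thread: the "remote server" is a constructed dictionary standing in for FreeRADIUS/AD, the token is plain RFC 4226 HOTP standing in for the FortiToken algorithm, and the `Fac` / `fortigate_login` names are hypothetical.

```python
import hmac, hashlib, secrets, struct

# Constructed sample data. Credentials live on the remote auth server
# (here a dict standing in for FreeRADIUS/AD); FAC only knows which
# remote users have a token assigned and holds the token seed.
REMOTE_USERS = {"alice": "s3cret", "bob": "hunter2"}
TOKEN_SEEDS = {"alice": b"constructed-alice-seed"}   # bob has no token
ALWAYS_CHALLENGE = True  # FAC option: ask for token even on a bad password

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP, used as a stand-in for the FortiToken code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Fac:
    """FortiAuthenticator side: proxies credentials, then checks the token."""
    def __init__(self):
        self.pending = {}   # RADIUS State attribute -> (user, credentials ok?)
        self.counter = 0    # HOTP counter; advances only on a successful login
    def remote_auth(self, user, password):
        return REMOTE_USERS.get(user) == password      # forwarded to FreeRADIUS/AD
    def access_request(self, user, password, state=None):
        if state is None:                              # 1st request: credentials
            ok = self.remote_auth(user, password)
            if user not in TOKEN_SEEDS:                # no token -> plain accept/reject
                return ("Access-Accept" if ok else "Access-Reject", {})
            if not ok and not ALWAYS_CHALLENGE:
                return ("Access-Reject", {})
            st = secrets.token_hex(8)                  # ties the 2nd request to the 1st
            self.pending[st] = (user, ok)
            return ("Access-Challenge", {"State": st, "Reply-Message": "Enter token code"})
        pend = self.pending.pop(state, None)           # 2nd request: token code in password
        if pend is None or pend[0] != user:
            return ("Access-Reject", {})
        _, creds_ok = pend
        tok_ok = hmac.compare_digest(password, hotp(TOKEN_SEEDS[user], self.counter))
        if creds_ok and tok_ok:                        # both factors checked by FAC
            self.counter += 1
            return ("Access-Accept", {})
        return ("Access-Reject", {})

def fortigate_login(fac, user, password, token_code):
    """FortiGate side: one RADIUS server to talk to, two Access-Requests."""
    code, attrs = fac.access_request(user, password)
    if code != "Access-Challenge":
        return code                                    # accept or reject right away
    code, _ = fac.access_request(user, token_code, state=attrs["State"])
    return code
```

A wrong password still yields an Access-Challenge when ALWAYS_CHALLENGE is set, so the FortiGate (and the user) cannot tell which factor failed; a reused token code is rejected because the counter advanced.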
Toshi_Esumi

It's quite complicated. Is there any KBs describing this operational sequence with a diagram? Maybe in one of NSEx's study guides?
