telouat
New Contributor II

SAML WINDOWS INTEGRATED AUTHENTICATION

Hello

I am working on setting up authentication for web access for a user group outside the FSSO domain.
I configured SAML with Azure, but I cannot set up integrated Windows authentication without going through an ADFS server.

I thought about setting up authentication with RADIUS, but I am still facing the same problem with integrated Windows authentication.

Jean-Philippe_P
Moderator

Hello telouat,

Thanks for your post. Can you tell us which version of FortiGate you have and give more info on your setup, please?

This way it will be easier for us to help you.

Regards,

Jean-Philippe - Fortinet Community Team
telouat

Hi JP,

Thank you for your reply.

This is my configuration in FortiGate:

config user radius
    edit "NPS"
        set server "192.168.x.x"
        set secret ENC rgKDAV8XLAHeZI2vqbyOt1BswHCYgyfTBOu1pUjAbHTsvR9Ft
        set all-usergroup enable
        set auth-type ms_chap_v2
    next
end

config user group
    edit "GU_NPS_Group"
        set member "radius"
    next
end

config firewall policy
    edit 8
        set name "LAN-auth-policy"
        set uuid c1acc36e-c509-51ee-d874
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "test_ssl"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "GU_NPS_Group"
    next
end

I abandoned the idea of doing SAML because I cannot deploy ADFS for integrated Windows authentication.

My need is therefore the following: as I cannot do SAML authentication with integrated Windows SSO without going through an ADFS server, I switched to a configuration with RADIUS on Windows NPS, but I cannot find how to do it without the user retyping their identifier.

Thanks

dbu

Hi @telouat,

As per my understanding, you are now trying to configure a remote RADIUS server (NPS).
Have a look at this guide and verify your configuration:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-and-Microsoft-NPS-Ra...

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
telouat
New Contributor II

Thank you for the answer. I followed this tutorial and the FortiGate asks me for authentication despite everything.

dbu

What happens when you test with the CLI command? Does it return the attributes?
I also see this value in your configuration:
set all-usergroup enable

Can you disable this and test again?

Regards!
telouat
New Contributor II

set all-usergroup disable

No change, same result.

Authentication test to RADIUS is good.

telouat
New Contributor II

I checked the NPS log.

The NPS server has granted access to a user with success

dbu

What happens when you try to authenticate here?

Regards!
telouat
New Contributor II

Authentication succeeds and I can see the user session in FortiGate.
