- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiAuthenticator - Admin Profile for customer Or...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator - Admin Profile for customer Organization only.
Hi,
I've got a short question regarding the ForitAuthenticator.
We are setting this device up for ourself and for one of out customers.
The customer needs to have it's own Admin Profile to create users and should only see it's own organization.
The problem we are facing right now is that the customer admin can see all the users even outside it's own organization.
Is there something we're missing?
Kind regards,
Tim
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tim,
nope, you are not missing anything I think.
The FortiAuthenticator (FAC hereinafter) admins can be profiled so each 'role' can do certain things, but generally on whole FAC.
There is nothing like VDOMs known from FortiGate or ADOMs from FortiManager.
Usual implementation is one FAC per enterprise where admins are for one subject.
However, if you want give customer ability to manage his users then I do see two possible options:
A) Remote User Sync Rules
this feature allows you to keep admin accounts for you only, no access from customer to FAC, but FAC will sync users from customer's LDAP automatically and according to set filter (just users matching LDAP filter, for example belonging to specific group/OU on LDAP/AD). This will create/remove user on FAC once created/removed in LDAP. Plus, users can be provided with 2FA token when synced, and tokens returned to pool when user get deleted (once he is not seen as matching sync filter).
This feature is used very often in situations where FAC is managed by one group/team of admins but AD/LDAP is managed by another team.
B) Guest portal
on the FAC you can create so called 'sponsor' which is admin able to manage just guest/user accounts on FAC, nothing else.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tim,
nope, you are not missing anything I think.
The FortiAuthenticator (FAC hereinafter) admins can be profiled so each 'role' can do certain things, but generally on whole FAC.
There is nothing like VDOMs known from FortiGate or ADOMs from FortiManager.
Usual implementation is one FAC per enterprise where admins are for one subject.
However, if you want give customer ability to manage his users then I do see two possible options:
A) Remote User Sync Rules
this feature allows you to keep admin accounts for you only, no access from customer to FAC, but FAC will sync users from customer's LDAP automatically and according to set filter (just users matching LDAP filter, for example belonging to specific group/OU on LDAP/AD). This will create/remove user on FAC once created/removed in LDAP. Plus, users can be provided with 2FA token when synced, and tokens returned to pool when user get deleted (once he is not seen as matching sync filter).
This feature is used very often in situations where FAC is managed by one group/team of admins but AD/LDAP is managed by another team.
B) Guest portal
on the FAC you can create so called 'sponsor' which is admin able to manage just guest/user accounts on FAC, nothing else.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tomas,
Thanks for your reply, this is some useful information.
Our Authenticator is our LDAP server so the Guest portal or Remote user sync rules wouldn't be a lot of use.
We just need to administer the FAC ourself.
Cheers!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
just note that FortiAuthenticator is not AD or feature-packed LDAP server. I'd rather use it as RADIUS server (it's stronger in this role) towards other NAS devices, then as LDAP.
There I do not see any big difference between using FortiAuthenticator as RADIUS or LDAP on, let's say, FortiGate to authenticate users to policies/VPN/WebFilters etc.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Related Posts
- FortiAuthenticator MAB 150 Views
- Fortiauthenticator with Google LDAP Client 853 Views
- an error has occurred. if the... 1255 Views
- failed test connectivity between fortigate and fortiauthenticator 1598 Views
- FortiAuthenticator not displaying custom fields 1250 Views
Labels
-
FortiGate
6,453 -
FortiClient
1,289 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
67 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.