Multiple authentication methods

Author
IShall
2019/04/22 16:27:01 (permalink)

Hello,
We recently purchased some Fortigates (based on pre-sales advice), having a requirement that user authentication on an SSL portal could be configured to use LDAP AND RADIUS (not OR). i.e. on logon to the portal, the user needs to enter both LDAP and RADIUS credentials.
I have got both LDAP and RADIUS to work individually, however cannot see how to force both.
Fortinet support has told me I now need to purchase a FortiAuthenticator if I want to do this.
Has anyone managed to do this or do I really need the additional kit?
 
Kind regards,
#1


    xsilver_FTNT
    Re: Multiple authentication methods 2019/04/23 00:42:03 (permalink)
    5 (1)
    I just guess that you are talking about something usually called 'chained authentication'.
    So, a situation where the user's name and password are verified against LDAP and then the 2FA token is verified against RADIUS.
     
    AFAIK you can have LDAP-based users with a 2FA token on FortiGate, but the user account is created on FortiGate, just pointing to LDAP, and the token is also a FortiToken, configured on FortiGate.
    Keep in mind that FortiGate's primary role is a firewall. Not NPS (Network Policy Server)!
     
    If you need chained authentication towards a 3rd party LDAP and another 3rd party RADIUS (two different servers), like users in LDAP and tokens in RSA, then this is supported only on FortiAuthenticator.
     
    Do you really have two separate servers for authentication?
    Could you consolidate them somehow or change the auth schema?
    (Like use FortiTokens on FortiGate directly for LDAP users, without RADIUS, or, if the mentioned RADIUS is MSFT NPS, then this could be used over RADIUS but de facto authenticating users against the AD back-end.)
     
    There are always multiple ways to set it up; it all depends on what you have, need, and are able to change.

    Kind Regards,
    Tomas
    #2
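The FortiGate-only option mentioned in the reply above (a user account created on the FortiGate that points to LDAP for the password, plus a FortiToken as second factor), as an added FortiOS CLI sketch that is not part of the original thread. The server address, DN, bind account, user name, group name and token serial are placeholders, and option names can vary between FortiOS versions.

```text
# Constructed example: all names, addresses and serials are placeholders.

# 1. LDAP server that verifies the password (first factor).
config user ldap
    edit "corp-ldap"
        set server "ldap.example.com"
        set secure ldaps
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,ou=service,dc=example,dc=com"
        set password <bind-password>
    next
end

# 2. User account defined on the FortiGate: password is checked against
#    LDAP, the one-time code against a FortiToken held by the FortiGate.
config user local
    edit "jsmith"
        set type ldap
        set ldap-server "corp-ldap"
        set two-factor fortitoken
        set fortitoken "<token-serial>"
    next
end

# 3. Group referenced by the SSL VPN portal mapping and firewall policy.
#    Add only the token-enabled local users. If the LDAP server object
#    itself is also a member, LDAP accounts without a local entry can
#    log in with a password alone.
config user group
    edit "sslvpn-2fa-users"
        set member "jsmith"
    next
end
```

This covers only the single-box case; it does not chain a third-party LDAP server to a separate third-party RADIUS server.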
    IShall
    Re: Multiple authentication methods 2019/04/25 19:05:20 (permalink)
    0
    Many thanks Tomas,
     
    Yes, the chained authentication is just what I need (as it was in the original design).
    Unfortunately the authentication servers cannot be separated as the LDAP servers are local to the country, and will determine which portal the user will see, while the RADIUS servers are located elsewhere i.e. in other countries.
    You did however give me some food for thought about alternate approaches so I will do some more thinking.
     
    Thanks again for the input.
     
    Kind regards,
    Steve.
    #3