new to fortiauthenticator, how does it work?

abdulmoiz2006 (New Member), 2021/06/08 08:04:01


Hi guys, I am deploying a new FortiAuthenticator and have a few questions, if you could help:

- Can I authenticate Cisco switches with FAC, so that when I log in via SSH or console it checks with FAC?
- How does FAC work? I have many FortiGates, so will FAC be linked with the FGT and users access via FortiClient, or how?
I am a little confused here: can we link FAC to a Cisco switch and do 802.1X port-based or MAC authentication, or do we need to link it with the FGT?
#1
Yurisk (Platinum Member, Israel), 2021/06/08 21:14:18 (marked helpful by abdulmoiz2006, 2021/06/09 08:59:10)
Think of FAC as a RADIUS server; it makes understanding much easier. As a consequence of that:

- Yes, Cisco switches/routers will work with FAC for CLI user authentication using the usual aaa authentication ... group radius
- FAC works by providing RADIUS services to the authenticating clients, while using Windows AD or its own local database as the source of users/passwords. Usually you link FAC to AD via the LDAP protocol, and then those users can authenticate against FAC using their AD credentials.
- How you use it depends on what you need. By FortiClient (FC) you most probably mean remote VPN connecting to FortiGates; then yes, FC connects to some FortiGate linked to FAC and authenticates the user against FAC.
- FAC additionally supports SSO/SAML and probably other stuff (which I don't use), so I can't comment much on it.
- From experience, the most frequent use case for FAC is registering FortiTokens with it for MFA; this way a user can have just one FortiToken and connect to any device linked to FAC.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.
#2
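To make the "think of FAC as a RADIUS server" model concrete, here is an added example (not code from this thread, from Fortinet, or from Cisco) that builds the RADIUS Access-Request a switch sends to FAC for an SSH login, hides the User-Password the way RFC 2865 section 5.2 requires, and performs the client-side check of the server's Response Authenticator. The shared secret, user name, password and authenticator are constructed sample values, and the secret stands in for whatever is entered on the FAC RADIUS client entry.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for an offline demonstration: the secret is hypothetical and
# stands in for the shared secret configured on the FAC RADIUS client entry.
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def attr(kind, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def pap_transform(data, secret, req_auth, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + prev), where prev is the Request Authenticator and then the
    previous cipher block. decrypt=True is the server-side inverse (padding stripped)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(ident, user, password, secret=SECRET, req_auth=None):
    """Access-Request as a switch sends it for a CLI login; returns (packet, auth)."""
    req_auth = req_auth or os.urandom(16)          # fresh per request, never reused
    attrs = attr(USER_NAME, user) + attr(
        USER_PASSWORD, pap_transform(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_response(code, ident, attrs, req_auth, secret=SECRET):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, req_auth, secret=SECRET):
    """Client side: recompute the authenticator before trusting an Accept or Reject,
    so a reply forged by a host that lacks the shared secret is not acted on."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

The same Response Authenticator check is what lets a switch or FortiGate trust an Access-Accept from FAC, which is why the shared secret must match exactly on both sides and should not be reused across NAS devices.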
abdulmoiz2006 (New Member), 2021/06/09 04:04:57

Thanks Yurisk, you are awesome.
- How about the computer users, how will they authenticate with FAC?
- How can computers be authenticated? Is there anything besides MAB and dot1x?
Is there any place or link where I could get a sample config that I can look at to configure my FAC and Cisco switches?
#3
Yurisk (Platinum Member, Israel), 2021/06/09 06:06:22 (marked helpful by abdulmoiz2006, 2021/06/09 08:59:03)
- Local PCs/users can authenticate either via the FAC SSO web-based portal or transparently if they have the FortiClient SSO Mobility Agent installed. You CAN get it working without AD by creating local users on FAC; I just haven't seen someone doing it in production, as usually there is already an AD infrastructure in place.
- Fortinet have their own FortiNAC, which I guess does all the 802.1X stuff, but I haven't worked with it yet.
- If the FAC admin guide is too much for a first time, there are quite good videos by Fortinet introducing the initial configs and principles of work: https://video.fortinet.com/products. There are example configurations, but they are not sorted by complexity, and it gives some 1000+ results, but here it is: search in Google for fortiauthenticator site:kb.fortinet.com

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.
#4
abdulmoiz2006 (New Member), 2021/06/09 06:18:19

- I am doing a new deployment with around 100 branch offices, so there will definitely be AD later on; for the moment I will test FAC with local users.

So FortiNAC is for dot1x port-based authentication, but I see in FAC there is a RADIUS and TACACS+ service where we can configure clients and policies, so I think we can do access levels, e.g. to determine the privilege level when you log in to a router, or to push a dynamic access-list for a VPN user (I thought we could also do dot1x port-based authentication with FAC).

- For the FortiClient or web-based portal authentication, do I have to configure the switch (as a supplicant) or link FAC with the FGT (as a client or supplicant), and when connecting via FortiClient will it use the FGT to check user credentials on FAC?
post edited by abdulmoiz2006 - 2021/06/09 06:39:08
#5