Remote LDAP password change
Windows AD users can conveniently change their passwords through FortiAuthenticator without a Windows AD system administrator having to make provisioning changes on the network. FortiAuthenticator supports three ways to change a password: RADIUS Login, GUI User Login, and GUI User Portal.
RADIUS Login
For the method to work, all of the following conditions must be met:
- FortiAuthenticator has joined the Windows AD domain
- The RADIUS client has been configured to “Use Windows AD domain authentication”
- The RADIUS authentication request uses MS-CHAPv2
- The RADIUS client must also support MS-CHAPv2 password change
A “change password” response is produced that FortiAuthenticator recognizes; this allows the NAS and the Windows AD server to cooperate and complete the password change.
GUI User Login
For this method to work, one of the following conditions must be met:
- FortiAuthenticator has joined the Windows AD domain
- Secure LDAP is enabled and the LDAP admin (i.e. regular bind) has the permissions to reset user passwords
You must log in via the GUI portal. FortiAuthenticator will validate the user password against a Windows AD server. The Windows AD server will return with a “change password” response. If that happens, the user will be prompted to enter a new password.
GUI User Portal
For this method to work, one of the following conditions must be met:
- FortiAuthenticator has joined the Windows AD domain
- Secure LDAP is enabled
Once successfully logged into the GUI, the user has access to the user portal. If desired, the user can change their password in the user portal.
RADIUS
If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers. This feature can also be used to migrate away from third-party two-factor authentication platforms.
To add a remote RADIUS server entry:
- Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
- Enter the following information, then select OK to add the RADIUS server.
| Field | Description |
| --- | --- |
| Name | Enter the name for the remote RADIUS server on FortiAuthenticator. |
| Primary Server | Enter the server name or IP address, port, and secret in their respective fields to configure the primary server. |
| Secondary Server | Optionally, add redundancy by configuring a secondary server. |
| User Migration | Select Enable learning mode to record and learn users that authenticate against this RADIUS server. Enable this option if you need to migrate users from the server to the FortiAuthenticator. Select View Learned Users to view the list of learned users. See Learned RADIUS users on page 131. |
RADIUS service
Before the FortiAuthenticator unit can accept RADIUS authentication requests from a FortiGate unit, the FortiGate unit must be registered as an authentication client on the FortiAuthenticator unit.
The FortiAuthenticator RADIUS server is already configured and running with default values. Each user account on the FortiAuthenticator unit has an option to authenticate the user using the RADIUS database.
Every time there is a change to the list of RADIUS authentication clients, two log messages are generated: one for the client change, and one to state that the RADIUS server was restarted to apply the change.
The FortiAuthenticator unit allows both RADIUS and remote authentication for RADIUS authentication client entries. If you want to use a remote server, you must configure it first so that you can select it in the RADIUS authentication client configuration; see Remote authentication servers on page 88. You can configure the built-in LDAP server before or after creating client entries; see LDAP service on page 95.
Clients
RADIUS accounting clients can be managed from Authentication > RADIUS Service > Clients.
Clients can be added, imported, deleted, edited, and cloned as needed.
To configure a RADIUS accounting client:
- From the RADIUS client list, select Create New to add a new RADIUS client. The Add RADIUS client window opens.
- Enter the following information:
| Field | Description |
| --- | --- |
| Name | A name to identify the FortiGate unit. |
| Client name/IP | The FQDN or IP address of the unit. |
| Secret | The RADIUS passphrase that the FortiGate unit will use. |
| Description | Optionally, enter information about the FortiGate unit. |
| Authentication method | Select one of the following: Enforce two-factor authentication; Apply two-factor authentication if available (authenticate any user); Password-only authentication (exclude users without a password); FortiToken-only authentication (exclude users without a FortiToken). |
| Username input format | Select one of the following three username input formats: username@realm, realm\username, or realm/username. |
| Realms | Add realms to which the client will be associated. See Realms on page 94. Select a realm from the drop-down list in the Realm column; select whether or not to allow local users to override remote users for the selected realm; select whether or not to use Windows AD domain authentication; edit the group filter as needed, that is, filter users based on the groups they are in; if necessary, add more realms to the list; and select the realm that will be the default realm for this client. |
| Allow MAC-based authentication | To allow 802.1X authentication for non-interactive devices, FortiAuthenticator can identify and bypass authentication for a device based on its MAC address. This is used for devices that do not allow the usual username or password input to perform 802.1X authentication, such as network printers. Enter these units in Authentication > User Management > MAC Devices. For more information, see MAC devices on page 72. |
| Require Call-Check attribute for MAC-based auth | The FortiAuthenticator unit expects the username and password attributes to be set to the source MAC address. This option also requires a Service-Type attribute set to Call-Check and a Calling-Station-Id attribute set to the source MAC address. |
| Check machine authentication | Select to check machine-based authentication, and apply groups based on the success or failure of the authentication. See Machine authentication on page 53. |
| Override group membership when | Select the conditions for when a group membership can be overridden from the Only machine-authenticated and Only user-authenticated drop-down lists. |
| EAP types | Select the 802.1X EAP authentication types to accept. If you require mutual authentication, select EAP-TLS. For more information, see EAP on page 101. |
- Select OK to add the new RADIUS client.
If authentication is failing, check that the authentication client is configured and that its IP address is correctly specified. Common causes of problems are:
- RADIUS packets being sent from an unexpected interface or IP address.
- NAT being performed between the authentication client and the FortiAuthenticator unit.
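As an added example (not FortiAuthenticator code), the following Python models two request-shape rules from the client table above: splitting the realm from the user name according to the configured Username input format, and checking that a MAC-based request has the form the "Require Call-Check attribute for MAC-based auth" option expects. It works on an already-decoded attribute dictionary; the sample values are constructed and the attribute names are standard RADIUS (RFC 2865).

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not FortiAuthenticator code. Operates on an already-decoded
# attribute dictionary; attribute names are standard RADIUS (RFC 2865).

def split_realm(user_name: str, fmt: str) -> Tuple[str, Optional[str]]:
    """Split User-Name into (username, realm) per the client's configured
    "Username input format". realm is None when no separator is present,
    in which case the client's default realm applies."""
    if fmt == "username@realm":
        user, sep, realm = user_name.rpartition("@")
        return (user, realm) if sep else (user_name, None)
    if fmt in ("realm\\username", "realm/username"):
        sep_char = "\\" if fmt.startswith("realm\\") else "/"
        realm, sep, user = user_name.partition(sep_char)
        return (user, realm) if sep else (user_name, None)
    raise ValueError(f"unknown username input format: {fmt!r}")


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.
    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455, 001122334455."""
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def is_call_check_mac_request(attrs: Dict[str, str]) -> bool:
    """Shape required when "Require Call-Check attribute for MAC-based auth" is
    set: User-Name and User-Password carry the source MAC, Service-Type is
    Call-Check, and Calling-Station-Id is the same MAC. Anything else is not
    treated as a MAC-based request and must authenticate normally."""
    if attrs.get("Service-Type") != "Call-Check":
        return False
    mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if mac is None:
        return False
    return (normalize_mac(attrs.get("User-Name", "")) == mac
            and normalize_mac(attrs.get("User-Password", "")) == mac)


if __name__ == "__main__":
    # Constructed sample request from a switch doing MAC-based authentication.
    printer = {"User-Name": "00:11:22:33:44:55", "User-Password": "001122334455",
               "Service-Type": "Call-Check", "Calling-Station-Id": "00-11-22-33-44-55"}
    print(is_call_check_mac_request(printer))            # True
    print(split_realm("CORP\\alice", "realm\\username"))  # ('alice', 'CORP')
```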
Client profile attributes
FortiAuthenticator supports a single authentication profile for each RADIUS Auth Client. Because RADIUS authentication requests for different authentication requirements (for example IPSec/SSL VPN, Web Filtering Override, Wireless Authentication, and so on) originate from the same IP address, the requirements cannot be told apart by source address alone, yet they need different profiles. To distinguish the authentication requirements, you can add attributes to them.
Attributes (which can be added to authentication requirements) indicate the type of service the user has requested, or the type of service to be provided.
Each FortiAuthenticator Auth Client Profile can contain up to two RADIUS Attributes.
A request matches a profile only if all of the attributes specified in that profile match; otherwise, processing falls through to the next profile (profiles are processed in top-down order).
The profiles created can be re-arranged in terms of priority. FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each profile, starting with the highest-priority profile, and moves down the list until it finds a match. FortiAuthenticator uses the first profile that it matches.
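The following Python is an added model of the matching rule just described (all attributes in a profile must match, profiles are evaluated top-down, the first match wins, and a profile holds at most two attributes); it is not FortiAuthenticator's implementation, and the profile names and sample request attributes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example modelling the matching rule above; not FortiAuthenticator code.
MAX_PROFILE_ATTRIBUTES = 2  # limit stated for each Auth Client Profile


@dataclass
class AuthClientProfile:
    name: str
    # RADIUS attribute name -> required value. An empty dict matches every request.
    match: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if len(self.match) > MAX_PROFILE_ATTRIBUTES:
            raise ValueError(f"{self.name}: at most {MAX_PROFILE_ATTRIBUTES} attributes")

    def matches(self, request: Dict[str, str]) -> bool:
        # Every specified attribute must be present with exactly the configured value.
        return all(request.get(attr) == value for attr, value in self.match.items())


def select_profile(request: Dict[str, str],
                   profiles: List[AuthClientProfile]) -> Optional[str]:
    """Evaluate profiles in list (priority) order and return the name of the
    first full match, or None when nothing matches so the caller can reject."""
    for profile in profiles:
        if profile.matches(request):
            return profile.name
    return None


# Constructed profiles for one FortiGate auth client, highest priority first.
# Order matters: a catch-all placed above the others would shadow them.
PROFILES = [
    AuthClientProfile("wireless-8021x", {"NAS-Port-Type": "Wireless-802.11",
                                         "Service-Type": "Framed-User"}),
    AuthClientProfile("ssl-vpn", {"NAS-Port-Type": "Virtual"}),
    AuthClientProfile("catch-all"),
]

if __name__ == "__main__":
    # Wireless request whose Service-Type differs: the first profile fails on
    # that one attribute, ssl-vpn does not match, so it falls to catch-all.
    print(select_profile({"NAS-Port-Type": "Wireless-802.11",
                          "Service-Type": "Login-User"}, PROFILES))  # catch-all
    print(select_profile({"NAS-Port-Type": "Virtual"}, PROFILES))    # ssl-vpn
```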
I am trying to get users to be able to do a password change when they VPN into the network after their password expires.
One issue I am running into is on the Authenticator under monitor the status of the connection only says “Joined AD” and “not connected”. Do you know why?
I am experiencing the same problem