Importing authentication clients
Authentication client information can be imported as a CSV file by selecting Import from the RADIUS client list.
The CSV file has one record per line, with the record format: client name (32 characters max), FQDN or IP address (128 characters max), secret (optional, 63 characters max).
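As an added example (not FortiAuthenticator code), the following Python checks a client list against the record format above before it is imported, so that a bad row is found before the upload rather than in the unit's error log. The client names, addresses and secrets in the embedded sample are constructed, and the FQDN rule is this example's own, since the page does not say how FortiAuthenticator validates a hostname.

```python
import csv
import io
import ipaddress
import re

# Field limits from the CSV record format: name, FQDN or IP address, optional secret.
MAX_NAME = 32
MAX_HOST = 128
MAX_SECRET = 63

# RFC 1123 style label check; our own rule, not FortiAuthenticator's.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value: str) -> bool:
    """True for a dotted hostname of at least two valid labels."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_clients_csv(text: str):
    """Return (records, errors): records is a list of dicts for rows that fit the
    format; errors is a list of (line_number, message) for rows that do not."""
    records, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not f.strip() for f in row):
            continue  # blank line
        fields = [f.strip() for f in row]
        if len(fields) not in (2, 3):
            errors.append((lineno, f"expected 2 or 3 fields, got {len(fields)}"))
            continue
        name, host = fields[0], fields[1]
        secret = fields[2] if len(fields) == 3 else ""  # secret is optional
        problems = []
        if not name or len(name) > MAX_NAME:
            problems.append(f"client name must be 1-{MAX_NAME} characters")
        if len(host) > MAX_HOST or not (is_ip(host) or is_fqdn(host)):
            problems.append(f"second field must be an IP address or FQDN (max {MAX_HOST})")
        if len(secret) > MAX_SECRET:
            problems.append(f"secret must be at most {MAX_SECRET} characters")
        if problems:
            errors.append((lineno, "; ".join(problems)))
        else:
            records.append({"name": name, "host": host, "secret": secret})
    return records, errors


# Constructed sample file: hosts and secrets are made up for this example.
SAMPLE_CSV = """\
fw-hq,10.0.0.1,S3cr3t-Shared-Key
fw-branch,fw-branch.example.com
this-client-name-is-far-too-long-for-the-format,10.0.0.2,x
fw-bad-host,not a host,abc
"""

if __name__ == "__main__":
    recs, errs = parse_clients_csv(SAMPLE_CSV)
    for r in recs:
        print("OK      ", r["name"], r["host"], "(no secret)" if not r["secret"] else "")
    for ln, msg in errs:
        print("REJECTED line", ln, ":", msg)
```

Rows without a secret are accepted because the format marks it optional; they are worth reviewing before import anyway, since the shared secret is what authenticates the client to the RADIUS service.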
Realms
Realms allow multiple domains to authenticate to a single FortiAuthenticator unit. They support both LDAP and RADIUS remote servers. Each RADIUS realm is associated with a name, such as a domain or company name, that is used during the login process to indicate the remote (or local) authentication server on which the user resides.
For example, the username of the user PJFry, belonging to the company P_Express, would become any of the following, depending on the selected format:
- PJFry@P_Express
- P_Express\PJFry
- P_Express/PJFry
The FortiAuthenticator uses the specified realm to identify the back-end RADIUS or LDAP authentication server or servers that are used to authenticate the user.
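The following added Python example (not FortiAuthenticator code) shows the two steps just described: splitting a login in any of the three formats into username and realm, and mapping the realm to the user source it identifies. The realm table, the user-source labels and the case-insensitive matching are assumptions made for the example; the point to note is that a login whose realm is not configured is rejected rather than sent to some default server.

```python
from typing import Dict, Optional, Tuple

# Assumed realm table, as it would be entered under Authentication > RADIUS Service > Realms.
# The realm names and user-source labels are made up for this example.
REALMS: Dict[str, str] = {
    "p_express": "LDAP server ad-p-express",
    "local": "Local users",
}


def split_realm(login: str) -> Tuple[str, Optional[str]]:
    """Split a login into (username, realm) for the three formats
    user@realm, realm\\user and realm/user. Realm is None if there is no separator."""
    if "@" in login:
        user, realm = login.rsplit("@", 1)   # rightmost '@', in case the user part is e-mail-like
    elif "\\" in login:
        realm, user = login.split("\\", 1)
    elif "/" in login:
        realm, user = login.split("/", 1)
    else:
        return login, None
    return user, realm


def resolve_user_source(login: str, realms: Dict[str, str] = REALMS,
                        default_realm: Optional[str] = None) -> Optional[Tuple[str, str, str]]:
    """Map a login to (username, realm, user source). Returns None when the request
    must be rejected: an unknown realm, an empty username, or no realm when no
    default realm is configured. Realm matching is case-insensitive by this example's choice."""
    user, realm = split_realm(login)
    if realm is None:
        if default_realm is None:
            return None
        realm = default_realm
    source = realms.get(realm.lower())
    if source is None or not user:
        return None
    return user, realm, source


if __name__ == "__main__":
    for login in ("PJFry@P_Express", r"P_Express\PJFry", "P_Express/PJFry", "PJFry", "PJFry@Nowhere"):
        print(f"{login:18} -> {resolve_user_source(login)}")
```

The lookup in resolve_user_source is also the place where a per-client restriction on acceptable realms (see Clients) would be applied, by passing only the realms allowed for that RADIUS client.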
Acceptable realms can be configured per RADIUS client when configuring RADIUS service clients. See Clients on page 92.
To manage the realms, go to Authentication > RADIUS Service > Realms.
Create New | Select to create a new realm. |
Delete | Select to delete the selected realm or realms. |
Edit | Select to edit the selected realm. |
Name | The names of the realms. |
User Source | The source of the users in the realms. |
To create a new realm:
- From the realms list, select Create New. The Create New Realm window opens.
- Enter a name for the realm in the Name field.
- Select the user source for the realm from the User source drop-down list. The options include local users, or users from specific RADIUS or LDAP servers.
- Select OK to create the new realm.
Extensible authentication protocol
The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. EAP settings can be configured from Authentication > RADIUS Service > EAP. See EAP on page 101 for more information.
LDAP service
LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response protocol.
In the LDAP protocol there are a number of operations a client can request, such as search, compare, and adding or deleting an entry. Binding is the operation in which the LDAP server authenticates the user. If the user is successfully authenticated, the bind gives the user access to the LDAP server according to that user's permissions.
General
To configure general LDAP service settings, go to Authentication > LDAP Service > General.
LDAP server certificate | Select the certificate that the LDAP server will present from the drop-down list. |
Certificate authority type | Select either Local CA or Trusted CA. |
CA certificate that issued the server certificate | Select the CA certificate that issued the server certificate from the dropdown list. |
Select OK to apply any changes that you have made.
Directory tree overview
The LDAP tree defines the hierarchical organization of user account entries in the LDAP database. The FortiGate unit requesting authentication must be configured to address its request to the right part of the hierarchy.
An LDAP server's hierarchy often reflects the hierarchy of the organization it serves. The root represents the organization itself and is usually defined by Domain Component (DC) entries taken from a DNS domain such as example.com (because the name contains a dot, it is written as two parts separated by a comma: dc=example,dc=com). Additional levels of hierarchy can be added as needed; these include:
- Country (c)
- User Group (cn)
- User (uid)
- Organization (o)
- Organizational Unit (ou)
The user account entries relevant to user authentication are identified by attributes such as user ID (uid) or common name (cn), the user's name. Each entry is placed at its appropriate place in the hierarchy.
Complex LDAP hierarchies are more common in large organizations where users in different locations and departments have different access rights. For basic authenticated access to your office network or the Internet, a much simpler LDAP hierarchy is adequate.
The following is a simple example of an LDAP hierarchy in which all user account entries reside at an Organizational Unit (OU) level, ou=People, directly below the DC root dc=example,dc=com.
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy where the user account record can be found. This is the base Distinguished Name (DN) of the search. In the above example, the DN is ou=People,dc=example,dc=com.
The authentication request must also specify the particular user account entry. Although this is often called the Common Name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use UID, the person’s user ID, as that is the information that they will provide at logon.
Creating the directory tree
The following sections provide a brief explanation of each part of the LDAP directory, the attribute commonly used to represent it, and how to configure it on FortiAuthenticator.
Editing the root node
The root node is the top level of the LDAP directory. There can be only one. All groups, OUs, and users branch off from the root node. Choose a DN that makes sense for your organization’s root node.
There are three common forms of DN entries:
The most common consists of one or more DC elements making up the DN. Each part of the domain has its own DC entry. This comes directly from the DNS entry for the organization. For example, for example.com, the DN entry is “dc=example,dc=com”.
Another popular method is to use the company’s Internet presence as the DN. This method uses the domain name as the DN. For example, for example.com, the DN entry would be “o=example.com”.
An older method is to use the company name with a country entry. For example, for Example Inc. operating in the United States, the DN would be o="Example, Inc.",c=US (in LDAPv3 DN syntax the comma inside the value is escaped instead of quoted: o=Example\, Inc.,c=US). This makes less sense for international companies.
To rename the root node:
- Go to Authentication > LDAP Service > Directory Tree.
- Select dc=example,dc=com to edit the entry.
- In the Distinguished Name (DN) field, enter a new name.
Example: "dc=fortinet,dc=com".
- Select OK to apply your changes.
If your domain name has multiple parts to it, such as shiny.widgets.example.com, each part of the domain should be entered as part of the DN, for example: dc=shiny,dc=widgets,dc=example,dc=com
Adding nodes to the LDAP directory tree
You can add a subordinate node at any level in the hierarchy as required.
To add a node to the tree:
- From the LDAP directory tree, select the green plus symbol next to the DN entry where the node will be added.
The Create New LDAP Entry window opens.
- In the Class field, select the identifier to use.
For example, to add the ou=People node from the earlier example, select Organizational Unit (ou).
- Select the required value from the drop-down list, or select Create New to create a new entry of the selected class.
- Select OK to add the node.
Nodes can be edited after creation by selecting the edit, or pencil, icon next to the node name.
Adding user accounts to the LDAP tree
You must add user account entries at the appropriate place in the LDAP tree. These users must already be defined in the FortiAuthenticator user database. See Adding a user on page 59.
To add a user account to the tree:
- From the LDAP directory tree, expand nodes as needed to find the required node, then select the node’s green plus symbol.
In the earlier example, you would do this on the ou=People node.
- In the Class field, select User(uid).
The list of available users is displayed. You can choose to display them alphabetically by either user group or user.
- Select the required users in the Available Users box and move them to the Chosen Users box.
- Select OK to add the user account to the tree.
You can verify your users were added by expanding the node to see their UIDs listed below it.
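The following added Python example (not FortiAuthenticator code) ties the directory-tree sections together: it builds the page's example tree in memory (root dc=example,dc=com, ou=People below it, users below that), derives a root DN from a multi-part domain name, escapes a comma inside an RDN value, and then performs the search-then-bind sequence that an LDAP client such as a FortiGate uses against it. The in-memory tree, the user pjfry and the passwords are constructed for the example; the toy stores clear-text userPassword values, where a real directory stores a hash.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


def domain_to_dn(domain: str) -> str:
    """Root DN in DC form: each DNS label becomes one dc= part."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a comma inside it does not split the DN."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


@dataclass
class Entry:
    rdn: str                                      # e.g. "ou=People" or "uid=pjfry"
    attrs: Dict[str, str] = field(default_factory=dict)
    children: Dict[str, "Entry"] = field(default_factory=dict)


class DirectoryTree:
    """Toy in-memory directory: one root node, subordinate nodes, user entries."""

    def __init__(self, root_dn: str):
        self.root_dn = root_dn
        self.root = Entry(root_dn)

    def _lookup(self, dn: str) -> Optional[Entry]:
        if dn == self.root_dn:
            return self.root
        suffix = "," + self.root_dn
        if not dn.endswith(suffix):
            return None                           # DN is not under this root
        node = self.root
        for rdn in reversed(dn[:-len(suffix)].split(",")):   # DN is written leaf-first
            node = node.children.get(rdn)
            if node is None:
                return None
        return node

    def add(self, parent_dn: str, rdn: str, **attrs) -> str:
        """Add a subordinate node (ou=, cn=, uid=) under parent_dn; returns its DN."""
        parent = self._lookup(parent_dn)
        if parent is None:
            raise KeyError(f"no such entry: {parent_dn}")
        if rdn in parent.children:
            raise ValueError(f"entry already exists: {rdn},{parent_dn}")
        parent.children[rdn] = Entry(rdn, attrs=dict(attrs))
        return f"{rdn},{parent_dn}"

    def search_uid(self, base_dn: str, uid: str) -> Optional[str]:
        """Subtree search for (uid=<uid>) below base_dn; returns the entry DN or None."""
        base = self._lookup(base_dn)
        if base is None:
            return None                           # wrong base DN: nothing is found
        stack = [(base, base_dn)]
        while stack:
            node, dn = stack.pop()
            if node.rdn == f"uid={uid}":
                return dn
            stack.extend((child, f"{child_rdn},{dn}") for child_rdn, child in node.children.items())
        return None

    def simple_bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only if the DN exists and the password matches."""
        node = self._lookup(dn)
        stored = node.attrs.get("userPassword", "") if node else ""
        # Constant-time compare; an unknown DN fails the same way as a wrong password.
        return node is not None and hmac.compare_digest(stored, password)


def build_example_tree() -> DirectoryTree:
    """The page's example tree. User and password are constructed for this example."""
    tree = DirectoryTree(domain_to_dn("example.com"))
    people = tree.add(tree.root_dn, "ou=People")
    tree.add(people, "uid=pjfry", cn="Philip J. Fry", userPassword="correct-horse")
    return tree


def authenticate(tree: DirectoryTree, base_dn: str, uid: str, password: str) -> Optional[str]:
    """What an LDAP client does: search for the uid under the configured base DN,
    then bind as the DN that was found. Returns the user DN on success, else None."""
    user_dn = tree.search_uid(base_dn, uid)
    if user_dn is None:
        return None
    return user_dn if tree.simple_bind(user_dn, password) else None


if __name__ == "__main__":
    t = build_example_tree()
    print(authenticate(t, "ou=People,dc=example,dc=com", "pjfry", "correct-horse"))
    print(authenticate(t, "ou=Staff,dc=example,dc=com", "pjfry", "correct-horse"))  # wrong base DN
```

The second call fails even with the right password, which is the point of the directory-tree overview above: a client configured with a base DN that does not cover the user's entry never reaches the bind step.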
I am trying to get users to be able to do a password change when they VPN into the network after their password expires.
One issue I am running into is on the Authenticator, under Monitor, the status of the connection only says “Joined AD” and “not connected”. Do you know why?
I am experiencing the same problem