You can join FortiAuthenticator (FAC) to a domain. Performing authentications such as MSCHAP against an LDAP server, where passwords are stored in encrypted form, requires the RADIUS server to be joined to that domain.
Scenarios where FAC acts as your RADIUS server for an 802.1X client and the user password is stored in Windows Active Directory require FAC to join the respective domain in order to perform the authentication for NAS devices (RADIUS clients).
The configuration and monitor options below help you confirm the domain join function on your FAC:
Once you have successfully added your LDAP server to FAC, you should be able to browse the LDAP users and attributes. Make sure the LDAP service account used has enough permission to read users and the needed attributes, and is also able to join the domain.
After adding the LDAP server to FAC, you can enable “Windows Active Directory Domain Authentication”. The following information is required to join the domain:
Kerberos realm name
Domain NetBIOS name
FAC NetBIOS name
Domain Administrator service account to join the respective domain
After successful configuration, check under the Monitor tab, which will show “joined domain” if the join succeeded.
The logging section also shows whether the join succeeded or failed. If it is failing, it is most likely because one of the domain join parameters you configured is incorrect.
Finally, you can apply the setting in the RADIUS client settings/profile to perform “Windows Domain Authentication”.