Managing Forti-Authenticator With a Remote LDAP Account for Easy Administration

To let Forti-Authenticator (FAC) be managed by a remote administrator account, all you need to do is pick one of your LDAP-managed users and make it an administrator.

First, add your LDAP profile. For that you need a service account on the directory (an Active Directory service account is recommended) for the "FAC <-> LDAP" connection; FAC uses it for LDAP bind and search operations. Keep its privileges to the minimum the integration needs: plain bind and search only require read access to the user objects.

Note that the same LDAP service account can also be used to join FAC to the Active Directory domain (this needs more than read access, namely the right to add a computer object to the domain) and for a few other operations that require domain credentials.

Below you can see that the LDAP profile was created successfully and that the user "Praveen" was imported into FAC manually.

Finally, promote the remote LDAP user account to an Administrator role.

Important Note:

Once you promote a remote user to administrator, that account no longer syncs to the HA load-balancer slave.

In v5.x and v6.0 you cannot sync a remote administrator account to an HA load-balancing slave device at all.

From v6.1 onwards (a new feature) you can, by enabling sync in HA load-balancing mode, which is found under the user account management section.


Disconnect User Network Access through Forti-Authenticator Usage profile

 

Goal: disconnect the user (or stop allowing network access) once a certain usage has been reached.

 

STEP 1:

Configure your FortiGate/NAS to send user accounting information to Forti-Authenticator after successful user authentication. In this case Forti-Authenticator is used as the authentication server as well.

#Sample RADIUS configuration on the FortiGate:

config user radius
    edit "10.47.1.148"
        set server "10.47.1.148"
        set secret ENC zMbdF/mNYBr5a4Cc3cP
        set nas-ip 192.168.242.80
        set acct-interim-interval 600
        set radius-coa enable
        config accounting-server
            edit 1
                set status enable
                set server "10.47.1.148"
                set secret ENC nGw/l5GCxHSymW3SnXGJKgmk
                set port 1646
            next
        end
    next
end

Note: Port 1646 is the port used for accounting traffic between the FortiGate and Forti-Authenticator in this setup. It is the legacy RADIUS accounting port (the IANA-assigned one is 1813), so whichever you use, the port under accounting-server on the FortiGate must match the accounting port FAC listens on.

Interim accounting (set acct-interim-interval 600) and CoA (set radius-coa enable) are enabled.

STEP 2:

Make sure the accounting monitor is enabled on the FAC interface that talks to the NAS/FortiGate.

2

 

STEP 3:

On the RADIUS client profile for the FortiGate, enable "Accept Accounting" and CoA support. The shared secret in this profile must match the secrets configured on the FortiGate for both authentication and accounting; otherwise FAC silently drops the packets.

STEP 4 :

Configure a usage profile with a time or data limit.

STEP 5 :

Apply the usage profile to a user, a user group or a device.

Remember to add the RADIUS attribute Acct-Interim-Interval, set to 600 seconds, once; it matches the acct-interim-interval of 600 configured on the FortiGate, so that FAC receives usage updates every ten minutes.

 

STEP 6:

After successful authentication, once RADIUS accounting information has been received, you will see something like the sample below.

Navigation: Monitor -> RADIUS Accounting

STEP 7:

If FAC (Forti-Authenticator) finds that the user has crossed the time or data (usage) limit, it sends a CoA message (an RFC 5176 disconnect) to the FortiGate and also disables the user on FAC.

STEP 8:

User session state on the FortiGate

==> User session before being disconnected/bounced from the network

Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"
    10.120.0.125, test1, captive FAC user
        src_mac: 00:0c:29:xx:xx:xx
        type: fw, id: 0, duration: 547, idled: 64
        expire: 236, allow-idle: 300
        flag(30): radius idle
        server: 10.47.8.250

 

==> User session after being disconnected/bounced from the network (the entry is gone)

Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"

Alza-kvm21 #
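The exchange behind STEP 1 through STEP 7, as an added example in Python that is not part of the original page and not FortiGate or Forti-Authenticator code: a constructed NAS emits RFC 2866 Accounting-Request packets (Start and Interim-Update with Acct-Session-Time and octet counters), a stand-in for FAC verifies each packet's Request Authenticator with the shared secret, applies a usage profile and, once the limit is crossed, disables the user and builds an RFC 5176 Disconnect-Request (the CoA message from STEP 7). Both sides run in-process with no sockets; the shared secret, the user "test1", the session id and the byte counts are assumptions, and the standard attribute numbers are from RFC 2865/2866.

```python
"""Constructed simulation of the STEP 1-7 flow: the NAS sends RADIUS accounting (RFC 2866), the
server verifies each Request Authenticator, tracks the session against a usage profile and, once
the limit is crossed, disables the user and emits an RFC 5176 Disconnect-Request (CoA). Added
example, not FortiGate/FortiAuthenticator code; secret, user, session id and byte counts are assumed."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, DISCONNECT_REQUEST = 4, 40                 # RADIUS packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS = 1, 40, 42     # attribute types
ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID, ACCT_SESSION_TIME = 43, 44, 46
ACCT_INTERIM_INTERVAL = 85                                     # the 600 s attribute from STEP 5
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3                  # Acct-Status-Type values
SECRET = b"constructed-shared-secret"                          # assumption: the shared secret

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = b""
    for t, v in attrs:
        v = struct.pack("!I", v) if isinstance(v, int) else v
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse TLVs into a dict (each attribute occurs at most once in this example)."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs

def build_request(code, ident, attrs, secret):
    """Accounting-Request and Disconnect-Request use MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident & 0xFF, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def verify_request(pkt, secret):
    """Recompute the authenticator: without the secret nobody can inject accounting or spoof a disconnect."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expect = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expect, pkt[4:20])

def nas_accounting(ident, status, user, sid, seconds=0, in_octets=0, out_octets=0):
    """What the NAS sends at Start, at every interim interval (600 s here) and at Stop."""
    attrs = [(USER_NAME, user.encode()), (ACCT_SESSION_ID, sid.encode()), (ACCT_STATUS_TYPE, status),
             (ACCT_SESSION_TIME, seconds), (ACCT_INPUT_OCTETS, in_octets),
             (ACCT_OUTPUT_OCTETS, out_octets), (ACCT_INTERIM_INTERVAL, 600)]
    return build_request(ACCOUNTING_REQUEST, ident, attrs, SECRET)

class UsageProfile:
    """STEP 4: a time (seconds) and/or data (bytes) limit."""
    def __init__(self, max_seconds=None, max_bytes=None):
        self.max_seconds, self.max_bytes = max_seconds, max_bytes
    def exceeded(self, seconds, nbytes):
        return ((self.max_seconds is not None and seconds >= self.max_seconds)
                or (self.max_bytes is not None and nbytes >= self.max_bytes))

class AccountingServer:
    """Stand-in for FAC: accepts accounting, applies the profile, sends CoA when it is breached."""
    def __init__(self, secret, profile):
        self.secret, self.profile = secret, profile
        self.sessions, self.disabled, self.coa_sent = {}, set(), []
    def handle(self, pkt):
        if not verify_request(pkt, self.secret):
            return "rejected"                       # wrong or missing secret: drop it
        a = decode_attrs(pkt[20:])
        user, sid = a[USER_NAME].decode(), a[ACCT_SESSION_ID].decode()
        status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
        if status == ACCT_STOP:
            self.sessions.pop(sid, None)
            return "stop"
        seconds = struct.unpack("!I", a[ACCT_SESSION_TIME])[0]
        nbytes = sum(struct.unpack("!I", a[t])[0] for t in (ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS))
        self.sessions[sid] = {"user": user, "seconds": seconds, "bytes": nbytes}
        if status == ACCT_INTERIM and self.profile.exceeded(seconds, nbytes):
            self.disabled.add(user)                 # STEP 7: disable the user at FAC ...
            coa_attrs = [(USER_NAME, user.encode()), (ACCT_SESSION_ID, sid.encode())]
            self.coa_sent.append(build_request(DISCONNECT_REQUEST, 1 + len(self.coa_sent), coa_attrs, self.secret))
            return "disconnect"                     # ... and a Disconnect-Request goes to the NAS
        return "start" if status == ACCT_START else "interim"

def demo():
    """Constructed session under a 100 MB data cap with interim updates every 600 s."""
    srv = AccountingServer(SECRET, UsageProfile(max_bytes=100 << 20))
    results = [srv.handle(nas_accounting(1, ACCT_START, "test1", "sess-1")),
               srv.handle(nas_accounting(2, ACCT_INTERIM, "test1", "sess-1", 600, 30 << 20, 20 << 20)),
               srv.handle(nas_accounting(3, ACCT_INTERIM, "test1", "sess-1", 1200, 70 << 20, 45 << 20))]
    # a Stop record signed with the wrong secret must be ignored, not clear the session
    forged = [(USER_NAME, b"test1"), (ACCT_SESSION_ID, b"sess-1"), (ACCT_STATUS_TYPE, ACCT_STOP)]
    results.append(srv.handle(build_request(ACCOUNTING_REQUEST, 4, forged, b"wrong-secret")))
    return {"results": results, "disabled": sorted(srv.disabled), "sessions": srv.sessions, "coa": srv.coa_sent}

if __name__ == "__main__":
    print(demo()["results"])
```

Running it gives the sequence start, interim, disconnect, rejected: the second interim update pushes the session past the 100 MB cap, so the server disables test1 and queues a Disconnect-Request carrying the same User-Name and Acct-Session-Id; a real FortiGate would receive that packet on the RFC 5176 default port (UDP 3799) because of set radius-coa enable, and the result is the empty diagnose firewall auth list output shown in STEP 8. The last packet shows why the secrets in STEP 1 and STEP 3 have to match: a Stop record built with the wrong secret fails the authenticator check and does not clear the session. The same check protects the CoA direction, since the FortiGate drops a Disconnect-Request whose authenticator was not computed with its secret.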