Remote LDAP password change

Windows AD users can conveniently change their passwords without provision changes being made to the network by a Windows AD system administrator. There are three ways FortiAuthenticator supports a password change: RADIUS Login, GUI User Login, and GUI User Portal.

RADIUS Login

For the method to work, all of the following conditions must be met:

l FortiAuthenticator has joined the Windows AD domain l RADIUS client has been configured to “Use Windows AD domain authentication” l RADIUS authentication request uses MS-CHAPv2 l RADIUS client must also support MS-CHAPv2 password change

A “change password” response will be produced that FortiAuthenticator will recognize, which will allow cooperation between the NAS and the Windows AD server that will result in a password change.

GUI User Login

For this method to work, one of the following conditions must be met:

• FortiAuthenticator has joined the Windows AD domain
• Secure LDAP is enabled and the LDAP admin (i.e. regular bind) has the permissions to reset user passwords

You must log in via the GUI portal. FortiAuthenticator will validate the user password against a Windows AD server. The Windows AD server will return with a “change password” response. If that happens, the user will be prompted to enter a new password.

GUI User Portal

For this method to work, one of the following conditions must be met:

l FortiAuthenticator has joined the Windows AD domain l Secure LDAP is enabled

RADIUS service

Once successfully logged into the GUI, the user has access to the user portal. If desired, the user can change their password in the user portal.

RADIUS

If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers.This feature can also be used to migrate away from third party twofactor authentication platforms.

To add a remote RADIUS server entry:

1. Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
2. Enter the following information, then select OK to add the RADIUS server.

Name	Enter the name for the remote RADIUS server on FortiAuthenticator.
Primary Server	Enter the server name or IP address, port and secret in their requisite locations to configure the primary server.
Secondary Server	Optionally, add redundancy by configuring a secondary server.
User Migration	Select Enable learning mode to record and learn users that authenticate against this RADIUS server. This option should be enabled if you need to migrate users from the server to the FortiAuthenticator. Select View Learned Users to view the list of learned users. See Learned RADIUS users on page 131.

RADIUS service

Before the FortiAuthenticator unit can accept RADIUS authentication requests from a FortiGate unit, the FortiGate unit must be registered as a authentication client on the FortiAuthenticator unit.

The FortiAuthenticator RADIUS server is already configured and running with default values. Each user account on the FortiAuthenticator unit has an option to authenticate the user using the RADIUS database.

Every time there is a change to the list of RADIUS authentication clients, two log messages are generated: one for the client change, and one to state that the RADIUS server was restarted to apply the change.

FortiAuthenticator unit allows both RADIUS and remote authentication for RADIUS authentication client entries. If you want to use a remote server, you must configure it first so that you can be select it in the RADIUS authentication client configuration, see Remote authentication servers on page 88. You can configure the built-in LDAP server before or after creating client entries, see LDAP service on page 95.

 

RADIUS

Clients

RADIUS accounting client can be managed from Authentication > RADIUS Service > Clients.

Clients can be added, imported, deleted, edited, and cloned as needed.

To configure a RADIUS accounting client:

1. From the RADIUS client list, select Create New to add a new RADIUS client. The Add RADIUS client window opens.
2. Enter the following information:

Name	A name to identify the FortiGate unit.
Client name/IP	The FQDN or IP address of the unit.
Secret	The RADIUS passphrase that the FortiGate unit will use.
Description	Optionally, enter information about the FortiGate unit.
Authentication method	Select one of the following: l  Enforce two-factorauthentication l  Apply two-factorauthentication if available (authenticate any user) l  Password-only authentication (exclude users without a password) l  FortiToken-only authentication (exclude users without a FortiToken).
Username input format	Select one of the following three username input formats: l username@realm l realm\username l realm/username.
Realms	Add realms to which the client will be associated. See Realms on page 94. l Select a realm from the drop-down list in the Realm column. l  Select whether or not to allow local users to override remote users for the selected realm. l  Select whether or not to use Windows AD domain authentication. l  Edit the group filter as needed. That is, filter users based on the groups they are in. l  If necessary, add more realms to the list. l Select the realm that will be the default realm for this client.

RADIUS service

Allow MAC-based authentication	To allow 802.1X authentication for non- interactive devices, FortiAuthenticator can identify and bypass authentication for a device based on its MAC address. This is used for devices that do not allow the usual username or password input to perform 802.1X authentication, such as network printers. Enter these units in Authentication > User Management > MAC Devices. For more information, see MAC devices on page 72.
Require             Call- Check attribute for MAC-based auth	The FortiAuthenticator unit expects the username and password attributes to be set to the source MAC address. This option also requires a ServiceType attribute set to Call Check and a Calling-Station-Id attribute set to the source MAC address.
Check machine authentication	Select to check machine based authentication, and apply groups based on the success or failure of the authentication. See Machine authentication on page 53.
Override         group membership when	Select the conditions for when a group membership can be overridden from the Only machine-authenticated and Only user-authenticated drop-down lists.
EAP types	Select the 802.1X EAP authentication types to accept. If you require mutual authentication, select EAP- TLS. For more information, see EAP on page 101.

3. Select OK to add the new RADIUS client.

If authentication is failing, check that the authentication client is configured and that its IP address is correctly specified. Common causes of problems are: l RADIUS packets being sent from an unexpected interface, or IP address.

l NAT being performed between the authentication client and the FortiAuthenticator unit.

Client profile attributes

FortiAuthenticator supports a single authentication profile for each RADIUS Auth Client. Because of this, authentication requirements (for example IPSec/SSLVPN, Web Filtering Override, Wireless Authentication, and so on) require different profiles, as RADIUS authentication requests originate from the same IP address. To distinguish the authentication requirements, you can add attributes to them.

Attributes (which can be added to authentication requirements) indicate the type of service the user has requested, or the type of service to be provided.

Each FortiAuthenticator Auth Client Profile can contain up to two RADIUS Attributes.

To match a profile, all specified attributes in a profile must match, if not, the processing will fall to the next profile (processed in top down order).

RADIUS

The profiles created can be re-arranged in terms of priority. FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each profile, starting with the highest-priority profile, and moves down the list until it finds a match. FortiAuthenticator uses the first profile that it matches.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!