
Administration Guide

7.2.0

Winbind

Winbind is used only to validate MSCHAPv2 authentication requests against Active Directory. If a different scheme is used, such as EAP-TTLS/PAP or EAP-TLS, no Winbind configuration is required.

Note: FortiNAC cannot encrypt Winbind connections with LDAPS or STARTTLS.

Multiple Winbind instances can be created.

  1. Navigate to Network > RADIUS > Winbind to configure winbind settings.
  2. Service information is edited from the main Winbind view. Winbind Domain Configuration Details are edited by creating a new winbind, or selecting an existing one, and clicking Edit.
  3. Configure using the tables below.
Service Info

Field

Description

Toggle Service Status

Enable/Disable processing of MSCHAPv2 authentication requests.
Note: FortiNAC must be joined to the domain before starting the Winbind service.

Status
  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running

Domain Status
  • Winbind Domain: Displays
    • Not Joined if FortiNAC is not joined to any Active Directory domain through winbind
    • Joined if FortiNAC is joined to the domain
  • Domain Information: Displays detailed information about the join status of FortiNAC.
    • This information may still show the previous join details if FortiNAC is no longer joined to the domain. In that case, Winbind Domain displays "Not Joined" and the "Last machine account password changed" date shows 1969 or 1970. That date is the Unix epoch (an unset timestamp, rendered as 1969 in time zones west of UTC), not a real password change.

Details & Logs
  • Service Status: Displays full details of the service status.
    • Warnings of the form "Unknown value 'xxxxxx' in section 'yyyyyy'" can be ignored.
  • Service Log: Winbind log output.
  • Systemd Log: Systemd journal output. Useful if winbind will not start for some reason.

Winbind Domain Configuration Details

Field

Description

Name

Unique name used to identify the configuration. Only alphanumeric characters and underscore are allowed.

Local NetBIOS Name

NetBIOS name by which the FortiNAC Samba server is known. For High Availability configurations, this is the primary FortiNAC Samba server.

Example: FortiNAC FQDN = hostname.corp.example.com, Local NetBIOS Name = "HOSTNAME"

Note: the maximum length for a NetBIOS name is 15 characters.

Secondary (HA) NetBIOS Name

NetBIOS name by which the secondary FortiNAC Samba server is known. Used only in High Availability configurations.

Note: the maximum length for a NetBIOS name is 15 characters.

Domain NetBIOS Name

NetBIOS (pre-Windows 2000) name of your domain. This is normally the left-most label of the DNS domain name in upper case, but it is set independently in Active Directory and does not have to match the DNS name, so confirm it on a domain controller (for example, the NetBIOSName value returned by Get-ADDomain) rather than deriving it from DNS.

Note: Version F7.2.7 added support for ampersand (&) in Domain NetBIOS Names.

Examples:

Domain Controller Hostname = dc01.example.com, Domain NetBIOS Name = "EXAMPLE"

Domain Controller Hostname = dc01.corp.example.com, Domain NetBIOS Name = "CORP"

Kerberos Realm Name

The DNS-style domain name of the Active Directory domain, which is also its Kerberos realm (realm names are conventionally written in upper case).
Example: "example.com"

Domain Controller Hostname

Name of the domain controller(s) Samba uses for all username/password validation. Multiple servers may be specified as a comma-separated list, or * may be given so that Samba dynamically determines the best DC to contact.

Examples:

"dc01.example.com,dc02.example.com"

"*"

Log Level

The log level for the Winbind service. Recommended value is "none".

Join Domain

In order for Winbind authentication to work, FortiNAC must be joined to the domain. Configure the credentials for the account FortiNAC uses to join. These credentials are used for the join itself; after the join, winbind authenticates to the domain controllers with the machine account the join created, so an account delegated only the right to join computers to the domain is sufficient and is preferable to a Domain Admin account.

  • Username: User name FortiNAC uses to join the domain. Examples: trusted_user or trusted_user@example.com

  • Password: Password FortiNAC uses to join the domain

  • Keytab file: Select and upload a keytab file. This allows FortiNAC to join AD without entering the join account's password, and the keytab serves both RADIUS MSCHAPv2 authentication and Portal authentication using Kerberos.
