Fortinet Document Library


Administration Guide


Local Winbind Configuration

Winbind is used to provide MSCHAPv2 authentication only. If using a different scheme, such as EAP-TTLS/PAP or EAP-TLS, configuration is not required.

  1. Navigate to Network > RADIUS > Winbind to configure Winbind settings.
  2. Service information can be edited from the main Winbind view, while Winbind Domain Configuration Details can be configured by creating a winbind or selecting an existing one and selecting Edit.
  3. Configure using the table below.

Service Info

Field / Description

Toggle Service Status
    Enable/Disable processing of MSCHAPv2 authentication requests.
    Note: FortiNAC must be joined to the domain before starting the Winbind service.

Status
  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running

Domain Status
  • Winbind Domain: Displays
    • Not Joined if FortiNAC is not joined to any Active Directory through winbind
    • Joined if FortiNAC is joined to the domain
  • Domain Information: Displays the detailed information of the joined status of FortiNAC.
    • This information may still show the previous join information if FortiNAC is no longer joined to the domain. In this case, the Winbind Domain will display “Not Joined” and the “Last Machine account password changed” date will show 1969 or 1970.
  • Details & Logs
    • Service Status: Displays full details of the service status.
      • Warnings such as “Unknown value ‘xxxxxx’ in section ‘yyyyyy’” can be ignored.
    • Service Log: Winbind log output
    • Systemd Log: Systemd journal output. Useful if winbind will not start for some reason.

Winbind Domain Configuration Details

Field / Description

Name
    Unique name used to identify the configuration. Only alphanumeric characters and underscore are allowed.

Local NetBIOS Name
    Hostname (short name) of the FortiNAC server.
    Example: FortiNAC FQDN = hostname.corp.example.com, Local NetBIOS Name = "HOSTNAME"

Secondary (HA) NetBIOS Name
    NetBIOS name by which the FNAC Samba server is known.
    Note that the maximum length for a NetBIOS name is 15 characters. For high availability configurations, this is the primary FNAC Samba server.

Domain NetBIOS Name
    NetBIOS name of your domain. This is the subdomain of the DNS domain name.
    Examples:
    Domain Controller Hostname = dc01.example.com, Domain NetBIOS Name = "EXAMPLE"
    Domain Controller Hostname = dc01.corp.example.com, Domain NetBIOS Name = "CORP"

Kerberos Realm Name
    The DNS-style domain name.
    Example: “example.com”

Domain Controller Hostname
    The name or address of the Active Directory domain controller to use to authenticate.
    Example: “dc01.example.com”

Log Level
    The log level for the Winbind service. Recommended value is “none”.

Join Domain
    In order for Winbind authentication to work, FortiNAC must be joined to the domain. Configure the credentials for the account FortiNAC will use to join.
    • Username: User name FortiNAC uses to join the domain. Examples: trusted_user or trusted_user@example.com
    • Password: Password FortiNAC uses to join the domain
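
The field rules above can be checked before the values are entered, and the 1969/1970 date described under Domain Information can be used to flag leftover join data. The following is an added example, not Fortinet code: the dictionary keys, the sample values and the sample Domain Information line are constructed for illustration, and the NetBIOS derivations follow the examples given in the table.

```python
import ipaddress
import re

NETBIOS_MAX = 15  # maximum NetBIOS name length stated in the guide

def local_netbios(fqdn):
    """hostname.corp.example.com -> HOSTNAME (short host name)."""
    return fqdn.split(".")[0].upper()

def domain_netbios(dc_host):
    """dc01.corp.example.com -> CORP; None when the DC is given as an address."""
    try:
        ipaddress.ip_address(dc_host)
        return None
    except ValueError:
        labels = dc_host.split(".")
        return labels[1].upper() if len(labels) >= 3 else None

def validate(cfg):
    """Return a list of problems found in a dict of the form's field values."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_]+", cfg["name"]):
        problems.append("name: only alphanumeric characters and underscore allowed")
    for key in ("local_netbios", "secondary_netbios", "domain_netbios"):
        if len(cfg.get(key, "")) > NETBIOS_MAX:
            problems.append(f"{key}: exceeds {NETBIOS_MAX} characters")
    if cfg["local_netbios"].upper() != local_netbios(cfg["fqdn"]):
        problems.append("local_netbios: does not match short host name of FQDN")
    expected = domain_netbios(cfg["dc_hostname"])
    if expected and cfg["domain_netbios"].upper() != expected:
        problems.append(f"domain_netbios: expected {expected} from DC hostname")
    return problems

def join_info_is_stale(domain_info):
    """True when the password-change date shows 1969 or 1970 (leftover join data)."""
    for line in domain_info.splitlines():
        if "machine account password changed" in line.lower():
            return re.search(r"\b(1969|1970)\b", line) is not None
    return False

# Constructed sample values (hypothetical key names, not from a real deployment).
SAMPLE_CFG = {
    "name": "corp_winbind", "fqdn": "hostname.corp.example.com",
    "local_netbios": "HOSTNAME", "secondary_netbios": "FORTINAC-SECONDARY-NODE",
    "domain_netbios": "EXAMPLE", "dc_hostname": "dc01.corp.example.com",
}
SAMPLE_INFO = "Last Machine account password changed: Thu, 01 Jan 1970 00:00:00 UTC"

if __name__ == "__main__":
    for problem in validate(SAMPLE_CFG):
        print(problem)
    print("stale join info:", join_info_is_stale(SAMPLE_INFO))
```

A Domain NetBIOS Name mismatch is worth a second look rather than an automatic rejection, since the check only mirrors the naming pattern in the table's examples.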
