Fortinet black logo

Version:

9.4.0
9.2.0
9.1.0

Version:

8.8.0
8.7.0
8.6.0

Version:

8.5.2
8.3.0

Table of Contents

Administration Guide

9.4.0
9.4.0
9.2.0
9.1.0
8.8.0
8.7.0
8.6.0
8.5.2
8.3.0

Local Winbind Configuration

Note

FortiNAC is only capable of ntlm_auth in regards to winbind / mschap. Ensure your server is configured to allow.

Winbind is used to provide MSCHAPv2 authentication only. If using a different scheme, such as EAP-TTLS/PAP or EAP-TLS, configuration is not required.

Multiple Winbind instances can be created.

  1. Navigate to Network > RADIUS > Winbind to configure winbind settings.
  2. Service information can be edited from the main Winbind view while Winbind Domain Configuration Details can be configured by creating or selecting an existing winbind and selecting Edit.
  3. Configure using the table below.
Service Info

Field

Description
Toggle Service Status

Enable/Disable processing of MSCHAPv2 authentication requests
Note: FortiNAC must be joined to the domain before starting the Winbind service.
Status
  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot.
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running
Domain Status
  • Winbind Domain: Displays
    • Not Joined if FortiNAC is not joined to any Active Directory through winbind
    • Joined if FortiNAC is joined to the domain
  • Domain Information: Displays the detailed information of the joined status of FortiNAC.
    • This information may still show the previous join information if FortiNAC is no longer joined to the domain. In this case, the Winbind Domain will display “Not Joined” and the “Last Machine account password changed” date will show 1969 or 1970.
    • Details & Logs
    • Service Status: Displays full details of the service status.
      • Warnings such as ‘Unknown value ‘xxxxxx’ in section ‘yyyyyy’ can be ignored.

    • Service Log: Winbind log output

    • Systemd Log: Systemd journal output. Useful if winbind will not start for some reason.
    Winbind Domain Configuration Details

    Field

    Description

    Name

    		 Unique name used to identify the configuration. Only alphanumeric characters and underscore are allowed.

    Local NetBIOS Name

    NetBIOS name by which the FortiNAC Samba server is known. For High Availability configurations, this is the primary FortiNAC Samba server.

    Example: FortiNAC FQDN = hostname.corp.example.com, Local NetBIOS Name = "HOSTNAME"

    Note: the maximum length for a NetBIOS name is 15 characters.

    Secondary (HA) NetBIOS Name

    For FortiNAC High Availability configurations. NetBIOS name by which the secondary FortiNAC Samba server is known.

    Example: FortiNAC FQDN = hostname.corp.example.com, Local NetBIOS Name = "HOSTNAME"

    Note: the maximum length for a NetBIOS name is 15 characters.

    If High Availability is not used, this field is left blank.

    Domain NetBIOS Name

    		 NetBIOS name of your domain. This is the subdomain of the DNS domain name.
    Examples:
    Domain Controller Hostname = dc01.example.com, Domain NetBIOS Name = "EXAMPLE"
    Domain Controller Hostname = dc01.corp.example.com, Domain NetBIOS Name = "CORP"

    Kerberos Realm Name

    The DNS-style domain name.
    Example: “example.com”

    Domain Controller Hostname

    The name or address of the Active Directory domain controller to use to authenticate.
    Example: “dc01.example.com”

    Note: One server is allowed per domain.

    Log Level

    		The log level for the Winbind service. Recommended value is “none”.

    Join Domain

    In order for Winbind authentication to work, FortiNAC must be joined to the domain. Configure the credentials for the account FortiNAC will use to join.

    • Username: User name FortiNAC uses to join the domain. Examples: trusted_user or trusted_user@example.com

    • Password: Password FortiNAC uses to join the domain

    • Keytab file: Select and upload a keytab file. This allows AD joins without needing to type in the admin account password for use by both RADIUS MSCHAPv2 authentication and Portal authentication using Kerberos.
    Previous
    Next

    Local Winbind Configuration

    Note

    FortiNAC is only capable of ntlm_auth in regards to winbind / mschap. Ensure your server is configured to allow.

    Winbind is used to provide MSCHAPv2 authentication only. If using a different scheme, such as EAP-TTLS/PAP or EAP-TLS, configuration is not required.

    Multiple Winbind instances can be created.

    1. Navigate to Network > RADIUS > Winbind to configure winbind settings.
    2. Service information can be edited from the main Winbind view while Winbind Domain Configuration Details can be configured by creating or selecting an existing winbind and selecting Edit.
    3. Configure using the table below.
    Service Info

    Field

    Description
    Toggle Service Status

    Enable/Disable processing of MSCHAPv2 authentication requests
    Note: FortiNAC must be joined to the domain before starting the Winbind service.
    Status
    • Enabled Status: Displays
      • Enabled if the service is configured to run on boot.
      • Disabled if the service is not configured to run on boot
    • Running Status: Displays
      • Running if the service is running
      • Stopped if the service is not running
    Domain Status
  • Winbind Domain: Displays
    • Not Joined if FortiNAC is not joined to any Active Directory through winbind
    • Joined if FortiNAC is joined to the domain
  • Domain Information: Displays the detailed information of the joined status of FortiNAC.
    • This information may still show the previous join information if FortiNAC is no longer joined to the domain. In this case, the Winbind Domain will display “Not Joined” and the “Last Machine account password changed” date will show 1969 or 1970.
    • Details & Logs
    • Service Status: Displays full details of the service status.
      • Warnings such as ‘Unknown value ‘xxxxxx’ in section ‘yyyyyy’ can be ignored.

    • Service Log: Winbind log output

    • Systemd Log: Systemd journal output. Useful if winbind will not start for some reason.
    Winbind Domain Configuration Details

    Field

    Description

    Name

    		 Unique name used to identify the configuration. Only alphanumeric characters and underscore are allowed.

    Local NetBIOS Name

    NetBIOS name by which the FortiNAC Samba server is known. For High Availability configurations, this is the primary FortiNAC Samba server.

    Example: FortiNAC FQDN = hostname.corp.example.com, Local NetBIOS Name = "HOSTNAME"

    Note: the maximum length for a NetBIOS name is 15 characters.

    Secondary (HA) NetBIOS Name

    For FortiNAC High Availability configurations. NetBIOS name by which the secondary FortiNAC Samba server is known.

    Example: FortiNAC FQDN = hostname.corp.example.com, Local NetBIOS Name = "HOSTNAME"

    Note: the maximum length for a NetBIOS name is 15 characters.

    If High Availability is not used, this field is left blank.

    Domain NetBIOS Name

    		 NetBIOS name of your domain. This is the subdomain of the DNS domain name.
    Examples:
    Domain Controller Hostname = dc01.example.com, Domain NetBIOS Name = "EXAMPLE"
    Domain Controller Hostname = dc01.corp.example.com, Domain NetBIOS Name = "CORP"

    Kerberos Realm Name

    The DNS-style domain name.
    Example: “example.com”

    Domain Controller Hostname

    The name or address of the Active Directory domain controller to use to authenticate.
    Example: “dc01.example.com”

    Note: One server is allowed per domain.

    Log Level

    		The log level for the Winbind service. Recommended value is “none”.

    Join Domain

    In order for Winbind authentication to work, FortiNAC must be joined to the domain. Configure the credentials for the account FortiNAC will use to join.

    • Username: User name FortiNAC uses to join the domain. Examples: trusted_user or trusted_user@example.com

    • Password: Password FortiNAC uses to join the domain

    • Keytab file: Select and upload a keytab file. This allows AD joins without needing to type in the admin account password for use by both RADIUS MSCHAPv2 authentication and Portal authentication using Kerberos.
    Previous
    Next