Administration Guide

Configuring LDAP and RADIUS Authentication

FortiRecorder supports both LDAP and RADIUS configuration.

Configuring RADIUS authentication

In addition to local users, FortiRecorder supports RADIUS user authentication. RADIUS authentication profiles are referenced when adding user accounts.

To configure a RADIUS query

  1. Go to System > Authentication > RADIUS.
  2. Select New.
  3. Configure the following settings:

    Setting Name

    Description

    Profile name

    Enter a name (such as RADIUS-query) that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

    Server name/IP

    Enter the fully qualified domain name (FQDN) or IP address of the RADIUS server that will be queried when an account referencing this profile attempts to authenticate.

    Server port

    Enter the port number on which the authentication server listens for queries.

    The IANA standard port number for RADIUS is 1812.

    Protocol

    Select which authentication method is used by the RADIUS server:

    • Password Authentication (PAP)
    • Challenge Handshake Authentication (CHAP)
    • Microsoft Challenge Handshake Authentication (MS-CHAP)
    • Microsoft Challenge Handshake Authentication V2 (MS-CHAPv2)
    • Default Authentication Scheme

    NAS IP/Called station ID

    Type the NAS IP address or Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address of the FortiRecorder network interface used to communicate with the RADIUS server will be applied.

    Server secret

    Type the secret required by the RADIUS server. It must be the same as the secret that is configured on the RADIUS server.

    Server requires domain

    Enable if the authentication server requires that users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).

  4. Select OK.

    To test the query, select this profile when configuring an account, then attempt to authenticate using that account’s credentials.
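The following is an added example written for this page, not FortiRecorder code, that models the one part of a RADIUS exchange the Server secret governs: a NAS builds an Access-Request whose User-Password is hidden as RFC 2865 describes for Password Authentication (PAP), the server unhides it and answers, and the NAS checks the Response Authenticator on that answer. The secrets, user name, password and NAS IP address (192.0.2.10) are constructed sample values, and the function names are this example's own. With matching secrets the server recovers the password and the reply verifies; with a mismatch the server sees an unusable password (an Access-Reject) and the NAS cannot verify the reply, which is the symptom to expect when logins fail right after a profile or server change.

```python
"""RFC 2865 Access-Request / Access-Accept exchange with PAP password hiding.
Added example for this page, not FortiRecorder code; all secrets and user data are constructed."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-octet authenticator follows


def _attr(atype, value):
    """Encode one type-length-value attribute (value at most 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode an attribute list into {type: value}, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR 16-octet blocks with MD5(secret + previous block);
    the first block is keyed by the Request Authenticator."""
    pw = password.encode("utf-8")
    if len(pw) > 128:
        raise ValueError("password longer than 128 octets")
    pw += b"\x00" * (16 if not pw else (-len(pw)) % 16)  # pad to a non-empty multiple of 16
    hidden, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(pw[i:i + 16], block))
        hidden += prev
    return hidden


def unhide_password(hidden, secret, request_auth):
    """Server side: invert hide_password (the chain is keyed by the hidden blocks)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(prev, block))
    return clear.rstrip(b"\x00").decode("utf-8", errors="replace")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """NAS side: Access-Request with a fresh random Request Authenticator."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username.encode("utf-8"))
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Access-Accept or Access-Reject bound to the request it answers."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """NAS side: accept a reply only if its authenticator was computed with our secret."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def simulate_exchange(nas_secret, server_secret, username="user1", password="correct-horse"):
    """One exchange in memory; returns (server decision, whether the NAS could verify it).
    The expected password stands in for the server's user database (constructed)."""
    req = build_access_request(7, username, password, nas_secret, "192.0.2.10")
    request_auth = req[4:20]
    recovered = unhide_password(parse_attrs(req[20:])[ATTR_USER_PASSWORD], server_secret, request_auth)
    accepted = hmac.compare_digest(recovered.encode("utf-8"), password.encode("utf-8"))
    resp = build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, 7, request_auth, server_secret)
    return resp[0], verify_response(resp, request_auth, nas_secret)
```

Calling simulate_exchange(b"s3cret-sample", b"s3cret-sample") returns (1, True), an Access-Accept the NAS can verify; simulate_exchange(b"s3cret-sample", b"typo-sample") returns (3, False). Only PAP is modelled; the CHAP and MS-CHAP entries in the Protocol list use a challenge exchange that this code does not show. The hiding is an MD5 keystream keyed by the shared secret rather than modern encryption, which is why the secret should be long and random and why the path between FortiRecorder and the RADIUS server belongs on a trusted network.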

Configuring LDAP Authentication

FortiRecorder supports LDAP user authentication. You will use the LDAP authentication profiles when you add user accounts.

To configure an LDAP query

  1. Go to System > Authentication > LDAP.
  2. Select New.
  3. Configure the following settings:

    Setting Name

    Description

    Profile name

    Type a name (such as LDAP-query) that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

    Server name/IP

    Type the fully qualified domain name (FQDN) or IP address of the LDAP or Active Directory server that will be queried when an account referencing this profile attempts to authenticate.

    Fallback server name/IP

    Type the fully qualified domain name (FQDN) or IP address of a secondary LDAP or Active Directory server, if any, that can be queried if the primary server fails to respond within the threshold configured in Timeout.

    Port

    Type the port number on which the authentication server listens for queries.

    The IANA standard port number for LDAP is 389. LDAPS (SSL/TLS-secured LDAP) is 636.

    Use secure connection

    If your directory server uses SSL to encrypt query connections, select SSL then upload the certificate of the CA that signed the LDAP server’s certificate (see “Uploading trusted CAs’ certificates”).

    Base DN

    Enter the distinguished name (DN) of the part of the LDAP directory tree within which FortiRecorder will search for user objects, such as ou=People,dc=example,dc=com. User objects should be child nodes of this location.

    Bind DN

    Enter the bind DN, such as cn=FortiRecorderA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN.

    Leave this field blank if you have enabled Allow unauthenticated bind.

    Bind password

    Enter the password of the Bind DN.

    Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree.

    Browsing the LDAP tree can be useful if you need to locate your Base DN or look up attribute names.

    Before browsing, first configure Server name/IP, Use secure connection, Bind DN and Bind password, then click Create or OK. These fields provide the minimum information required to establish the directory browsing connection.

    LDAP user query

    Enter an LDAP query filter that selects a set of user objects from the LDAP directory.

    The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.

    For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

    (& (objectClass=inetOrgPerson) (mail=$m))

    where $m is the FortiRecorder variable for a user's email address.

    This option is pre-configured and read-only if you have selected from Schema any schema style other than User Defined.

    For details on query syntax, refer to any standard LDAP query filter reference manual.

    Scope

    Select which level of depth to query, starting from Base DN.

    • One level — Query only the one level directly below the Base DN in the LDAP directory tree.
    • Subtree — Query recursively all levels below the Base DN in the LDAP directory tree.

    Derefer

    Select when, if ever, to dereference attributes whose values are references.

    • Never — Do not dereference.
    • Always — Always dereference.
    • Search — Dereference only when searching.
    • Find — Dereference only when finding the base search object.

    User Authentication Options

    Select how, if the query requires authentication, the FortiRecorder appliance will form the bind DN. The default setting is the third option: Search user and try bind DN.

    • Try UPN or email address as bind DN — Select to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principal Name (UPN, such as example.com).

      By default, the FortiRecorder appliance will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.
    • Try common name with base DN as bind DN — Select to form the user’s bind DN by combining the user’s common name with the Base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid, into the field.
    • Search user and try bind DN — Select to form the user’s bind DN by using the DN retrieved for that user by User Query Options.

    Allow Access Control Attribute

    Select this option to define the access control attribute.

    Allow Admin Profile Attribute

    Select this option to define the admin profile.

    Notification Options

    Select the “Allow notification attributes” option to enable notifications.

    FortiRecorder supports the following notifications:

    • Email attribute: This attribute specifies the user’s email address for notifications.
    • SMS profile attribute: This attribute specifies which SMS profile the user will use. The SMS profile attribute must match the name of the profile configured in FortiRecorder.
    • SMS number attribute: This attribute specifies the user SMS number for notification. The number format must be the same as the number in the user entry settings.
    • Method attribute: This attribute specifies the method used to notify a user. The two valid entries are “email” and “sms”.
    • Embedded email images attribute: This attribute specifies whether images are included in email messages to the user. The two valid entries are “yes” and “no”.

    Timeout

    Type the number of seconds that the FortiRecorder appliance will wait for a reply to the query before assuming that the primary LDAP server has failed, and will therefore query the secondary LDAP server.

    The default value is 20.

    Protocol version

    Select the LDAP protocol version (either 2 or 3) used by the LDAP server.

    Allow unauthenticated bind

    Enable to allow unauthenticated bind.

    Enable cache

    Enable to cache LDAP query results.

    Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiRecorder appliance begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

    If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

    TTL

    Enter the amount of time, in minutes, that the FortiRecorder unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiRecorder appliance to query the LDAP server, refreshing the cache.

    The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching.

    This option is applicable only if Enable cache is enabled.

  4. Select Create.

    To test the query, configure an account where this profile is used, then attempt to authenticate using that account’s credentials.

    Alternatively, click the row to select the query, select Edit, then select Test LDAP Query. From the Select query type drop-down list, choose Authentication, then complete the Password and Mail address fields that appear. Select Test. After a few seconds, a dialog should appear to let you know that either the query succeeded, or the reason for its failure, such as a connectivity error.
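The following is an added example, written for this page and not FortiRecorder code, covering two of the settings above: the LDAP user query, where $m is replaced by the authenticating user's email address, and the User Authentication Options, which form a bind DN from the $u user-name portion, the UPN suffix or the common name plus the Base DN. It shows what a correct substitution has to do: escape the address per RFC 4515 before it enters the filter, and escape the user part per RFC 4514 before it becomes an RDN. The FortiRecorder appliance performs its own substitution and is not modelled here; the function names are this example's own, and the second address in the demonstration is a constructed edge case.

```python
"""Filter and DN construction for the $m / $u placeholders of an LDAP profile.
Added example for this page, not FortiRecorder code; escaping per RFC 4515 and RFC 4514."""

# The page's example filter; $m is replaced by the authenticating user's e-mail address.
USER_QUERY_TEMPLATE = "(& (objectClass=inetOrgPerson) (mail=$m))"

FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value):
    """RFC 4515 section 3: hex-escape the characters that are special in an assertion value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_query_naive(template, email):
    """Plain replacement: an address containing filter metacharacters changes the filter."""
    return template.replace("$m", email)


def render_user_query(template, email):
    """Escaped replacement: the address can only ever match the mail attribute literally."""
    return template.replace("$m", escape_filter_value(email))


def escape_dn_value(value):
    """RFC 4514 section 2.4: escape an attribute value for use inside a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_candidates(email, base_dn, cn_attr="cn", alt_upn_suffix=None, searched_dn=None):
    """The bind name each User Authentication Option would try, keyed by option.

    $u is the user-name part of the address. The UPN suffix defaults to the mail
    domain unless an Alternative UPN suffix is given; 'search' is the DN that the
    user query returned for this user (None if no search has been run)."""
    user, _, mail_domain = email.partition("@")
    return {
        "upn": f"{user}@{alt_upn_suffix or mail_domain}",
        "common_name": f"{cn_attr}={escape_dn_value(user)},{base_dn}",
        "search": searched_dn,
    }


if __name__ == "__main__":
    for addr in ("user1@example.com", "user1*"):  # second address is a constructed edge case
        print("naive:  ", render_user_query_naive(USER_QUERY_TEMPLATE, addr))
        print("escaped:", render_user_query(USER_QUERY_TEMPLATE, addr))
    print(bind_dn_candidates("user1@example.com", "ou=People,dc=example,dc=com"))
```

For the address user1@example.com both renderings give the page's filter unchanged. For the constructed address user1* the naive rendering yields (mail=user1*), a prefix match on every address starting with user1, while the escaped rendering yields (mail=user1\2a), an equality test on the literal string; the same holds for parentheses and backslashes. When the common-name option builds cn=<user>,<Base DN>, a comma or plus sign in the user part must be escaped in the same way or the DN gains an extra RDN. The point to carry over when checking a profile is that an equality filter should stay an equality filter whatever the directory returns or the user types.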
