Authentication Sources and Access
In Authentication Sources and Access, you control network access for the users and devices in your network. FortiSASE authentication controls access by user group: by assigning each user to the appropriate user groups, you control that user's access to network resources. You can define local users and remote users in FortiSASE, and you can integrate user accounts held on remote authentication servers and connect those servers to FortiSASE.
The following summarizes the provisioning process for different user types on FortiSASE:
| User type | Provisioning process |
|---|---|
| LDAP | Configure remote users over LDAP to integrate FortiSASE with a Windows Active Directory (AD) server or another LDAP server. You can invite users in one of the following ways: See Configuring FortiSASE with an LDAP server for remote user authentication in SWG agentless mode. |
| RADIUS | Configure remote authentication with a RADIUS server. You can allow all users from the RADIUS server or define a group in Configuration > Users. Send the invitation code to users using the Onboard Users button. See Configuring FortiSASE with a RADIUS server for remote user authentication. |
| Single sign-on (SSO) | Configure an SSO connection with an authentication server such as Entra ID or Okta, where Entra ID or Okta is the identity provider (IdP) and FortiSASE is the service provider (SP). You can allow all users from the IdP or define a group in Configuration > Users. Send the invitation code to users using the Onboard Users button. See: |
| Local | Define users in Configuration > Users and send the invitation to them directly. See Users. |
FortiSASE can connect to DNS, RADIUS, or LDAP servers that have internal IP addresses or internal FQDNs only when all of the following are true:

- Access Type is set to Private in the RADIUS or LDAP server settings.
- The internal servers are located behind a secure private access (SPA) hub.
- The SPA hub in FortiSASE has been configured with BGP per overlay.

Implicit and split DNS rules for VPN traffic that are configured with internal IP addresses work with SPA hubs configured with any BGP routing design, not only BGP per overlay.

The FortiSASE Endpoint Management Service does not use the SPA hub path. When it uses AD servers with Groups & AD Users for endpoint profile assignments, the Server address in the AD connection must be a public IP address or a publicly accessible FQDN; making an internal AD server reachable in this way may require configuration or topology changes on your side.

The FortiSASE Endpoint Management Service does not support importing an LDAP subdomain if you have already imported its LDAP parent domain.
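The reachability rules above are easy to get wrong when several authentication sources are configured at once, so the following pre-flight check walks an inventory of sources and reports which ones violate them. This is an added example, not FortiSASE code or any FortiSASE API: the record fields (`kind`, `access_type`, `behind_spa_hub`, `hub_bgp_per_overlay`), the list of "internal" hostname suffixes, and the sample inventory are all assumptions constructed for illustration. Address classification uses `ipaddress.is_global`, so RFC 1918, loopback, link-local, and CGNAT ranges are all treated as internal.

```python
"""Pre-flight check of authentication-source addresses against the
reachability rules in the text above.

Added example, not FortiSASE's own code or API. Field names and the
internal-suffix heuristic are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: hostnames under these suffixes cannot be resolved from the internet.
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".home.arpa")


@dataclass
class AuthSource:
    name: str
    kind: str                          # "ldap", "radius", "dns", or "ems-ad"
    address: str                       # IP literal or FQDN as entered in the settings
    access_type: str = "public"        # "public" or "private" (LDAP/RADIUS setting)
    behind_spa_hub: bool = False       # server sits behind a secure private access hub
    hub_bgp_per_overlay: bool = False  # SPA hub is configured with BGP per overlay


def is_internal_address(address: str) -> bool:
    """True for non-global IPs and for internal-looking hostnames."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        host = address.rstrip(".").lower()
        # Single-label names and internal suffixes are not publicly resolvable.
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)
    # is_global is False for private, loopback, link-local, CGNAT and test ranges.
    return not ip.is_global


def check_source(src: AuthSource) -> tuple[bool, str]:
    """Return (ok, reason) for one configured authentication source."""
    if not is_internal_address(src.address):
        return True, "public address: reachable directly"
    if src.kind == "ems-ad":
        # Endpoint Management Service AD connections do not go via the SPA hub.
        return False, ("Endpoint Management Service AD connection needs a public IP "
                       "or publicly accessible FQDN")
    if src.kind in ("ldap", "radius") and src.access_type != "private":
        return False, "internal address requires Access Type = Private"
    if not src.behind_spa_hub:
        return False, "internal address requires the server to sit behind an SPA hub"
    if not src.hub_bgp_per_overlay:
        return False, "SPA hub must be configured with BGP per overlay"
    return True, "internal address reachable via SPA hub (BGP per overlay)"


def audit(sources: list[AuthSource]) -> dict[str, tuple[bool, str]]:
    """Check every source and return {name: (ok, reason)}."""
    return {s.name: check_source(s) for s in sources}


# Constructed sample inventory; none of these hosts or addresses are real.
SAMPLE_SOURCES = [
    AuthSource("dc01-ldap", "ldap", "10.10.1.5", "private", True, True),
    AuthSource("dc01-ldap-public-type", "ldap", "10.10.1.5", "public", True, True),
    AuthSource("radius-hub-no-bgp", "radius", "radius.corp", "private", True, False),
    AuthSource("public-ldap", "ldap", "ldap.example.com"),
    AuthSource("ems-ad-internal", "ems-ad", "dc01.corp.local"),
    AuthSource("ems-ad-public", "ems-ad", "93.184.216.34"),
]

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_SOURCES).items():
        print(f"{'OK ' if ok else 'BAD'} {name}: {reason}")
```

The hostname heuristic is deliberately conservative: a name that is not an IP literal and does not carry one of the internal suffixes is reported as public, so a split-horizon name that only resolves inside the corporate network will pass this check and must still be verified by resolving it from outside.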
The Onboard Users button, available from the Remote User Management widget on the Status dashboard, sends an email inviting users to FortiSASE. Users register their FortiClient with FortiClient Cloud by following the instructions in the invitation email. The invitation only enrolls the endpoint: you must still provision users through one of the methods above to give them access to VPN and other FortiSASE resources.