RADIUS Authentication problems with some Domains



In our company, we've got a MultiDomain Server with many domains inside it and I'm facing a really strange problem ...

Today, I've configured the access via a Radius Server (FortiAuthenticator), which is NOW redirecting the authentication requests to a Domain Controller. Furthermore, before today, we could enter the MDS using local users placed on the FortiAuthenticator. Let's say I've just added a new step between the FortiAuthenticator and the Domain Controller, before that, the authentication was just made by the FortiAuthenticator (configured as a Radius Server in the MDS).

Additionally, in our company we've got a HA solution based on Active-Passive nodes, and two environments, let's call them North and South. Here is the thing: when I access the MDS with my Domain Controller username I can log into the Northern Nodes, but not into the Southern Nodes. Instead I got prompted with "Failed to connect to the server ...". Am I missing something? Is this a network problem, routing, firewalls... ? I don't really know how the authentication flows, so it might be.

Thank you!!!



Your description is a little confusing.
So you have two MDS environments you're referring to as North and South.
They are set to authenticate via RADIUS to FortiAuthenticator which, it sounds like, is now talking to Active Directory.
When you use your AD account on North, it's fine, but on South, it's not, and you get the "Failed to connect to server" message.

If it's SmartConsole you're seeing that in, make sure you have connectivity on TCP ports 443, 18191, and 19009 to the relevant IP addresses.
Without that, nothing will authenticate.
Then I would check for RADIUS packets from the South nodes towards FortiAuthenticator.
Then of course check FortiAuthenticator to see if/how it authenticated the user.
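As an added example (not from the thread), a small shell helper for the two checks suggested above: a TCP connectivity test on the SmartConsole ports 443, 18191 and 19009, and a capture of RADIUS packets from a South node towards FortiAuthenticator. The IP addresses are placeholders, and UDP 1812 is assumed to be the RADIUS authentication port in use.

```shell
#!/bin/bash
# Added troubleshooting helpers for the checks suggested in the reply.
# Not from the original thread. Host/IP values are placeholders (assumption).

# Try a TCP connect to host:port with a timeout, using bash's /dev/tcp.
# Exit status 0 if the port accepted the connection, 1 otherwise.
check_tcp_port() {
    local host=$1 port=$2 timeout_s=${3:-3}
    if timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "$host:$port open"
        return 0
    fi
    echo "$host:$port closed or filtered"
    return 1
}

# Check the SmartConsole ports named in the reply (443, 18191, 19009)
# against one management address; per-port results go to stderr and
# the number of ports that failed is printed to stdout.
count_failed_mds_ports() {
    local host=$1 failed=0 port
    for port in 443 18191 19009; do
        check_tcp_port "$host" "$port" >&2 || failed=$((failed + 1))
    done
    echo "$failed"
}

# Capture RADIUS traffic between this node and FortiAuthenticator.
# Run on the South node itself (needs root). 1812 is the RADIUS default
# authentication port (assumption); adjust if FortiAuthenticator listens elsewhere.
capture_radius() {
    local fac_ip=$1 count=${2:-20}
    tcpdump -ni any -c "$count" "udp port 1812 and host $fac_ip"
}

# Example usage (placeholder addresses, replace with your own):
#   count_failed_mds_ports 192.0.2.10
#   capture_radius 192.0.2.20
```

If the port check reports "closed or filtered" from the South nodes only, the difference between the two environments is on the network path rather than in FortiAuthenticator.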

Sorry if my description of the problem is a little bit confusing; this environment is itself!

I'll clarify the matter: I've got one MDS, from where I can connect to every single domain, no matter if it's placed on north or south.

The RADIUS part you explain in your post is right, but I want to add that FortiAuthenticator is talking to the AD, and also it allows you to authenticate via local users (users created locally in the FortiAuthenticator), at the same time.

Now that this part is "clear", I'm able to authenticate to every domain, both north and south, using my username created locally on the FortiAuthenticator, but when I access the MDS through my "remote" username, placed on the AD, I'm able to authenticate and log into the North Domains only.

I'll check all the communications again and see if I'm missing something.

Thank you very much for your reply!

