Fortinet offers several authentication options across its FortiGate and FortiAuthenticator products, but deciding which one fits a given environment can be difficult. This post goes over the different options.
Authentication methods
FG with Captive Portal
This is explicit (not transparent) authentication, but it requires no additional infrastructure and can even work without LDAP or RADIUS, using local users. Recommended for guest networks or environments with little infrastructure.
FG with LDAP Polling
This is the most basic SSO solution: only the firewall queries LDAP to resolve the user name. Its advantage is that no agents need to be deployed; its disadvantage is that it does not scale to very large or complex environments, so it is usually used in small deployments.
FG with DC-Agent (TS-Agent and other agents)
In this deployment, dedicated agents are installed on the Domain Controllers and Terminal Servers to track user mobility. The Collector (deployed on a server or a Windows PC) gathers all user logon information and forwards it to the FortiGate. This solution covers 80% or more of the roaming requirements of ordinary projects that are not overly complex (one or two domains).
FAC as a Collector
Adding FortiAuthenticator gives us finer control over the management of domains and multiple FortiGate clusters, and lets us correlate these users with other sources such as LDAP, RADIUS or another application that manages their authentication. It also adds guest tools and facilitates the management of 2FA tokens.
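The following FortiOS CLI fragments are an added example, not configuration from the original post, and show the FortiGate-side objects behind the four options above: an LDAP server (used by the captive portal and for group lookups), agentless polling, an FSSO collector entry (the same object whether a Windows Collector Agent or a FortiAuthenticator is acting as collector), and the groups and policies that consume them. All addresses (192.0.2.x), object names, DNs, interface names and the <password>/<shared-secret> values are placeholders.

```fortios
# Added example (not from the post). Placeholders: 192.0.2.x addresses,
# object names, DNs, interface names, <password> and <shared-secret>.

# 1. LDAP server object. LDAPS on 636 keeps the bind credentials and the
#    users' captive-portal passwords off the wire in clear text.
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"
        set port 636
        set secure ldaps
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service,DC=example,DC=com"
        set password "<password>"
    next
end

# 2a. "FG with LDAP Polling": the FortiGate reads logon events from the DC
#     itself with a low-privilege account and uses AD-LDAP for group lookups.
config user fsso-polling
    edit 1
        set status enable
        set server "192.0.2.10"
        set user "svc-fortigate"
        set password "<password>"
        set ldap-server "AD-LDAP"
    next
end

# 2b. "FG with DC-Agent" or "FAC as a Collector": the FortiGate only talks to
#     the collector; point it at the Collector Agent host or the FAC.
config user fsso
    edit "collector"
        set server "192.0.2.20"
        set password "<shared-secret>"
    next
end

# 3. Groups. FSSO groups are learned from the collector/polling; a firewall
#    group whose member is the LDAP server is what triggers the captive portal.
config user group
    edit "FSSO-Staff"
        set group-type fsso-service
        set member "CN=Staff,OU=Groups,DC=example,DC=com"
    next
    edit "LDAP-Guests"
        set member "AD-LDAP"
    next
end

# 4. Policies. Policy 10 is transparent SSO for staff; policy 11 is the
#    "FG with Captive Portal" case on the guest interface.
config firewall policy
    edit 10
        set name "Staff-SSO-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-Staff"
        set nat enable
    next
    edit 11
        set name "Guest-Portal-to-Internet"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP-Guests"
        set nat enable
    next
end
```

After applying, `diagnose test authserver ldap AD-LDAP <user> <password>` confirms the bind and group lookup, and `diagnose debug authd fsso list` shows the IP-to-user mappings the FortiGate has learned. Keep in mind that both the polling and the agent options enforce identity by IP address: on a DHCP network a mapping that outlives the user's session can be inherited by the next host that gets that address, which is exactly the consistency problem the roaming section below describes.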
We can cover any authentication method with these 4 solutions, but we still need to deal with the roaming issue. In some networks, computers authenticate in one environment (for example, LAN) and then perform another authentication in another environment (for example, WiFi).
Maintaining consistency between both authentications can be complex on some networks, so Fortinet has the following tools depending on scenarios.
In any case, keep in mind that FortiAuthenticator will facilitate deployment in environments with the following conditions:
- 2FA in general.
- Complex multi-domain environments.
- Environments with several authentication sources (for example AD + OpenLDAP + RADIUS/802.1X).
- Environments with a non-standard authentication source (for example a non-LDAP/RADIUS source such as SAML, Citrix, Google, O365, etc.).
- Environments with mobility in which an immediate roaming between two authentications is needed.