Description
This article describes how to integrate a remote authentication server that is reachable only through a VPN tunnel.
Solution
Consider the topology below, where the remote authentication server (LDAP, RADIUS, FSSO or TACACS+) with IP 192.168.1.10 is located behind FortiGate2.
The remote authentication server is to be integrated on FortiGate1.
FortiGate1 and FortiGate2 are connected via a site-to-site VPN.
192.168.2.0/24 - - - - 192.168.2.1-FortiGate1 - - - - - Site to Site VPN - - - - - FortiGate2-192.168.1.1 - - - - 192.168.1.0/24
In this scenario, because the server sits at the far end of the VPN between the two devices, set “source-ip” to the FortiGate's internal (LAN-side) IP address so that the connection to the server is established through the tunnel. This setting is available only in the CLI.
The configuration for each type of remote authentication server is as follows:
1) LDAP:
config user ldap
    edit LDAP-Server
        set server 192.168.1.10
        set source-ip 192.168.2.1
    next
end
2) FSSO (the FSSO agent is configured across the tunnel):
config user fsso
    edit FSSO-Agent
        set server 192.168.1.10
        set source-ip 192.168.2.1
    next
end
3) TACACS+:
config user tacacs+
    edit TACACS-Server
        set server 192.168.1.10
        set source-ip 192.168.2.1
    next
end
4) RADIUS:
config user radius
    edit RADIUS-Server
        set server 192.168.1.10
        set source-ip 192.168.2.1
    next
end
Note: If source-ip is NOT configured, a “Server Unreachable” error is seen.
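The following is an added pre-deployment check, not part of the original article or of FortiOS: it verifies that the chosen source-ip and the server address fall inside the tunnel's phase 2 selectors (the reason the internal IP works and an address outside the selectors does not), and renders the matching FortiOS CLI for each server type. The phase 2 selectors and the WAN address 203.0.113.5 are constructed assumptions; the script only reasons about addresses and prints CLI text, it does not talk to a FortiGate.

```python
"""
Check that a remote authentication server reached across a site-to-site VPN is
configured with a source-ip that the tunnel's phase 2 selectors actually carry,
then emit the FortiOS CLI block for it.

Assumed values (constructed for this example, not taken from the article):
the phase 2 selectors are taken to match the two LANs in the topology, and
203.0.113.5 stands in for FortiGate1's WAN address.
"""
import ipaddress

# Topology from the article: LAN behind FortiGate1 (192.168.2.0/24) and LAN
# behind FortiGate2 (192.168.1.0/24). Phase 2 selectors are assumed to match.
PHASE2_LOCAL = ipaddress.ip_network("192.168.2.0/24")
PHASE2_REMOTE = ipaddress.ip_network("192.168.1.0/24")

AUTH_SERVER = "192.168.1.10"       # server behind FortiGate2 (from the article)
FGT1_INTERNAL_IP = "192.168.2.1"   # the source-ip the article says to set
FGT1_WAN_IP = "203.0.113.5"        # constructed: an address outside the selectors

# FortiOS config table and object name per server type, as used in the article.
CLI_TABLES = {
    "ldap": ("user ldap", "LDAP-Server"),
    "fsso": ("user fsso", "FSSO-Agent"),
    "tacacs+": ("user tacacs+", "TACACS-Server"),
    "radius": ("user radius", "RADIUS-Server"),
}


def covered_by_tunnel(source_ip, server_ip,
                      local_sel=PHASE2_LOCAL, remote_sel=PHASE2_REMOTE):
    """True when the source/destination pair is matched by the phase 2
    selectors (local -> remote). Traffic outside the selectors is not carried
    by the tunnel, which is what produces 'Server Unreachable'."""
    return (ipaddress.ip_address(source_ip) in local_sel
            and ipaddress.ip_address(server_ip) in remote_sel)


def render_cli(kind, server_ip, source_ip=None):
    """Render the FortiOS CLI block for one server type; source-ip is optional
    so the 'missing source-ip' case can be shown as well."""
    table, name = CLI_TABLES[kind]
    lines = [f"config {table}",
             f"    edit {name}",
             f"        set server {server_ip}"]
    if source_ip:
        lines.append(f"        set source-ip {source_ip}")
    lines += ["    next", "end"]
    return "\n".join(lines)


def plan(kind, server_ip, source_ip):
    """Validate the source-ip against the tunnel selectors before rendering.
    Raises ValueError when the pair would not be carried by the VPN."""
    if not covered_by_tunnel(source_ip, server_ip):
        raise ValueError(
            f"source-ip {source_ip} -> {server_ip} is outside the phase 2 "
            f"selectors {PHASE2_LOCAL} -> {PHASE2_REMOTE}; expect "
            f"'Server Unreachable'")
    return render_cli(kind, server_ip, source_ip)


if __name__ == "__main__":
    for kind in CLI_TABLES:
        print(plan(kind, AUTH_SERVER, FGT1_INTERNAL_IP))
        print()
    # The WAN address is not inside the local selector, so this is rejected.
    try:
        plan("ldap", AUTH_SERVER, FGT1_WAN_IP)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it prints the four CLI blocks with `set source-ip 192.168.2.1` and then a rejection for the WAN address, which mirrors the article's note: without a source-ip inside the tunnel's selectors, the FortiGate cannot reach the server.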