Administration Guide

Realms

Realms allow multiple domains to authenticate to a single FortiAuthenticator unit. LDAP, RADIUS, and SAML remote servers are supported. Each RADIUS realm is associated with a name, such as a domain or company name, that is used during the login process to indicate the remote (or local) authentication server on which the user resides.

For example, the username of the user PJFry, belonging to the company P_Express, would become any of the following, depending on the selected format:

  • PJFry@P_Express
  • P_Express\PJFry
  • P_Express/PJFry

The FortiAuthenticator uses the specified realm to identify the back-end RADIUS, LDAP, or SAML authentication server(s) used to authenticate the user.

Acceptable realms can be configured per RADIUS client. See Realms.

To manage realms, go to Authentication > User Management > Realms. The following options are available:

Create New

Select to create a new realm.

Delete

Select to delete the selected realm or realms.

Edit

Select to edit the selected realm.

Name

The names of the realms.

User Source

The source of the users in the realms.

Chained token authentication with remote RADIUS server

Available when User source is set to an LDAP server. Enable from the dropdown menu to chain token authentication with a RADIUS server.

Restrict authentication to imported user account only

Available when User source is set to an LDAP, RADIUS, or SAML server. Enable to only allow remote authentication for imported remote user accounts.

To create a new realm:
  1. From the realms list, select Create New.
  2. Enter a Name for the realm.
    The realm name may only contain letters, numbers, periods, hyphens, and underscores. It cannot start or end with a special character.
  3. Select the User source for the realm from the dropdown menu. The options include Local users, or from specific RADIUS, LDAP, or SAML servers.
  4. Enable Chained token authentication with remote RADIUS server. Note that this option is only available when selecting a remote LDAP server as the User source. Chained authentication provides the ability to chain two different authentication methods together so that, for example, a two-factor authentication RSA solution can validate passcodes via RADIUS.
  5. Enable Restrict authentication to imported user account only. Note that this option is only available when selecting a remote LDAP, RADIUS, or SAML server as the User source. The option provides the ability to only allow remote authentication for imported remote user accounts.
  6. Select OK to create the new realm.
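The following is an added illustration, not FortiAuthenticator code: it splits a login string into realm and username for the three formats listed above, enforces the realm-name rule from step 2, and rejects a realm that is not on the acceptable-realm list of the RADIUS client that sent the request. The client names and allowed-realm table are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Realm-name rule from the guide: letters, digits, periods, hyphens and underscores
# only, and the name may not start or end with a special character.
REALM_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")


def is_valid_realm_name(name: str) -> bool:
    return REALM_NAME_RE.fullmatch(name) is not None


def split_realm(login: str) -> Tuple[Optional[str], str]:
    """Return (realm, username) for user@realm, realm\\user or realm/user.

    Returns (None, login) when no realm is present. The last '@' is used so a
    username that itself contains '@' is still split on the realm suffix.
    """
    if "@" in login:
        user, _, realm = login.rpartition("@")
        return realm, user
    for sep in ("\\", "/"):
        if sep in login:
            realm, _, user = login.partition(sep)
            return realm, user
    return None, login


# Constructed per-client acceptable-realm table (hypothetical client names).
ALLOWED_REALMS = {
    "vpn-gateway": {"P_Express", "local"},
    "wifi-controller": {"local"},
}


def select_realm(client: str, login: str, default_realm: str = "local") -> Tuple[str, str]:
    """Resolve the realm a request should be routed to, or raise ValueError.

    Raising (rather than falling back to another server) keeps a malformed or
    unexpected realm from being silently authenticated against the wrong source.
    """
    realm, user = split_realm(login)
    if realm is None:
        realm = default_realm
    if not is_valid_realm_name(realm):
        raise ValueError(f"malformed realm {realm!r} in login {login!r}")
    if realm not in ALLOWED_REALMS.get(client, set()):
        raise ValueError(f"realm {realm!r} not accepted for client {client!r}")
    if not user:
        raise ValueError(f"empty username in login {login!r}")
    return realm, user
```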
