I have an issue integrating Fortinet with Authentication Manager, which otherwise works fine in our environment.
The problem arises when we want to discriminate the rights of users based on the Active Directory group they belong to.
The flow is as follows:
- Fortinet sends an Access-Request to Authentication Manager containing the user's login data.
- Authentication Manager verifies the user ID, password and token.
- If everything is OK, Authentication Manager retrieves from Active Directory the group the user belongs to and sends the Fortinet firewall an Access-Accept containing the standard "memberOf" attribute, but the Fortinet firewall expects the group in an attribute called "Fortinet-Group-Name".
We need Authentication Manager to send the group information inside an attribute called "Fortinet-Group-Name" without losing the automatic synchronization with AD (we tested that if we create a custom attribute called "Fortinet-Group-Name" inside Authentication Manager, we lose the automatic synchronization with Active Directory, which is not acceptable in our environment).
The problem is that they have to use the default Fortinet attribute, which has attribute_number = 1, and we can only create custom attributes with an attribute_number greater than 64 through the Authentication Manager GUI.
This means editing the "Fortinet-Group-Name" attribute in the internal AM database in order to set the attribute number to 1.
Thanks for your collaboration.
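As an added illustration (not part of the original post or of either vendor's code), the following shows in RADIUS terms why the attribute number matters: a minimal encoder/decoder builds the Access-Accept attributes with the group name under the vendor sub-attribute number 1 and under a GUI-created number 65, and a FortiGate-style match only sees the first. The Fortinet vendor ID 12356 and the sub-attribute number 1 are taken from the Fortinet RADIUS dictionary as I know it and should be checked against your FortiGate's dictionary; the group name and packet contents are constructed.

```python
import struct

# Assumed for this example: Fortinet's IANA enterprise number and the
# Fortinet-Group-Name sub-attribute number (1) from the Fortinet RADIUS dictionary.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type

def encode_attr(attr_type, value):
    """Standard RADIUS AVP: Type(1) Length(1) Value (value must be <= 253 bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific AVP: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def parse_attrs(payload):
    """Return (type, vendor_id, vendor_type, value); vendor fields None if standard."""
    out, i = [], 0
    while i < len(payload):
        t, l = struct.unpack_from("!BB", payload, i)
        if l < 2 or i + l > len(payload):
            raise ValueError("malformed attribute length")   # never loop on bad data
        val = payload[i + 2:i + l]
        if t == ATTR_VENDOR_SPECIFIC:
            vid, j = struct.unpack_from("!I", val)[0], 4
            while j < len(val):
                vt, vl = struct.unpack_from("!BB", val, j)
                if vl < 2 or j + vl > len(val):
                    raise ValueError("malformed vendor sub-attribute length")
                out.append((t, vid, vt, val[j + 2:j + vl]))
                j += vl
        else:
            out.append((t, None, None, val))
        i += l
    return out

def fortinet_groups(attrs):
    """What a FortiGate group match sees: Fortinet-Group-Name (vendor 12356, type 1) only."""
    return [v.decode() for _, vid, vt, v in parse_attrs(attrs)
            if vid == FORTINET_VENDOR_ID and vt == FORTINET_GROUP_NAME]

# Constructed Access-Accept attribute lists carrying the same AD group name
# under the default sub-attribute number (1) and a GUI-created one (65).
GROUP = b"VPN-Users"   # sample group, not a real one
REPLY_TYPE_1 = encode_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, GROUP)
REPLY_TYPE_65 = encode_vsa(FORTINET_VENDOR_ID, 65, GROUP)
```

Both replies carry identical bytes for the group name; only the one-byte vendor type differs, which is exactly what the firewall keys its match on.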