Technical Tip: FortiOS LDAP and WiFi WPA/WPA2, enterprise security mode
Description
This article describes which LDAP server to use to authenticate WiFi clients using WPA and WPA2 security protocols.
Scope
LDAP is supported with Wi-Fi clients, but not with every LDAP server. The LDAP server must allow the FortiGate to remotely retrieve the WiFi user's password in clear text.
A packet capture of LDAP traffic shows the LDAP request for the user password (using multiple hashing codes):
Windows Servers do not respond to clear-text password requests; only group membership is returned:
The technical reason for this is that WPA and WPA2 security protocols use a variety of password hashing schemes that are not compatible with Windows Server's LDAP.
OpenLDAP is a free, open-source implementation of the LDAP protocol. It offers greater flexibility in terms of configuration and is amenable to adaptations required for various authentication needs, such as the unique requirements of WPA and WPA2:
-
Clear Text Password Retrieval: OpenLDAP can be configured to allow specific devices, like FortiGate, to retrieve clear-text passwords when necessary. This capability facilitates the password hashing required for WPA and WPA2 authentication.
-
Compatibility with WPA/WPA2: OpenLDAP can be tailored to work seamlessly with WPA and WPA2 security protocols, ensuring secure and consistent user authentication.
Conclusion:
For organizations looking to integrate FortiOS-based Wi-Fi networks using WPA or WPA2 security protocols with LDAP authentication, OpenLDAP serves as a viable and recommended choice due to its adaptability and compatibility.
LDAP logs can be captured on the FortiGate for troubleshooting:
diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug application fnbamd -1
To stop this debug type:
diagnose debug application fnbamd 0
diagnose debug disable
diagnose debug reset
Related document: