On the FortiGate, a policy-based captive portal has been configured for LDAP users, and users can authenticate without entering a password. This is not a FortiGate issue: user management is handled by Active Directory (AD), and packet captures show that the LDAP server accepts the bind and lets users log in to the captive portal without a password.

To enable debugging:

diagnose debug disable
diagnose debug reset
diagnose debug app fnbamd -1
diagnose debug en

Packet capture of the LDAP exchange between the FortiGate (10.10.60.1) and the AD server (10.10.60.37):

50 12.145419 0.000000000 10.10.60.1 10.10.60.37 TCP 74 15876 → 389 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM TSval=618274238 TSecr=0 WS=8192
51 12.145872 0.000453000 10.10.60.37 10.10.60.1 TCP 66 389 → 15876 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM
52 12.145883 0.000011000 10.10.60.1 10.10.60.37 TCP 54 15876 → 389 [ACK] Seq=1 Ack=1 Win=32768 Len=0
53 12.145918 0.000035000 10.10.60.1 10.10.60.37 LDAP 97 bindRequest(1) "uu\administrator" simple
54 12.149428 0.003510000 10.10.60.37 10.10.60.1 LDAP 76 bindResponse(1) success
55 12.149436 0.000008000 10.10.60.1 10.10.60.37 TCP 54 15876 → 389 [ACK] Seq=44 Ack=23 Win=32768 Len=0
56 12.149449 0.000013000 10.10.60.1 10.10.60.37 LDAP 128 searchRequest(2) "DC=uu,DC=local" wholeSubtree
57 12.150186 0.000737000 10.10.60.37 10.10.60.1 LDAP 357 searchResEntry(2) "CN=fortitest,OU=UCN,DC=uu,DC=local" | searchResRef(2) | searchResRef(2) | searchResRef(2) | searchResDone(2) success [1 result]
58 12.150224 0.000038000 10.10.60.1 10.10.60.37 LDAP 133 bindRequest(3) "CN=fortitest,OU=UCN,DC=uu,DC=local" simple
59 12.165278 0.015054000 10.10.60.37 10.10.60.1 TCP 54 389 → 15876 [ACK] Seq=326 Ack=197 Win=2102016 Len=0
60 12.188295 0.023017000 10.10.60.37 10.10.60.1 LDAP 76 bindResponse(3) success   <----- User getting successful bind response.
61 12.188602 0.000307000 10.10.60.1 10.10.60.37 LDAP 164 searchRequest(4) "CN=fortitest,OU=UCN,DC=uu,DC=local" baseObject

Frames 53-54 are the bind with the configured regular (bind) account, frames 56-57 the search that resolves the user name to its DN, and frames 58-60 the simple bind as that user, which the server answers with success even though the user supplied no password.

To disable debugging:

diagnose debug reset
diagnose debug disable

Review the LDAP server configuration to ensure that it does not allow users to bind without a password, as the issue lies with the LDAP (AD) server rather than the FortiGate.
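The behaviour in the capture matches what LDAP itself defines: a simple bind that carries a non-empty DN and an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), and a server that permits it answers with success while granting only anonymous access. A client that forwards the user's empty password and treats any success result as a login is therefore fooled. The following added example (not code from the article or from Fortinet) encodes LDAP bind requests with a small pure-Python BER encoder, classifies captured bind requests by bind type so empty-password binds can be flagged in audits, and shows the client-side guard of refusing to send such a bind at all. The DN is the one from the article's capture; the administrator password and message IDs are constructed sample values.

```python
# Added example (not from the Fortinet article): encode LDAP simple bind
# requests and classify them by RFC 4513 bind type, so captured or
# about-to-be-sent binds with an empty password can be flagged.
# Assumptions: LDAPv3, minimal BER handling, sample values constructed here.

from typing import Dict, List, Tuple

SEQUENCE = 0x30       # universal SEQUENCE, constructed
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice: simple [0] OCTET STRING, primitive


def _ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement contents of a BER INTEGER."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def encode_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a BindRequest with simple authentication, exactly
    as a client would put it on the wire (no policy applied here)."""
    op = _tlv(BIND_REQUEST,
              _tlv(INTEGER, _ber_int(3))                  # version: LDAPv3
              + _tlv(OCTET_STRING, dn.encode("utf-8"))   # name
              + _tlv(AUTH_SIMPLE, password.encode("utf-8")))
    return _tlv(SEQUENCE, _tlv(INTEGER, _ber_int(message_id)) + op)


def classify_bind(message: bytes) -> Dict[str, object]:
    """Decode a BindRequest and name its RFC 4513 bind type."""
    tag, body, _ = _read_tlv(message, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = _read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    msg_id = int.from_bytes(raw_id, "big", signed=True)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return {"message_id": msg_id, "dn": "", "kind": "not-a-bind-request"}
    _, _version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    dn = name.decode("utf-8", "replace")
    if tag != AUTH_SIMPLE:
        kind = "sasl"
    elif not dn and not cred:
        kind = "anonymous"          # RFC 4513 5.1.1
    elif dn and not cred:
        kind = "unauthenticated"    # RFC 4513 5.1.2: success means anonymous access only
    else:
        kind = "simple"             # RFC 4513 5.1.3: credentials actually checked
    return {"message_id": msg_id, "dn": dn, "kind": kind}


def credentialed(dn: str, password: str) -> bool:
    """True only if a simple bind with these values would carry real credentials."""
    return bool(dn) and bool(password)


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Client-side guard: never send a bind the server could accept as
    anonymous/unauthenticated and that a naive client would count as a login."""
    if not credentialed(dn, password):
        raise ValueError("empty DN or password would be an anonymous/unauthenticated bind")
    return encode_bind_request(message_id, dn, password)


def audit(messages: List[bytes]) -> List[Dict[str, object]]:
    """Flag every unauthenticated bind in a list of raw LDAP messages."""
    return [r for r in map(classify_bind, messages) if r["kind"] == "unauthenticated"]


if __name__ == "__main__":
    USER_DN = "CN=fortitest,OU=UCN,DC=uu,DC=local"   # DN from the article's capture
    sample = [                                        # constructed sample traffic
        encode_bind_request(1, "uu\\administrator", "example-bind-password"),
        encode_bind_request(3, USER_DN, ""),          # what an empty portal password becomes
    ]
    for hit in audit(sample):
        print(f"message {hit['message_id']}: unauthenticated bind as {hit['dn']}")
```

Run over the raw LDAP payloads of a capture like the one above, `audit` reports message 3 as an unauthenticated bind; `simple_bind_request` is the check an authenticating client should perform before the request ever reaches the server, independent of whether the directory is later hardened to reject such binds.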
Related articles:

Technical Tip: How to configure FortiGate to use an LDAP server
Technical Tip: Captive portal and LDAP authentication