Staff & Editor
October 24, 2024

Technical Tip: How to configure secure LDAPS communication with FortiNAC

Description

This article describes how to configure secure LDAPS communication with FortiNAC.

Scope

FortiNAC-F.

Solution

Some environments may require secure LDAPS communication with FortiNAC.

A few things need to be verified before switching the LDAP 'Security Protocol' setting to 'SSL':

  • 'Connect by name' is selected in the LDAP Server configuration under System -> Settings -> Authentication -> LDAP.
  • The name configured there matches the CN of the domain controller certificate; with a name-based connection, TLS validation fails if the two differ.
  • FortiNAC can resolve and reach the domain controller FQDN:

ping DC1.labdc.local

 

  • In most cases, FortiNAC automatically imports the certificate it needs to communicate with the domain controller.
  • If it does not, use the steps below to import the certificate into the FortiNAC keystore manually.
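The prerequisites above can be checked from any shell before the protocol is switched. The script below is an added example and is not FortiNAC tooling; it assumes the openssl CLI is on the PATH and that the domain controller certificate has already been exported to a file (PEM or DER). The certificate it generates for its demo run is a constructed stand-in for the exported DC certificate. It goes one step beyond the article by also checking the certificate's DNS SANs, which TLS clients consult in preference to the CN, and its expiry.

```shell
#!/bin/sh
# Added pre-flight check for the LDAPS prerequisites above. Hypothetical helper,
# not part of FortiNAC. Assumes the openssl CLI is on the PATH and that the
# domain controller certificate has already been exported to a file (PEM or DER).

# Case-insensitive comparison of the 'Connect by name' value against one name
# taken from the certificate. A leading "*." in the certificate name matches
# exactly one label, which is how TLS clients treat wildcard certificates.
name_matches() {
    nm_conf=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    nm_cert=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$nm_cert" in
        \*.*)
            if [ "$nm_conf" != "${nm_conf#*.}" ] \
               && [ "${nm_conf#*.}" = "${nm_cert#\*.}" ]; then
                return 0
            fi
            return 1 ;;
        *)
            if [ "$nm_conf" = "$nm_cert" ]; then return 0; fi
            return 1 ;;
    esac
}

# Windows exports are often DER-encoded .cer files; tell openssl which it is.
cert_inform() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Subject CN of the certificate (for example DC1.labdc.local).
cert_cn() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# DNS entries of the subjectAltName extension, one per line (empty if none).
cert_dns_sans() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Succeeds if the certificate has not expired (notAfter is still in the future).
cert_valid_now() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -checkend 0 >/dev/null 2>&1
}

# Succeeds if the configured server name matches the CN or any DNS SAN.
cert_names_match() {
    cnm_cert=$1; cnm_name=$2
    if name_matches "$cnm_name" "$(cert_cn "$cnm_cert")"; then return 0; fi
    for cnm_san in $(cert_dns_sans "$cnm_cert"); do
        if name_matches "$cnm_name" "$cnm_san"; then return 0; fi
    done
    return 1
}

# Runs the checks from the article (resolution, name match) plus expiry,
# prints one line per check and returns the number of failed checks.
ldaps_preflight() {
    pf_host=$1; pf_cert=$2; pf_failed=0
    # getent (glibc/busybox) mirrors the article's ping check without needing ICMP.
    if getent hosts "$pf_host" >/dev/null 2>&1; then
        echo "ok   : $pf_host resolves"
    else
        echo "FAIL : $pf_host does not resolve from this host"; pf_failed=$((pf_failed + 1))
    fi
    if cert_names_match "$pf_cert" "$pf_host"; then
        echo "ok   : $pf_host matches certificate CN/SAN"
    else
        echo "FAIL : $pf_host does not match CN=$(cert_cn "$pf_cert"); fix 'Connect by name' first"
        pf_failed=$((pf_failed + 1))
    fi
    if cert_valid_now "$pf_cert"; then
        echo "ok   : certificate is within its validity period"
    else
        echo "FAIL : certificate has expired"; pf_failed=$((pf_failed + 1))
    fi
    return $pf_failed
}

# Constructed sample input: a throwaway self-signed certificate standing in for
# the exported DC certificate, with the article's DC1.labdc.local as CN and SAN.
make_sample_cert() {
    sc_dir=$(mktemp -d)
    sc_file=$sc_dir/labdc-DC1-cert.cer
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=DC1.labdc.local' \
        -addext 'subjectAltName=DNS:DC1.labdc.local,DNS:ldap.labdc.local' \
        -keyout "$sc_dir/key.pem" -out "$sc_file" >/dev/null 2>&1 \
    || openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=DC1.labdc.local' \
        -keyout "$sc_dir/key.pem" -out "$sc_file" >/dev/null 2>&1   # older openssl without -addext
    echo "$sc_file"
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; demo skipped"; return 0; }
    sample=$(make_sample_cert)
    # FQDN as the article uses it: the name check passes (resolution depends on your DNS).
    ldaps_preflight DC1.labdc.local "$sample" || echo "       $? check(s) failed"
    # Short name instead of the FQDN: the name check fails, as it would in FortiNAC.
    ldaps_preflight dc1 "$sample" || echo "       $? check(s) failed"
    rm -rf "$(dirname "$sample")"
}
demo
```

Run it with the exported DC certificate and the exact value entered under 'Connect by name'; a FAIL on the name check means the LDAP server name, not the keystore, needs fixing first.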

 

Instructions to import the certificate:

  1. Assume that the LDAP certificate has already been exported from the domain controller.

  2. Copy the certificate from the remote SCP server:

scp username@<remote-scp>:/copy/from/file /paste/directory

fnac-f:~$ execute enter-shell

fnac-f:~$ scp root@192.168.108.40:/tmp/labdc-DC1-cert.cer /home/admin

The authenticity of host '192.168.108.40 (192.168.108.40)' can't be established.

ED25519 key fingerprint is SHA256:cy8+.

This key is not known by any other names

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '192.168.108.40' (ED25519) to the list of known hosts.

root@192.168.108.40's password:

labdc-DC1-cert.cer                           100% 1577 2.5MB/s 00:00

                                     

[Screenshot: LDAPS Settings-1 certificate copied.png]

  3. Confirm that the certificate was successfully copied to the /home/admin directory:

fnac-f:~$ cd /home/admin/

fnac-f:~$ ll

total 24

4 drwx------ 2 admin admin 4096 Oct 24 12:12 .ssh/

4 -rw-r--r-- 1 admin admin 1577 Oct 24 12:12 labdc-DC1-cert.cer

  4. Import the certificate into the FortiNAC keystore. When prompted for the keystore password, enter ^8Bradford%23.

fnac-f:~$ keytool -import -trustcacerts -alias ldap_client -file /home/admin/labdc-DC1-cert.cer -keystore .keystore

Enter keystore password:

Re-enter new password:

 

Trust this certificate? [no]:  yes

Certificate was added to keystore

fnac-f:~$

 

  5. Verify that the certificate was imported successfully: from the /home/admin directory, run the following command:

fnac-f:~$ keytool -list -v -keystore .keystore

Enter keystore password:    <---- It is necessary to enter the ^8Bradford%23 password.


A snippet of the output is shown below:

Keystore type: jks

Keystore provider: SUN

 

Your keystore contains 1 entry

 

Alias name: ldap_client

Creation date: Oct 24, 2024

Entry type: trustedCertEntry

 

Owner:

Issuer: CN=labdc-DC1-CA, DC=labdc, DC=local

  6. Restart FortiNAC to clear any cached LDAP sessions.

  7. Navigate to System -> Settings -> Authentication -> LDAP and verify the configuration.

[Screenshot: LDAPS Settings-1.png]

 

Note: In an HA configuration, follow the same steps on the secondary FortiNAC. Certificates are currently not synchronized between the nodes by design; they must be installed on each server individually rather than at the cluster level. This can be done without failing over to the secondary device.

Failover of control takes around 10 to 15 minutes to complete.

 
