joebrug
New Member
January 16, 2015
Solved

Authenticate to VPN SSL Portal via AD credentials?

  • January 16, 2015
  • 3 replies
  • 33229 views

Can you authenticate via an ldap user to the SSL web portal? Using 5.2.2 Forticlient. I just today set up the web portal, so something could definitely be misconfigured there. However, I created an SSL VPN Group, added the Domain Users group to it as a test from AD. Also created a local user called "test" and added it to that group.  I can log in as 'test' but not as any user of AD. 

    Best answer by neonbit

    When you create your usergroup ensure that you have the ldap server configured under 'Remote groups' and that the correct AD group is selected.


    You can always test your LDAP configuration and user credentials via the CLI using the diagnose test authserver ldap command.


    fortigate # diagnose test authserver ldap ad-ldap myusername m4hp@ssw0rd
    authenticate 'myusername' against 'ad-ldap' succeeded!
    Group membership(s) - CN=sslusers,OU=Groups,DC=domain,DC=com
                                      CN=Domain Users,CN=Users,DC=domain,DC=com

    3 replies

    neonbit
    New Member
    January 16, 2015

    Yes, you can use LDAP groups/users for your SSLVPN logins.


    First thing I would do is confirm that LDAP is configured correctly.


    1. Ensure that the common name identifier you have configured maps to the username format you use for the SSL login.

    2. When you click on Fetch DN you should be able to browse your LDAP structure

    3. Test should show up as successful


    joebrug
    joebrugAuthor
    New Member
    January 16, 2015

    ah-ha..

    Using your CLI test, I realized that using my username would fail authentication, but if I use my Full Name, i.e. "John Doe", LDAP allowed me to log in. Is that because I'm using CN as the Common Name Identifier?


    barthur
    New Member
    March 3, 2017

    How can you have a level of redundancy in the Windows Active Directory Authentication?


    Under "Remote Groups" can I add a second AD Server and that second server would respond if the first server didn't?

    simple1689
    New Member
    March 23, 2017

    I have mine set up for AD authentication. I am having an issue where the Domain Users I add are getting Permission Denied. However, my AD account, Administrator, and all my test AD accounts can authenticate without issue. It doesn't matter what OU they are in.


    In any case, here is my setup. 


    AD > Security Group > "SSL VPN Logins"

    AD > New User > fortinet (used for LDAP Bind below). 


    Fortigate 100d > Authentication > LDAP Servers > Successfully configured my connection using my 'fortinet' user to authenticate. Test connection is successful. 


    Fortinet 100d > User > User Groups > New, "SSL VPN Sec Group". 

      • Under Remote Groups > Create New > Remote Server, my LDAP Server > LDAP Groups, Located my "SSL VPN Logins" AD Group > Selected group and added > OK

    Fortinet 100d > VPN > SSL > Settings > Authentication/Portal Mapping > Create New > Added the "SSL VPN Sec Group" for full access


    Fortinet 100d > Policy and Objects > Policy > IPv4 > ssl.root - LAN > Added Source: *, Group: Added "SSL VPN Sec Group", Destination: Local LAN, Schedule: Always, Service: All, Accept. 


    My issue again is that Domain Administrator, my AD test accounts, and my AD account all authenticate without issue. When I add another Domain User (who may already be logged into a Domain Computer somewhere), they get "Permission Denied". I am trying to narrow down when Domain Users receive rights from a Security Group (immediately, or when they re-login; if the latter, does being logged on to an existing computer somewhere stop Security Group permissions from being applied)?
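The two symptoms in this thread (joebrug's login name failing until the Full Name was used, and simple1689's users binding fine but getting "Permission Denied") come from two separate steps of the LDAP check. The following is an added illustration written for this page, not FortiOS code: it models how the Common Name Identifier decides which attribute the login name is matched against, and how the group selected under Remote Groups is then compared with the user's memberOf list. The directory, account names and passwords are constructed sample data; the attribute names (cn, sAMAccountName, memberOf) follow Active Directory conventions, and the group DN is the one from the diagnose output above.

```python
"""Simulated FortiGate-style LDAP login: lookup by Common Name Identifier,
bind, then group-membership check. Added example, not FortiOS code."""

# Constructed sample directory: DN -> attributes. Passwords are stand-ins;
# a real directory verifies the bind itself rather than exposing a password.
DIRECTORY = {
    "CN=John Doe,CN=Users,DC=domain,DC=com": {
        "cn": "John Doe",
        "sAMAccountName": "jdoe",
        "userPassword": "m4hp@ssw0rd",
        "memberOf": [
            "CN=sslusers,OU=Groups,DC=domain,DC=com",
            "CN=Domain Users,CN=Users,DC=domain,DC=com",
        ],
    },
    "CN=Jane Roe,OU=Staff,DC=domain,DC=com": {
        "cn": "Jane Roe",
        "sAMAccountName": "jroe",
        "userPassword": "s3cret",
        # Jane is a Domain User but has not been added to the SSL VPN group.
        "memberOf": ["CN=Domain Users,CN=Users,DC=domain,DC=com"],
    },
}

SSL_GROUP = "CN=sslusers,OU=Groups,DC=domain,DC=com"  # group picked under Remote Groups


def find_user(directory, cnid, login_name):
    """Return the DN whose `cnid` attribute equals login_name, or None.

    This is what the Common Name Identifier setting controls: with 'cn' the
    login must be the AD display name ("John Doe"); with 'sAMAccountName'
    it is the short logon name ("jdoe"). Exactly one match is required.
    """
    matches = [dn for dn, attrs in directory.items() if attrs.get(cnid) == login_name]
    return matches[0] if len(matches) == 1 else None


def bind(directory, dn, password):
    """Simulated LDAP bind: succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry["userPassword"] == password


def authenticate(directory, cnid, login_name, password, required_group=None):
    """Return (status, groups).

    status is 'failed' when no entry is found or the bind is rejected
    (the identifier/username mismatch case), 'permission denied' when the
    bind works but the entry is not in required_group (the group-mapping
    case), and 'succeeded' otherwise. DNs are compared case-insensitively,
    as LDAP does.
    """
    dn = find_user(directory, cnid, login_name)
    if dn is None or not bind(directory, dn, password):
        return "failed", []
    groups = list(directory[dn]["memberOf"])
    if required_group is not None and required_group.lower() not in (g.lower() for g in groups):
        return "permission denied", groups
    return "succeeded", groups


if __name__ == "__main__":
    # With cnid=cn the short name is not found; the display name is.
    print(authenticate(DIRECTORY, "cn", "jdoe", "m4hp@ssw0rd", SSL_GROUP))
    print(authenticate(DIRECTORY, "cn", "John Doe", "m4hp@ssw0rd", SSL_GROUP))
    # With cnid=sAMAccountName the short name works.
    print(authenticate(DIRECTORY, "sAMAccountName", "jdoe", "m4hp@ssw0rd", SSL_GROUP))
    # Valid credentials, but not a member of the mapped group.
    print(authenticate(DIRECTORY, "sAMAccountName", "jroe", "s3cret", SSL_GROUP))
```

Read against the thread: a "failed" result with correct credentials points at the Common Name Identifier (or the DN the search is rooted at), while "permission denied" after a clean bind points at the group selected under Remote Groups not matching what memberOf returns for that account, which is what the `diagnose test authserver ldap` output lets you confirm per user.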