njk1985
New Member
April 4, 2026
Question

FortiNAC Captive Portal with LDAP

Hello,

I am having difficulty understanding how the captive portal works with LDAP authentication with FortiNAC, as I could not find any clear documentation for this.

Could anyone help me understand the workflow and the steps involved in user authentication using LDAP?

So far, I have completed the following steps, but it is not working:

  1. Configured LDAP integration — it appears to be working

  2. Changed the standard user login method to LDAP.

I am not sure if there are any additional steps required.

After later testing, I was able to resolve the issue with help from the community.

What I did:
I initially added LDAP to FortiNAC and configured the standard user login type to use LDAP. However, that alone was not sufficient. Winbind is also required—without it, the setup does not function properly.

Key Notes:

  1. Ensure FortiNAC is added as a computer object in Active Directory.

  2. If you are using an LDAP group for GUI administrator access, delete and recreate the LDAP user group with administrator privileges profile mapping. By default, FortiNAC assigns the group as a user type, so it must be manually corrected.

Question: I am doing LDAP user authentication, why should I add Winbind here?

2 replies

ebilcari
Staff
April 6, 2026

Winbind is used only for MSCHAPv2 and should not be involved in LDAP credential validation. Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks

Emirjon
njk1985 (Author)
New Member
April 6, 2026

What I am doing here: the FortiGate SSID redirects to the Captive Portal (standard user) login page.

My understanding here: Portal -- user enters credentials -- FortiNAC (not FortiGate) validates against LDAP -- FortiNAC returns RADIUS Access-Accept / Reject

As you said, we do not need Winbind here, but in my lab it's not working without Winbind, so I might have missed some step in the configuration, I do not know.

ebilcari
Staff
April 7, 2026

The Wi‑Fi hosts are authenticated via RADIUS using MAC authentication, but the user credentials used to register the host from the portal are validated directly from FNAC to the LDAP server. The FGT is not involved in user authentication, and RADIUS is not used for the user credential check. Check again the login types and make sure that they are set to LDAP:

[Image: login type.png]

Something else you could check is the use of Domain Name in Directory configuration. If a domain is set there, the users need to use the full domain when logging in through the portal.

Emirjon
njk1985 (Author)
New Member
April 9, 2026

I have already verified both options you suggested. I changed the standard user login type to LDAP and configured the domain settings, but it didn’t work.

The issue was only resolved after I configured Winbind.

My lab setup is very simple. Since Captive Portal with LDAP involves a lot of configuration, I wanted to minimize the scope of the problem. I enabled and configured LDAP-based admin authentication, but that also didn’t work. That’s when I realized LDAP itself was not functioning correctly.

It started working immediately after configuring Winbind.

So I have a question: why is Winbind required in this scenario? Or am I missing something?