Roman_Trenev
New Member
July 7, 2017
Question

VPN with LDAP authentication


Hello!

I'm looking for the best way to migrate the VPN service for remote users to the FortiGate. All remote users have been added to a special group in AD. I have several domain controllers in three sites.

It makes no difference to me whether I use L2TP, FortiClient SSL or FortiClient IPsec.

The first problem I've found: MS-CHAPv2 is required to change the password in AD.

The second problem: two LDAP servers can't be added to a VPN policy to validate permission for remote access. So the VPN doesn't work at all if I have several domain controllers and one of them is in maintenance.

The third problem: FSSO user groups cannot have remote VPN access.

The fourth problem: L2TP can use PAP only with LDAP authentication.

The fifth problem: if I use RADIUS, how shall I create users in firewall policies later to permit traffic?

 

So what is the best practice to implement remote VPN access for one AD user group?

FortiGate 300D, 5.6

 


    Toshi_Esumi
    SuperUser
    July 7, 2017

    I have a comment on the client side, or rather the protocol. Depending on where remote users are connecting from, I found that some public/hotel WiFi networks were blocking IPsec. L2TP is not encrypted. So SSL VPN over TCP seems to be the best option if those are concerns.

    emnoc
    New Member
    July 7, 2017

    Roman_Trenev wrote:

    The first problem I've found: MS-CHAPv2 is required to change the password in AS.

    The second problem: two LDAP servers can't be added to a VPN policy to validate permission for remote access. So the VPN doesn't work at all if I have several domain controllers and one of them is in maintenance.

    The third problem: FSSO user groups cannot have remote VPN access.

    The fourth problem: L2TP can use PAP only with LDAP authentication.

    The fifth problem: if I use RADIUS, how shall I create users in firewall policies later to permit traffic?

     

    #1  What is "AS"?

     

    #2  That's incorrect, you apply the LDAP server in a group.

     

    #3  Not sure about that one. FSSO should not control a user's VPN availability. Can you explain what you mean by that?

    #4  That might be correct, but I believe I've used L2TP/IPsec with MS-CHAP.

     

    #5  This makes no sense. The firewall policy will have the group defined, and that user group will have the LDAP authentication set.

     

    e.g. (an SSL VPN policy):

     

    config firewall policy
        edit 5
            set srcintf "ssl.root"
            set dstintf "lan"
            set srcaddr "remote_all"
            set dstaddr "Internal01" "Internal02"
            set action accept
            set schedule "always"
            set service "COMMON1" "ALL_DC" "ALL_SAT_SRVCS"
            set groups "GROUP01"
        next
    end

    config user group
        edit "GROUP01"
            set member "SERVER10" "SERVER20"
                config match
                    edit 1
                        set server-name "SERVER10"
                        set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
                    next
                    edit 2
                        set server-name "SERVER20"
                        set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
                    next
                end
        next
    end
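    The part of emnoc's answer worth getting right is point #2: the LDAP server objects (one per domain controller) go into the user group's member list, and each server gets its own match entry pointing at the same AD group DN, so the FortiGate tries the member servers in turn and one DC in maintenance does not lock remote users out. Because the same match block is copied once per DC, it is easy to end up with a match entry that names a server never added to member; group evaluation only queries the member servers, so such an entry is dead configuration at best and the users of that DC silently fail to match. The Python below is an added example for this thread, not code from the post or from Fortinet: it renders such a group for an arbitrary list of LDAP server objects and parses a FortiOS config back to flag match entries that point at non-member servers. The server names, the AD group DN and SAMPLE_BAD_CONFIG are constructed for illustration, and the parser only understands the config user group / config match nesting shown here, not the full FortiOS CLI grammar.

```python
"""Render and sanity-check a FortiOS 'config user group' that matches one AD
group through several LDAP server objects (one per domain controller).

Added example for this thread, not code from the original post or from Fortinet.
Server names, the AD group DN and SAMPLE_BAD_CONFIG are constructed.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample in the shape of the posted config: the second match entry
# names DC3_LDAP, which was never added to 'set member', so it can never match.
SAMPLE_BAD_CONFIG = """\
config user group
    edit "GROUP01"
        set member "DC1_LDAP" "DC2_LDAP"
            config match
                edit 1
                    set server-name "DC1_LDAP"
                    set group-name "CN=RemoteVPN,CN=Users,DC=example,DC=com"
                next
                edit 2
                    set server-name "DC3_LDAP"
                    set group-name "CN=RemoteVPN,CN=Users,DC=example,DC=com"
                next
            end
    next
end
"""


def build_ldap_group(group_name: str, ldap_servers: List[str], ad_group_dn: str) -> str:
    """Render a user group whose members are several LDAP server objects, with one
    'config match' entry per server pointing at the same AD group DN. The
    FortiGate tries the member servers in turn, so one DC being down does not
    lock remote users out."""
    members = " ".join(f'"{s}"' for s in ldap_servers)
    lines = [
        "config user group",
        f'    edit "{group_name}"',
        f"        set member {members}",
        "            config match",
    ]
    for idx, server in enumerate(ldap_servers, start=1):
        lines += [
            f"                edit {idx}",
            f'                    set server-name "{server}"',
            f'                    set group-name "{ad_group_dn}"',
            "                next",
        ]
    lines += ["            end", "    next", "end"]
    return "\n".join(lines) + "\n"


def parse_user_groups(config_text: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Minimal parser for the 'config user group' / 'config match' nesting only.
    Returns {group name: (member servers, servers named in match entries)}.
    shlex strips the double quotes around names and DNs; DNs containing
    backslash escapes would need a real tokenizer."""
    groups: Dict[str, Tuple[List[str], List[str]]] = {}
    stack: List[str] = []   # open 'config ...' sections, innermost last
    current = None          # group whose 'edit' block we are inside
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "end":
            if stack:
                stack.pop()
        elif tokens[0] == "edit" and stack and stack[-1] == "user group":
            current = tokens[1]
            groups[current] = ([], [])
        elif tokens[0] == "set" and current is not None and stack:
            if stack[-1] == "user group" and tokens[1] == "member":
                groups[current][0].extend(tokens[2:])
            elif stack[-1] == "match" and tokens[1] == "server-name":
                groups[current][1].append(tokens[2])
    return groups


def dangling_match_servers(groups: Dict[str, Tuple[List[str], List[str]]]) -> Dict[str, List[str]]:
    """Match entries that name a server missing from 'set member'. Group
    evaluation only queries the member servers, so such an entry never matches
    and the users authenticated through that DC are silently denied."""
    problems: Dict[str, List[str]] = {}
    for name, (members, matched) in groups.items():
        missing = sorted(set(matched) - set(members))
        if missing:
            problems[name] = missing
    return problems


if __name__ == "__main__":
    print(dangling_match_servers(parse_user_groups(SAMPLE_BAD_CONFIG)))
    print(build_ldap_group("VPN_REMOTE", ["DC1_LDAP", "DC2_LDAP", "DC3_LDAP"],
                           "CN=RemoteVPN,CN=Users,DC=example,DC=com"))
```

    Run it against a `show user group` dump (copied into a string) before rolling a new DC into the group; a non-empty result from dangling_match_servers means a match entry was copied with the wrong server-name.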

     

    Roman_Trenev
    New Member
    July 10, 2017

    emnoc wrote:

    #1  What is "AS"?

    Sorry, AD. I've edited the first post already.

     

    emnoc wrote:

    #2  That's incorrect, you apply the LDAP server in a group.

    I haven't found how several LDAP servers can be added to one group. The one way I've found is to create firewall user groups and add each AD group several times, once via each LDAP server.

     

    emnoc wrote:

    #3  Not sure about that one. FSSO should not control a user's VPN availability. Can you explain what you mean by that?

     

    When FSSO is being configured, you can add several FSSO agents to ONE FortiGate FSSO object. It could be a nice alternative to using LDAP :(

     

     

    emnoc wrote:
    #4  That might be correct, but I believe I've used L2TP/IPsec with MS-CHAP.

    Please read the manual, page 95:

    http://docs.fortinet.com/...-authentication-56.pdf

    For PPTP, L2TP, and IPsec VPN, CHAP is not supported for LDAP.

     

     

    emnoc wrote:

    #5  This makes no sense. The firewall policy will have the group defined, and that user group will have the LDAP authentication set.

     

    Do you mean using LDAP user groups in the firewall policies and something else in the VPN? I don't think that's convenient :(