Skip to main content
Fabio
Fabio
Explorer III
May 25, 2022
Solved

WPA2 Enterprise LDAP authentication

  • May 25, 2022
  • 6 replies
  • 17589 views

Hello everyone, 

I would like to performe an authentication in wifi WPA2 Enterprise environment, not with a Radius server but directly to LDAP server ( a OPEN LDAP ). 

I create a local group with LDAP server but not working . In an article in the 2011 told that was impossible cause the WPA2 Enterprise protocol with Windows AD LDAP but was right for OPEN LDAP ( https://community.fortinet.com/t5/FortiAP/Technical-Tip-FortiOS-LDAP-and-WiFi-WPA-WPA2-enterprise-security/ta-p/192530?cmd=displayKC&dialogID=41242937&docType=kc&docTypeID=DT_KCARTICLE_1_1&externalId=FD33251&sliceId=1&stateId=0%200%2041244958 ) 

I have another SSID that works with WINDOWS AD LDAP but in a Radius Server install in a Network Policy Server on a Windows Server.

I have also a FortiAuthenticator and I use it to performe an authentication trought Radius Server ( FAC ) and the LDAP but also not working.

Someone have any idea?

 

Thank you guys

 

Fabio 

Best answer by Fabio

We Smart Connect Profile WPA2 enterprise.jpg

6 replies

pminarik
Staff
pminarik
Staff
May 25, 2022

Hi Fabio,

I assume the FortiGate is directly talking to the LDAP to authenticate the users, is that right? (i.e. this is not going through FAC)

If so, which authentication method are the wireless clients configured to use? Realistically speaking, only EAP-TTLS with PAP inside is expected to work (try it if you haven't yet! :) ).

 

MSCHAPv2 based methods, such as EAP-PEAP are unlikely to work, since they require the LDAP server to be willing to give the user's plaintext password, or its NT-Hash, to the FortiGate (this is the limitation the KB article you linked alludes to). MS AD LDAP is known to never allow this under any circumstances, and I would hope that your OpenLDAP variant also is not willing to give out such sensitive information.

    Fabio
    FabioAuthor
    Explorer III
    May 25, 2022

    Thank you pminarik, 

    I didn't try to EAP-TLLS with PAP.. normally I tried with the default method EAP_PEAP .. Tomorrow I will try :) I hope work .. my only problems is with iPhone iOS that I don't know if can I change between MSCHAPv2 to PAP.. will see..

     

    Fabio 

    Fabio
    FabioAuthor
    Explorer III
    May 26, 2022

    Hi Pminarik,

    yes with Windows device WORKS, but for other device like Mac, iPhone and iOS in generaly the authentication method EAP-TLLS PAP it's not available..

    :(

     

     

    pminarik
    Staff
    pminarik
    Staff
    May 26, 2022

    Then I'm afraid you've hit a crossroads.

    You can either try to figure out how to force those Apple clients to request EAP-TTLS(PAP) (seems like some MDM settings do exist for it), or you will have to go back to RADIUS and EAP-PEAP(MSCHAPv2).

     

    As far as FortiAuthenticator goes, it by default has the exact same limitation. When utilizing a general remote LDAP server as the user back-end, only EAP-TTLS(PAP) is assured to work.

    It can support MSCHAPv2 (~> PEAP), but this is implemented by joining the FAC to the Windows AD domain (so unlikely to be relevant to your OpenLDAP environment), which allows it to verify the MSCHAPv2 credentials provided by the supplicant through SMB-based communication to the domain controller.

     

    The crux of the issue is that the LDAP protocol does not support MSCHAPv2 authentication. As a consequence any originally EAP or RADIUS authentication that then proxies further to LDAP has to deal with, or avoid, this limitation in one way or another, as it is not possible to translate the MSCHAPv2 payloads into a usable LDAP bindRequest.

      Fabio
      FabioAuthor
      Explorer III
      May 26, 2022

      We have succeeded :)

      with Smart Connect Profile.

      Through a Self-Service portal in FortiAuthenticator we were able to have the Smart Connect downloaded and installed in each device. In Smart Connect Profile you can set each parameter of your WIFI.

       

      It's amazing and very easy.

       

      I would love it if I had time to do a tutorial guide, if it can be useful.

       

      Thank you pminarik

       

      Fabio

        pminarik
        Staff
        pminarik
        Staff
        May 26, 2022

        That's a very neat idea to use the FAC to let your Apple devices pull the SSID profile. Glad you figured it out! :)

        Fabio
        FabioAuthor
        Explorer III
        May 26, 2022

        Very useful this youtube video

        https://www.youtube.com/watch?v=0Efmv4kiG5A

          Fabio
          FabioAuthorAnswer
          Explorer III
          May 26, 2022

          We Smart Connect Profile WPA2 enterprise.jpg

          Terms & ConditionsAccessibility statement