FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
Article Id 192530



This article explains which LDAP server to use to authenticate WiFi clients using WPA and WPA2 security protocols.



FortiAP all versions.
FortiOS all versions.



LDAP is supported with WiFi clients but not with every LDAP server. The LDAP server must allow the FortiGate to remotely retrieve the WiFi user's clear text password.

Windows AD does not provide this service; therefore WiFi (WPA/WPA2) clients using LDAP to authenticate must be deployed with OpenLDAP servers.

The technical reason for this is that WPA and WPA2 security protocols use a variety of password hashing schemes that are not compatible with Windows AD LDAP, they do not have the possibility to bind with this type of LDAP authentication.

It is for this reason that WiFi clients (WPA/WPA2) must be deployed using an OpenLDAP server.

Why OpenLDAP:
OpenLDAP is a free, open-source implementation of the LDAP protocol. It offers greater flexibility in terms of configuration and is amenable to adaptations required for various authentication needs, such as the unique requirements of WPA and WPA2:

  1. Clear Text Password Retrieval: OpenLDAP can be configured to allow specific devices, like FortiGate, to retrieve clear text passwords when necessary. This capability facilitates the password hashing required for WPA and WPA2 authentication.

  2. Compatibility with WPA/WPA2: OpenLDAP can be tailored to work seamlessly with WPA and WPA2 security protocols, ensuring secure and consistent user authentication.


For organizations looking to integrate FortiOS-based WiFi networks using WPA or WPA2 security protocols with LDAP authentication, OpenLDAP serves as a viable and recommended choice due to its adaptability and compatibility.