Description
This article explains which LDAP server to use to authenticate WiFi clients using WPA and WPA2 security protocols.
Scope
FortiAP all versions.
FortiOS all versions.
Solution
LDAP is supported with WiFi clients but not with every LDAP server. The LDAP server must allow the FortiGate to remotely retrieve the WiFi user's clear text password.
Windows AD does not provide this service; therefore WiFi (WPA/WPA2) clients using LDAP to authenticate must be deployed with OpenLDAP servers.
The technical reason for this is that WPA and WPA2 security protocols use a variety of password hashing schemes that are not compatible with Windows AD LDAP, they do not have the possibility to bind with this type of LDAP authentication.
It is for this reason that WiFi clients (WPA/WPA2) must be deployed using an OpenLDAP server.
Why OpenLDAP:
OpenLDAP is a free, open-source implementation of the LDAP protocol. It offers greater flexibility in terms of configuration and is amenable to adaptations required for various authentication needs, such as the unique requirements of WPA and WPA2:
-
Clear Text Password Retrieval: OpenLDAP can be configured to allow specific devices, like FortiGate, to retrieve clear text passwords when necessary. This capability facilitates the password hashing required for WPA and WPA2 authentication.
-
Compatibility with WPA/WPA2: OpenLDAP can be tailored to work seamlessly with WPA and WPA2 security protocols, ensuring secure and consistent user authentication.
Conclusion:
For organizations looking to integrate FortiOS-based WiFi networks using WPA or WPA2 security protocols with LDAP authentication, OpenLDAP serves as a viable and recommended choice due to its adaptability and compatibility.
