Jonathan_Body_FTNT
Article Id 192530

Description

This article explains which LDAP server to use to authenticate Wi-Fi clients using the WPA and WPA2 security protocols.

Scope

FortiAP.

Solution

LDAP is supported for Wi-Fi clients, but not with every LDAP server: the LDAP server must allow the FortiGate to remotely retrieve the Wi-Fi user's password in clear text.

When an SSID is configured with WPA/WPA2 Enterprise security, the FortiGate submits an LDAP query to the LDAP server to confirm the user's group membership and password. The request is visible in the debug output of the fnbamd process:

[Image: fnbamd debug output showing the LDAP query for the user password]

A packet capture of the LDAP traffic shows the LDAP search request for the user's password (requested in multiple hashing formats):

[Image: LDAP SearchRequest for the password attribute]

A Windows Server does not respond to the clear-text password request; only the group membership is returned:

[Image: LDAP user query with no password in the response]

As a result, password validation cannot be completed and the user is not authenticated.
Wi-Fi (WPA/WPA2) clients that authenticate through LDAP must therefore be deployed with another LDAP server, such as OpenLDAP.
The technical reason is that the WPA and WPA2 security protocols use a variety of password hashing schemes that are not compatible with Windows Server's LDAP.
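
A practical way to confirm this behaviour before pointing an SSID at an LDAP server is to run the same search the FortiGate would (with the bind account it will use, asking for the password attribute and group membership) and inspect what the server returns. The following is an added example, not Fortinet code: it parses ldapsearch-style LDIF output and classifies the reply, using constructed sample replies in place of a live server.

```python
"""Check whether an LDAP reply carries a password attribute the FortiGate
could use for WPA/WPA2 Enterprise.  Input is LDIF as printed by ldapsearch;
all sample data below is constructed for illustration."""
import base64

# Constructed reply modelled on the Windows AD behaviour described above:
# group membership comes back, the password does not.
AD_REPLY = """\
dn: CN=alice,CN=Users,DC=example,DC=com
memberOf: CN=WiFi-Users,CN=Users,DC=example,DC=com
"""

# Constructed reply from an OpenLDAP entry that exposes userPassword to the
# bind account (ldapsearch base64-encodes it and marks the line with '::').
OPENLDAP_REPLY = """\
dn: uid=alice,ou=people,dc=example,dc=com
memberOf: cn=wifi-users,ou=groups,dc=example,dc=com
userPassword:: """ + base64.b64encode(b"s3cret-wifi").decode() + "\n"


def parse_ldif(text):
    """Return {attribute (lowercased): [values]} for one unfolded LDIF entry."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def password_verdict(attrs):
    """Classify an entry by whether the FortiGate could obtain the password."""
    pw = attrs.get("userpassword")
    if not pw:
        return "NO_PASSWORD"   # membership only: WPA/WPA2 Enterprise auth fails
    if pw[0].startswith("{"):
        return "HASHED"        # {SCHEME}... prefix: confirm FortiGate accepts it
    return "CLEARTEXT"         # retrievable in clear text, as the article requires


if __name__ == "__main__":
    for label, ldif in (("Windows AD", AD_REPLY), ("OpenLDAP", OPENLDAP_REPLY)):
        print(f"{label}: {password_verdict(parse_ldif(ldif))}")
```

Against a real server, feed the function the output of an ldapsearch run as the FortiGate's bind account; a NO_PASSWORD verdict reproduces the Windows Server case shown in the capture above.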
 
Why OpenLDAP:

OpenLDAP is a free, open-source implementation of the LDAP protocol. It offers greater flexibility in terms of configuration and is amenable to adaptations required for various authentication needs, such as the unique requirements of WPA and WPA2:

  1. Clear Text Password Retrieval: OpenLDAP can be configured to allow specific devices, like FortiGate, to retrieve clear-text passwords when necessary. This capability facilitates the password hashing required for WPA and WPA2 authentication.

  2. Compatibility with WPA/WPA2: OpenLDAP can be tailored to work seamlessly with WPA and WPA2 security protocols, ensuring secure and consistent user authentication.

Conclusion:

For organizations looking to integrate FortiOS-based Wi-Fi networks using WPA or WPA2 security protocols with LDAP authentication, OpenLDAP serves as a viable and recommended choice due to its adaptability and compatibility.