Adolfo_Z_H
Staff
Article Id 266052
Description

This article describes why Wi-Fi clients cannot be authenticated to an SSID that uses WPA Enterprise authentication when the authentication source is an LDAP server or a user group based on a remote LDAP server.

Scope

FortiGate acting as a wireless controller, all versions and platforms.

Solution

A WPA Enterprise SSID whose authentication source is an LDAP group is not supported, by definition of the standard.

According to the WPA2 and WPA3 Enterprise standards, only a RADIUS authentication server can be used to build the EAP tunnel.

EAPoW: Extensible Authentication Protocol over Wireless.

EAPoL: Extensible Authentication Protocol over LAN.

The only way to make WPA Enterprise work with LDAP is to place a third-party RADIUS-to-LDAP proxy component between the FortiGate and the LDAP server, such as FortiAuthenticator. Microsoft NPS also provides this function.

Use the following configuration to create the RADIUS server on the Windows server, reusing the same user database:

Technical Tip: Configuring FortiGate and Microsoft NPS (Radius with AD authentication).

The Windows Server firewall rules for RADIUS must be created manually rather than relying on the ones that are automatically created when the service/role is installed.

Be aware that some NPS releases do not correctly pass the traffic and deny the connections; this appears to be a Windows bug.

Windows Server 2019 - Default NPS Firewall rules (Port 1812 UDP) Not working.

After that, configure the SSID so that it references the RADIUS server that was created:

Deploying WPA2-Enterprise SSID to FortiAP units.
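As an added illustration (not configuration from this article or from Fortinet), the FortiOS CLI below contrasts the unsupported approach, an SSID whose authentication source is a user group backed by an LDAP server, with the supported one, an SSID that points at a RADIUS server (NPS or FortiAuthenticator) fronting that same directory. Object names, addresses and the bind/shared-secret placeholders are assumed values.

```fortios
# --- Unsupported: WPA2-Enterprise SSID authenticating against an LDAP-backed group ---
# Assumed object names and addresses. LDAP cannot build the EAP tunnel,
# so supplicants never complete 802.1X against this SSID.
config user ldap
    edit "corp-ldap"
        set server "192.0.2.20"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-ldap,cn=Users,dc=corp,dc=example"
        set password <LDAP_BIND_PASSWORD>
    next
end
config user group
    edit "wifi-ldap-group"
        set member "corp-ldap"
    next
end
config wireless-controller vap
    edit "corp-wifi-ldap"
        set ssid "Corp-WiFi"
        set security wpa2-enterprise
        set auth usergroup
        set usergroup "wifi-ldap-group"
    next
end

# --- Supported: the same SSID pointed at a RADIUS server (NPS or FortiAuthenticator) ---
# The RADIUS server terminates EAP and queries the directory on the FortiGate's behalf.
# The shared secret must match the RADIUS client entry defined on the NPS side.
config user radius
    edit "nps-radius"
        set server "192.0.2.10"
        set secret <RADIUS_SHARED_SECRET>
    next
end
config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp-WiFi"
        set security wpa2-enterprise
        set auth radius
        set radius-server "nps-radius"
    next
end
```

Replace the angle-bracket placeholders before applying; the `#` lines are comments and are ignored when the fragment is pasted into the CLI.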

Another reason LDAP does not work directly with WPA Enterprise is that an authentication method must be configured between the supplicant (the Wi-Fi client) and the authentication server (RADIUS) so that the authenticator (FortiGate and FortiAP) can generate the EAPOL tunnel. LDAP does not provide this function, which is defined in the 802.1X standard.

See the NSE 7 LAN Edge course, which explains this problem in detail (pages 46 and 47). The complete course can be accessed by registering at the NSE Institute and enrolling in the course:

LAN Edge.