FortiGate
Article Id 251953
Description: This article describes the basic configuration steps required to integrate the JumpCloud LDAP server with FortiGate.
Scope: FortiGate.
Solution:

For regular LDAP users to log in, an LDAP bind user must be configured; FortiGate uses this account to access the LDAP directory when it processes authentication requests.

This user need not be a service account. Any JumpCloud user can be set as the bind user, but the account should be treated as a privileged user.

Sample config in the GUI:

[Screenshot: sample GUI configuration of the LDAP server]

Sample config in the CLI:

[Screenshot: sample CLI configuration of the LDAP server]

The sample CLI configuration is as follows (replace <Server Name>, YOUR_ORG_ID, LDAP_BINDING_USER and LDAP_BINDING_USER_PASSWORD with your own values):

config user ldap
    edit <Server Name>
        set server ldap.jumpcloud.com
        set secure ldaps
        set port 636
        set cnid uid
        set dn ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
        set type regular
        set username uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
        set password LDAP_BINDING_USER_PASSWORD
        set password-expiry-warning enable
        set password-renewal enable
        set group-member-check group-object
        set group-object-filter "(&(objectClass=groupOfNames) (cn=*))"
    next
end

 

cnid is set to uid rather than cn or sAMAccountName: uid is the LDAP account attribute that stores the username in JumpCloud's directory, so it is the attribute FortiGate must search on.

 

Note:

The last two commands in the sample (set group-member-check and set group-object-filter) must be configured for group matching to work when LDAP users or user groups are used for VPN. Verifying a user with the 'Test User Credentials' button succeeds without these two commands, so a successful test does not prove that group matching is set up. These two attributes can only be configured from the CLI.

 

Group member checking methods can be assigned using the following CLI command:

Fortigate (Jumpcloud_LDAP) # set group-member-check
user-attr     User attribute checking.
group-object     Group object checking.
posix-group-object     POSIX group object checking.

The filter used for group searching can be assigned using the following CLI command:

Fortigate (Jumpcloud_LDAP) # set group-object-filter
filter used for group searching. Here are some examples:
(&(objectcategory=group)(member=*))
(&(objectclass=groupofnames)(member=*))
(&(objectclass=groupofuniquenames)(uniquemember=*))
(&(objectclass=posixgroup)(memberuid=*))
(&(objectclass=posixgroup)(memberuid=%s))

The username is in the format uid=<userid>,ou=xxxxx,o=xxxxxxxxxxxxxxxxxx,dc=jumpcloud,dc=com, where the o= component holds your organization ID.
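To see what the group-object check above actually requires from the directory, the following script (an added example, not from the article or from Fortinet) mimics it offline against a constructed in-memory directory shaped like the configuration: it builds the user DN from cnid and dn, evaluates the article's group-object-filter against each entry, and reports the groups whose member attribute carries that DN. The entries, user names and group names are constructed sample data, and the %s filter form is not modelled.

```python
import re

# Constructed sample directory (not real JumpCloud data), shaped like the
# article's config: base DN from 'set dn', users keyed by uid ('set cnid uid').
BASE_DN = "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com"
CNID = "uid"
DIRECTORY = [
    {"dn": f"uid=alice,{BASE_DN}", "objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    {"dn": f"cn=vpn-users,{BASE_DN}", "objectClass": ["groupOfNames"],
     "cn": ["vpn-users"], "member": [f"uid=alice,{BASE_DN}"]},
    {"dn": f"cn=admins,{BASE_DN}", "objectClass": ["groupOfNames"],
     "cn": ["admins"], "member": [f"uid=bob,{BASE_DN}"]},
    # posixGroup entry: never selected by a groupOfNames filter, even though it lists alice.
    {"dn": f"cn=legacy,{BASE_DN}", "objectClass": ["posixGroup"],
     "cn": ["legacy"], "memberUid": ["alice"]},
]

def user_dn(username):
    """DN the firewall resolves the user to: <cnid>=<username>,<dn>."""
    return f"{CNID}={username},{BASE_DN}"

def _values(entry, attr):
    """Case-insensitive attribute lookup; values lower-cased (LDAP caseIgnore matching)."""
    for key, vals in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []

def matches(entry, filt):
    """Evaluate the filter subset used on this page: (&(a=b)(c=*)) with no nesting."""
    filt = re.sub(r"\)\s+\(", ")(", filt.strip())  # tolerate the space in the article's example
    if filt.startswith("(&"):
        return all(matches(entry, sub) for sub in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, value = filt[1:-1].split("=", 1)
    vals = _values(entry, attr)
    return bool(vals) if value == "*" else value.lower() in vals

def group_object_check(username, group_object_filter):
    """Mimic 'group-member-check group-object': groups that pass the filter AND list the
    user's full DN in member (groupOfNames) or uniqueMember (groupOfUniqueNames)."""
    dn = user_dn(username).lower()
    return [e["cn"][0] for e in DIRECTORY
            if matches(e, group_object_filter)
            and dn in _values(e, "member") + _values(e, "uniqueMember")]

if __name__ == "__main__":
    print(group_object_check("alice", "(&(objectClass=groupOfNames) (cn=*))"))  # ['vpn-users']
```

The legacy posixGroup entry shows why the filter and the objectClass of your JumpCloud groups must agree: a group that does not match the filter is never examined for membership, which is what the 'Test User Credentials' button cannot tell you.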

 

If MFA is in use, consider the following:

So far, there is no easy solution for supporting MFA when connecting to a WPA_Enterprise SSID: the push timeout is 5 seconds, and this timer cannot be changed.

For a wired Ethernet connection, the push timer can be changed with the remoteauthtimeout value (specified in seconds):

config system global
    set remoteauthtimeout <seconds>
end