Created on 05-04-2010 11:40 PM Edited on 06-09-2022 08:54 PM By Anonymous
Description
How to configure FortiGate groups with LDAP server and limit the access to only certain groups.
This can be used for local or remote authentication of VPN SSL services.
Scope
FortiOS 4.0MR2 and above
Solution
Group restriction is defined in the user group settings under "config match" from the CLI. An example follows.
Example of LDAP server settings:
FGT # config user ldap
FGT (ldap) # edit ldap_server
FGT (ldap_server) # get
name                    : ldap_server
server                  : <server IP>
cnid                    : cn
dn                      : DC=xyz,DC=com      // a more specific location (using OUs) can be given here to limit the search
port                    : 389
type                    : regular
username                : <domain administrator in LDAP style>
password                : *
filter                  : (&(objectcategory=group)(member=*))
secure                  : disable
password-expiry-warning : disable
password-renewal        : disable
member-attr             : memberOf           // memberOf for Windows AD and OpenLDAP; groupMembership for eDirectory
FortiGate group configuration (example for an SSL portal):
config user group
    edit <group_name>
        set group-type firewall
        set sslvpn-portal "<portal>"         // select the portal if this group is for SSL VPN
        set member "ldap_server"             // the LDAP server defined above
        config match                         // new keyword to restrict the group
            edit 1
                set server-name "ldap_server"                // the LDAP server
                set group-name "cn=grp,dc=xyz,dc=com"        // the LDAP group
            next
        end
    next
end
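The "config match" entry above means the FortiGate only admits a user whose directory entry carries the configured group DN in its member-attr (memberOf). The following Python script is an added example, not code from the article or from Fortinet: it simulates that check offline against constructed directory responses, so an administrator can see which users would pass or fail before touching the firewall. The DN normalization (attribute names and values compared case-insensitively, whitespace after commas ignored, escaped commas preserved) follows RFC 4517 distinguishedNameMatch and is an assumption of this example, not a description of FortiOS internals; the rule that an empty "config match" places no restriction is what the article implies and is likewise assumed here.

```python
"""Offline simulation of the FortiGate 'config match' LDAP group check (example code)."""
from __future__ import annotations


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas, keeping '\\,' inside a value intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form so 'CN=Grp, DC=XYZ,DC=com' compares equal to 'cn=grp,dc=xyz,dc=com'.

    Assumption: case-insensitive match per RFC 4517 distinguishedNameMatch.
    """
    canon = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        canon.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(canon)


# Mirrors the article's 'config match' block (server-name / group-name).
MATCH_ENTRIES = [
    {"server-name": "ldap_server", "group-name": "cn=grp,dc=xyz,dc=com"},
]

# member-attr from the article's LDAP server settings.
MEMBER_ATTR = "memberOf"

# Constructed directory responses: what the LDAP server would return for each user.
USERS = {
    "alice": {"memberOf": ["CN=Grp,DC=xyz,DC=com", "CN=Staff,DC=xyz,DC=com"]},
    "bob":   {"memberOf": ["CN=Staff,DC=xyz,DC=com"]},
    "carol": {},  # no memberOf attribute at all
}


def user_matches_group(user_attrs: dict, match_entries: list[dict],
                       server_name: str = "ldap_server",
                       member_attr: str = MEMBER_ATTR) -> bool:
    """Return True if the user would be admitted to the FortiGate user group.

    Assumption: with no 'config match' entries, any user who authenticates
    against the LDAP server is admitted (no group restriction).
    """
    if not match_entries:
        return True
    wanted = {normalize_dn(e["group-name"]) for e in match_entries
              if e["server-name"] == server_name}
    held = {normalize_dn(dn) for dn in user_attrs.get(member_attr, [])}
    return bool(wanted & held)


def report(users: dict, match_entries: list[dict]) -> dict[str, bool]:
    """Evaluate every constructed user against the match entries."""
    return {name: user_matches_group(attrs, match_entries) for name, attrs in users.items()}


if __name__ == "__main__":
    for name, admitted in report(USERS, MATCH_ENTRIES).items():
        print(f"{name:6s} -> {'admitted' if admitted else 'denied'}")
```

Running the script shows alice admitted (her memberOf contains the group despite the case difference), while bob and carol are denied; calling report(USERS, []) shows the unrestricted case where everyone who authenticates is admitted.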
Now this group can be used in firewall policies to allow only the members of the LDAP group "grp":
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "<group_name>"        // the user group defined above
                set service "ANY"
            next
        end
    next
end