FortiGate
ekrishnan
Staff
Article Id 313022
Description: This article describes and demonstrates the configuration required to authenticate an LDAP user using the 'attribute-member' property.
Scope: FortiGate.
Solution

In this article, SSL VPN is used to explain and demonstrate the authentication. The same steps also apply to other authentication methods, such as IPsec dial-up user authentication with an LDAP user group.

The requirement is to configure a user group on the FortiGate that matches and authenticates a user whose member attribute 'ou' has the value 'vpn'.

Step 1: Configure the LDAP server.

Configure an LDAP server by referring to the screenshot below.

[Screenshot: LDAP server configuration]

Step 2: Configure the user group to which the LDAP server will be added as a member.

[Screenshot: user group configuration]

Step 3: Configure the relevant firewall policies and SSL VPN settings to allow the user authentication.

Note: These configurations are skipped, as this article focuses on the 'Attribute Member' configuration.

On the AD server, the user testuser13 inside OU=Users will be used for the authentication.

[Screenshot: AD user testuser13 under OU=Users]

Under the user's properties in AD, locate the Attribute Editor tab. In this example, the ou attribute has been configured with the value 'vpn', as shown below.

[Screenshot: Attribute Editor showing ou = vpn]

Note: If the Attribute Editor tab is not visible, select View > Advanced Features in the AD console; the user properties will then show this tab.

On FortiGate:

Under the LDAP configuration:

config user ldap
    edit "POD-LDAP"
        set server "10.47.2.174"
        set cnid "sAMAccountName"
        set dn "dc=klpod1ftnt,dc=local"
        set type regular
        set username "KLPODFTNT\\admin"
        set password ENC MTAwNPu/PxaQ
        set member-attr "ou"   <----- Here the member attribute field to check is defined as 'ou'.
    next
end

Modify the user group created previously to include the following:

config user group
    edit "vpn users"   <----- User group.
        set member "POD-LDAP"
        config match
            edit 1
                set server-name "POD-LDAP"
                set group-name "vpn"   <----- The value of the 'ou' field (attribute member) defined in AD for the user.
            next
        end
    next
end

Note:

The 'group-name' above does not reference any LDAP user group; instead, it holds the attribute value to be matched, which in this case is 'vpn'.

  • The LDAP filter shown in the FortiGate user group lists the users whose 'ou' attribute has the value 'vpn'.

[Screenshot: LDAP filter in the FortiGate user group]
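As an added illustration (not FortiGate code and not part of the original article), the following Python models the match that this configuration expresses: the user entry is located via 'cnid', and the 'group-name' value must appear among the values of the 'member-attr' attribute. The directory entries are constructed sample data, and the case-insensitive comparison is an assumption about FortiGate's behaviour.

```python
from dataclasses import dataclass


@dataclass
class LdapServerConfig:
    """Mirrors the 'config user ldap' entry in the article."""
    cnid: str = "sAMAccountName"
    dn: str = "dc=klpod1ftnt,dc=local"
    member_attr: str = "ou"


@dataclass
class GroupMatch:
    """Mirrors one 'config match' entry under 'config user group'."""
    server_name: str
    group_name: str


# Constructed sample directory (not a real export): attribute names are lower-cased
# and values kept as lists, since LDAP attributes such as ou can be multi-valued.
DIRECTORY = {
    "CN=testuser13,OU=Users,DC=klpod1ftnt,DC=local": {"samaccountname": ["testuser13"], "ou": ["vpn"]},
    "CN=testuser14,OU=Users,DC=klpod1ftnt,DC=local": {"samaccountname": ["testuser14"], "ou": ["staff"]},
    "CN=testuser15,OU=Users,DC=klpod1ftnt,DC=local": {"samaccountname": ["testuser15"]},  # no ou at all
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a group-name such as 'vpn(1)' cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def search_filter(server: LdapServerConfig, login: str, match: GroupMatch) -> str:
    """Filter equivalent to the match: entry found by cnid AND member-attr holds group-name."""
    return "(&(%s=%s)(%s=%s))" % (server.cnid, escape_filter_value(login),
                                  server.member_attr, escape_filter_value(match.group_name))


def user_matches_group(server: LdapServerConfig, login: str, match: GroupMatch,
                       directory: dict = DIRECTORY) -> bool:
    """True when the login's entry carries group-name among its member-attr values.
    Comparison is case-insensitive (caseIgnoreMatch, the rule for AD's ou attribute);
    that FortiGate normalises case the same way is an assumption, not stated in the article."""
    for attrs in directory.values():
        if login.lower() not in (v.lower() for v in attrs.get(server.cnid.lower(), [])):
            continue
        values = attrs.get(server.member_attr.lower(), [])
        return match.group_name.lower() in (v.lower() for v in values)
    return False  # no entry for this login under the base DN: authentication must fail
```

Running user_matches_group for testuser13, testuser14 and testuser15 reproduces the three outcomes the article's match implies: only the entry whose ou holds 'vpn' is accepted.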

Testing the authentication:

[Screenshot: SSL VPN login test for testuser13]

Authentication is successful for 'testuser13'. Note that the only match defined in the FortiGate user group settings is the attribute value 'vpn'.

In the fnbamd and SSL VPN debug output, note the entries where the value 'vpn' is located for the member attribute field 'ou'.

[Screenshot: fnbamd and sslvpn debug output]

Debug commands:

diag de app sslvpn -1
diag de app fnbamd -1
diag de en