FortiGate
VinayHM (Staff)
Article Id 412592
Description This article describes why users can authenticate to a policy-based captive portal on the FortiGate without entering a password.
Scope FortiGate.
Solution

On the FortiGate, a policy-based captive portal has been configured for LDAP users, and users can authenticate without entering a password.

This is not an issue with the FortiGate, because user management is handled by Active Directory (AD). Packet captures show that the LDAP server returns a successful bind for the user, so it is the LDAP server that permits the login to the captive portal without requiring a password.


To enable debugging:

diagnose debug disable
diagnose debug reset
diagnose debug app fnbamd -1
diagnose debug enable

Packet capture between the FortiGate (10.10.60.1) and the LDAP server (10.10.60.37) on TCP port 389 during the captive portal login:

50 12.145419 0.000000000 10.10.60.1 10.10.60.37 TCP 74 15876 → 389 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM TSval=618274238 TSecr=0 WS=8192
51 12.145872 0.000453000 10.10.60.37 10.10.60.1 TCP 66 389 → 15876 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM
52 12.145883 0.000011000 10.10.60.1 10.10.60.37 TCP 54 15876 → 389 [ACK] Seq=1 Ack=1 Win=32768 Len=0
53 12.145918 0.000035000 10.10.60.1 10.10.60.37 LDAP 97 bindRequest(1) "uu\administrator" simple
54 12.149428 0.003510000 10.10.60.37 10.10.60.1 LDAP 76 bindResponse(1) success
55 12.149436 0.000008000 10.10.60.1 10.10.60.37 TCP 54 15876 → 389 [ACK] Seq=44 Ack=23 Win=32768 Len=0
56 12.149449 0.000013000 10.10.60.1 10.10.60.37 LDAP 128 searchRequest(2) "DC=uu,DC=local" wholeSubtree
57 12.150186 0.000737000 10.10.60.37 10.10.60.1 LDAP 357 searchResEntry(2) "CN=fortitest,OU=UCN,DC=uu,DC=local" | searchResRef(2) | searchResRef(2) | searchResRef(2) | searchResDone(2) success [1 result]
58 12.150224 0.000038000 10.10.60.1 10.10.60.37 LDAP 133 bindRequest(3) "CN=fortitest,OU=UCN,DC=uu,DC=local" simple
59 12.165278 0.015054000 10.10.60.37 10.10.60.1 TCP 54 389 → 15876 [ACK] Seq=326 Ack=197 Win=2102016 Len=0
60 12.188295 0.023017000 10.10.60.37 10.10.60.1 LDAP 76 bindResponse(3) success <----- User getting successful bind response.
61 12.188602 0.000307000 10.10.60.1 10.10.60.37 LDAP 164 searchRequest(4) "CN=fortitest,OU=UCN,DC=uu,DC=local" baseObject

To disable debugging:

diagnose debug reset
diagnose debug disable

Review the LDAP server configuration to ensure that it does not allow users to bind, and therefore log in, without a password.
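The capture above only shows each bind as a one-line summary ("bindRequest(3) ... simple"), which does not reveal what credential, if any, was inside the request. The following is an added example, not code from the Fortinet article or from FortiOS: it encodes and decodes an LDAPv3 simple BindRequest (RFC 4511) and classifies it the way RFC 4513 section 5.1 does, so that an administrator reviewing a capture or a test bind can tell an anonymous bind (empty name, empty password) and an unauthenticated bind (a DN with an empty password) apart from a real name/password bind. A server that accepts an unauthenticated bind answers bindResponse success without having checked any password. The DNs are taken from the capture above; the PDUs and passwords are constructed for the example.

```python
# Added example (not from the Fortinet article): minimal BER encoder/decoder for an
# LDAPv3 simple BindRequest (RFC 4511 section 4.2), used to classify binds the way
# RFC 4513 section 5.1 does. Only simple binds are handled; SASL binds raise.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value triple with a single-octet tag."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER in two's-complement, minimum number of octets."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x02, body)


def encode_bind_request(message_id: int, name: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = ber_int(3) + tlv(0x04, name.encode("utf-8")) + tlv(0x80, password)
    # 0x60 = [APPLICATION 0] BindRequest; 0x80 = authentication CHOICE [0] simple
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(pdu: bytes) -> dict:
    """Parse a simple BindRequest PDU; raises ValueError for anything else."""
    tag, message, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(message, 0)
    tag, bind, _ = read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    tag, password, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL credentials use tag 0xA3)")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": version[0],
        "name": name.decode("utf-8"),
        "password": password,
    }


def classify_simple_bind(req: dict) -> str:
    """RFC 4513 section 5.1: anonymous, unauthenticated, or name/password."""
    if not req["name"] and not req["password"]:
        return "anonymous"
    if req["name"] and not req["password"]:
        return "unauthenticated"
    if not req["name"]:
        return "invalid"  # password without a name: servers should reject this
    return "name/password"


def audit(pdus) -> list:
    """Classify each bind; the last tuple field flags binds that checked no password."""
    findings = []
    for pdu in pdus:
        req = decode_bind_request(pdu)
        kind = classify_simple_bind(req)
        findings.append((req["message_id"], req["name"], kind, kind != "name/password"))
    return findings


if __name__ == "__main__":
    # Constructed PDUs: the service-account bind and two variants of the user bind.
    sample = [
        encode_bind_request(1, "uu\\administrator", b"service-account-password"),
        encode_bind_request(3, "CN=fortitest,OU=UCN,DC=uu,DC=local", b"user-password"),
        encode_bind_request(5, "CN=fortitest,OU=UCN,DC=uu,DC=local", b""),  # no password
    ]
    for message_id, name, kind, flagged in audit(sample):
        note = "  <-- server checked no password" if flagged else ""
        print(f"bindRequest({message_id}) {name!r}: {kind}{note}")
```

When the LDAP server is configured correctly, only the "name/password" form should ever end in bindResponse success for a user DN; an "unauthenticated" bind that succeeds is the condition the article's last step asks you to rule out on the LDAP server side.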

Related article: 
Technical Tip: How to configure FortiGate to use an LDAP server