FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
jhilman
Staff
Article Id 307781
Description

This article describes how the FortiNAC Persistent Agent is affected by FortiClient VPN login and LDAP settings.

  • Using the Domain attribute in the LDAP Additional Configuration settings requires FortiNAC logins to use the Domain/username or username@domain format.
  • This can conflict with the username format used for VPN login with FortiClient and FortiGate VPN.
Scope

FortiNAC.
Solution
  1. When using FortiClient, the login format is username/password (FortiToken 2FA may optionally be used for login).
 

  2. When the FortiNAC Persistent Agent is used to log in to FortiNAC with LDAP authentication, there is an optional attribute. It is possible to configure FortiNAC to require the domain to be included in the username, which could be either username@domain or domain\username.

  3. In the LDAP settings found in the Authentication settings view, there is a checkbox for additional configuration, and the attribute described is simply titled Domain. When a domain value is entered here, users are required to include the domain with their usernames at login, as described previously.

  4. This should be avoided. The username from FortiClient is used to find the username in FortiNAC, and it will not match when the two entries are 'username' and 'username@domain', which are not the same. As a result, the host is not allowed to log in to FortiNAC and the login fails with an authentication error. The error may not be shown on the host screen.