Fortinet Forum
make
New Contributor

FortiAuthenticator LDAP auth and password change over SSL VPN

Hello guys!

 

I already implemented a solution with FortiGate and LDAP (via LDAPS) in which it's possible for users to change their password with the SSL VPN client if it has expired, so I hope there is a FortiAuthenticator solution as well.


config user ldap
   edit <server_name>
   set password-expiry-warning {disable | enable}
   set password-renewal {disable | enable}
   ...
end

 

I'm searching for a solution in which the same is possible, but where the FortiGate isn't connected to an LDAP server and is instead connected to a FortiAuthenticator via RADIUS (dynamic FortiToken Mobile assignment), which in turn gets the user information from the LDAP server (via LDAPS). I only found the Self Service Portal, which provides this feature, but this doesn't meet the customer's expectations.

 

Do you have any experience with this? Thank you.

Kind Regards, Maximilian


13 Replies
xsilver_FTNT
Staff

Hi Maximilian,

That should work for SSL VPN terminated on FGT as well.

If LDAP has, for example, set that the user has to change the password at next logon, it should propagate to FAC and then, via RADIUS challenge requests, to the RADIUS client (FGT) and on to the actual client/user.

This should work since roughly FAC 4.2.1 and FGT 5.4.4.

RADIUS should be MSCHAPv2,

and FAC to LDAP with Kerberos (Windows Active Directory Domain Authentication) or LDAPS.

Tom xSilver, planet Earth, over and out!

mwojcicki

Dear xsilver_FTNT,

I have the same situation as in this topic.

 

I have FAC (5.5.0) connected via LDAPS to AD.

FAC is the RADIUS server for FGT (6.0.2), using MSCHAPv2.

SSL VPN users connect to the FGT, which takes the credentials from the FAC RADIUS server (and FAC takes them via LDAPS from AD).

 

Normal users with a currently valid password can establish a VPN connection and everything works fine.

 

Users with an expired password have to change their password, but instead of the password change form in FortiClient I get an error about wrong credentials.

I know a form to change the password should be displayed, because when I used LDAP authentication on FGT (FGT connected to AD directly, without FAC), it works.

 

 

As I said, I get a wrong credentials error in FortiClient, but FAC is aware of the need to change the password, because I see this in the FAC logs:

 

1. Windows AD user authentication(mschap) with no token failed: user password change required

 

and from the /debug logs:

 

1. Module-Failure-Message: mschap: External script says Must change password (0xc0000224)

2. Remote Windows AD user password reset required

3. Updated auth log 'tmp': Windows AD user authentication(mschap) with no token failed: user password change required

 

 

Do you know what the problem may be, that I cannot change the password in this setup? I would appreciate any help.

 

 

The problem is solved: I just had to set password-renewal in the RADIUS configuration on FGT...
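The fix above, together with the MSCHAPv2 requirement xsilver_FTNT mentioned, as an added configuration example that is not from the thread: a FortiGate RADIUS server object pointing at the FortiAuthenticator, before and after. Server name, address and secret are placeholders; the keyword names follow the FortiOS 6.x CLI and should be checked against the CLI reference of your release.

```fortios
# Added example, not taken from the thread. "FAC-RADIUS", 192.0.2.10 and the
# secret are placeholders; keyword names as in the FortiOS 6.x CLI.

# Before: auth-type left at its default and password-renewal left at its
# default (disable). An AD account flagged "must change password" makes FAC
# reject the MSCHAP attempt ("user password change required" in the FAC log)
# and FortiClient only shows a generic wrong-credentials error.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret "<shared-secret>"
    next
end

# After: MS-CHAPv2 so the password can be changed in-band, and password-renewal
# so the FortiGate relays the RADIUS challenge for the new password to the
# SSL VPN client instead of failing the logon.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret "<shared-secret>"
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end
```

On the FAC side the thread's prerequisites still apply: the FortiAuthenticator is joined to the domain and Windows AD authentication is enabled in the RADIUS policy, otherwise MS-CHAPv2 fails before the password-change challenge is ever issued.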

ISAC_
New Contributor II

Hi,

I can't connect via FAC over LDAPS to AD, and I can't connect the FGT to the RADIUS server FAC with MSCHAPv2. The LDAP connection and the default RADIUS authentication method are OK. Could you help me please?

Debbie_FTNT

Hey :).

Regarding Fortigate using MS-CHAPv2 with FortiAuthenticator, the Authenticator needs to be joined to the domain (you can enable this in the remote server > LDAP settings).
Regarding the LDAPS connection not working, this usually happens if FortiAuthenticator does not trust the LDAP server's certificate for some reason. Do you get any error messages when you try to browse LDAP with LDAPS enabled?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ISAC_
New Contributor II

1- I joined the domain and I can see it running in the monitor menu.

2- Yes, when I browse I get an error about the certificate like that. I exported the domain root certificate and imported it on FAC. I selected this certificate. But no way. What can I do?

Debbie_FTNT

If there is an intermediate certificate that actually signed the LDAP server cert, you might need to import and set that on FortiAuthenticator instead of the domain root certificate; FortiAuthenticator can be a bit finicky about that.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ISAC_
New Contributor II

You were right. It was using a different certificate. This problem is solved; I was able to connect with LDAPS without any problems. Another problem I have is MS-CHAPv2. I cannot make a RADIUS connection between the FortiGate firewall and FAC with MS-CHAPv2. Actually the connection status shows successful, but it is not working. What should I pay attention to?

Debbie_FTNT

If FortiAuthenticator is joined to the domain, have you enabled Windows AD authentication in the RADIUS policy? That also needs to be toggled on for MS-CHAPv2 to work.
If both are in place (domain join and WinAD auth enabled in the RADIUS policy) I would suggest looking at the FortiAuthenticator logs under the Logging section, and at the RADIUS debug under https://<FAC>/debug/radius
Either should provide additional detail as to why MS-CHAPv2 might be failing.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ISAC_
New Contributor II

I joined the domain and there is no problem. But where should I check in the policy for Windows domain authentication? Could you send a screenshot?