Support Forum
Frosty
Contributor

SSL VPN with LDAP and AD security groups

New Fortigate 200B user here. We're running 4.00 MR2. Have just gone through the setup process for an SSL VPN portal and it's functioning fine. We are using LDAP authentication ... BUT ... What we would like to do is place users in security groups in AD and have the SSL VPN authenticate on the basis of group membership. We tried for a couple of hours to get this to work, but unsuccessfully. In the end we had to settle for allowing VPN access for a whole OU. This is okay as a temporary measure, but it just doesn't work with our AD structure.

Q1. Is it possible to have SSL VPN LDAP authentication on the basis of AD security group membership?
Q2. If it is possible, is there a 'trick' to the config to make this work?
veechee
New Contributor

I am using LDAP authentication with SSL-VPN on 4.0MR2. The way I have it, it's a couple of steps:
1. In User -> Remote -> LDAP I query the OU, e.g., CN=Builtin,dc=example,dc=local
2. In User -> User Group -> User Group, when you make the Firewall group to allow SSL-VPN access, you click Add for Remote authentication and select the LDAP server you created in step 1. Then there is a Group Name column which allows you to use a query to restrict access based on group membership. You use a Common Name Identifier to do so: e.g., cn=VPN Access Users,OU=Builtin,DC=example,DC=local.
Hope this helps. I barely understand LDAP but I know this works. I have two LDAP server entries configured to check a common VPN user group against two different OUs.
* The above example results in users logging in with their full name.
Frosty
Contributor

I'll have another look at that as soon as I can. Do you have your security group in the same OU as the user objects? My AD OU structure looks like this:
COMPANY-SecurityGroups
-- Departments
---- Dept1
---- Dept 2
-- Firewall
-- Workflows
---- Workflow1
---- etc
COMPANY-Users
-- Head Office
---- Level 1
------ Dept1
------ Dept1
---- Level 2
---- etc
So the user objects live somewhere under COMPANY-Users and the security groups they belong to live under COMPANY-SecurityGroups.
EDIT: when I browse the LDAP structure from within the firewall, I can browse down to the Firewall OU under COMPANY-SecurityGroups, but it says "0 objects".
veechee
New Contributor

Your setup is a lot more complicated than mine! However, I *think* it can still work, because the Remote LDAP you create calls the OU, and then you do an independent call against that same server to find a group associated with a member of that OU. This exhausts my knowledge of LDAP and AD scripting though, so I can't contribute any more help!
ede_pfau
Esteemed Contributor III

Only hinting:
- to query for user groups you need a dedicated LDAP account to which the FG authenticates first; then using these credentials it is able to search the tree
- please do a search on "LDAP" on all forums here, there have been several discussions lately on this subject.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Frosty
Contributor

I'm making some progress. I think my problem is likely two-fold. Things I need to test: (1) the special user account I set up for LDAP searching from the Fortigate was a Schema Admin but not a Domain Admin, so I can change that; and (2) this KB article (http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD32359) describes using a special filter (&(objectcategory=group)(member=*)). I've been stuck fixing SSL VPN issues the past 48 hours, and the next couple of days I'm working on our DR plan ... as soon as I have that sorted I will get back to this and see if I can sort it out. Thanks for the help so far, much appreciated!
KUNTURI
New Contributor

Hola! I had a problem when trying to upgrade from 4.1.x to 4.2.2 with the LDAP servers. We had to upgrade because in 4.1.x we had only up to 10 LDAP servers, so up to 10 different groups, and the customer wanted to configure more than 20 groups. In 4.2.2 we have created only one LDAP server and up to 100 user groups. Here you have to be especially careful with the LDAP server user's access privileges, because this user has to "see" the "memberOf" attribute of each user that will use the auth access. I hope this helps you. BR, Juan
Frosty
Contributor

I tried to post something detailed about how we got this working, but it timed out and the post was lost. Too much typing to do it again! If someone wants to email or PM me, I would be happy to send them some screen caps from our firewall config which show how we set it up. In summary though, the key was to:
(a) set up an AD user account with AD Schema query rights;
(b) set up a working LDAP connector at the top level of our AD tree (see User, Remote, LDAP) which looks for "sAMAccountName" as Common Name Identifier;
(c) set up a User Group of type Firewall, which allows SSL-VPN Access (tickbox) and which connects to the LDAP server (see Remote Server section at bottom of page) and which uses Specify with the name of the security group which holds the list of user accounts you want to give access to (the name is the AD name of the security group: e.g. CN=groupname,OU=myOU,OU=etc)
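As an added illustration of the two-step check the thread converges on (bind with a dedicated account, look the user up by sAMAccountName under the base DN, then compare the user's memberOf values against the configured group DN), here is example Python that is not from the thread or from Fortinet. The directory contents, account names and DNs are constructed to match the OU layout discussed above; the "memberOf not readable" case models the permissions problem Juan describes.

```python
# Added example (not from the thread): models the LDAP group check described
# above and returns a diagnostic string for the common failure modes.
# All directory data below is constructed sample data, not a real AD.

def normalize_dn(dn):
    """AD DNs compare case-insensitively; trim spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def ldap_filter(cnid, value):
    """Build (cnid=value) with RFC 4515 escaping so a login name cannot alter the filter."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "(%s=%s)" % (cnid, "".join(esc.get(ch, ch) for ch in value))

# Constructed directory: DN -> attributes as returned to the bind account.
# Whether memberOf is present depends on the bind account's read rights.
SAMPLE_DIRECTORY = {
    "cn=Jane Doe,ou=Dept1,ou=Level 1,ou=Head Office,ou=COMPANY-Users,dc=example,dc=local": {
        "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=VPN Access Users,OU=Firewall,OU=COMPANY-SecurityGroups,DC=example,DC=local"],
    },
    "cn=Bob Roe,ou=Dept 2,ou=Level 1,ou=Head Office,ou=COMPANY-Users,dc=example,dc=local": {
        "sAMAccountName": ["broe"],
        "memberOf": ["CN=Workflow1,OU=Workflows,OU=COMPANY-SecurityGroups,DC=example,DC=local"],
    },
    "cn=Sam Low,ou=Dept1,ou=Level 1,ou=Head Office,ou=COMPANY-Users,dc=example,dc=local": {
        "sAMAccountName": ["slow"],  # memberOf withheld: bind account lacks read rights
    },
}

def check_group_access(directory, base_dn, cnid, username, group_dn):
    """Find the user under base_dn via the CNID attribute, then compare its
    memberOf values to the configured group DN. Returns a diagnostic string."""
    base = normalize_dn(base_dn)
    wanted = normalize_dn(group_dn)
    matches = [
        (dn, attrs) for dn, attrs in directory.items()
        if normalize_dn(dn).endswith(base)
        and username.lower() in (v.lower() for v in attrs.get(cnid, []))
    ]
    if not matches:
        return "deny: no object matching %s under %s" % (ldap_filter(cnid, username), base_dn)
    _, attrs = matches[0]
    if "memberOf" not in attrs:
        return "deny: memberOf not readable by bind account (check its permissions)"
    if wanted in (normalize_dn(g) for g in attrs["memberOf"]):
        return "allow: member of " + group_dn
    return "deny: authenticated but not in " + group_dn
```

Running the live check against a real domain controller would replace SAMPLE_DIRECTORY with a search bound as the FortiGate's service account; the three deny messages are the ones worth telling apart before touching the firewall config.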
Frosty
Contributor

There is a document entitled "SSL VPN authentication by Security Group using LDAP on Fortigate Firewall Appliances with 4.0 MR2" which is dated Dec 25 2010 ... our firewall consultant kindly gave me a printed copy ... this document can be viewed here: http://network-security-software.biz/software/ssl-vpn-authentication-by-security-group-using-ldap-on-fortigate-firewall-appliances-with-4-0-mr2.html That's a step-by-step on setting it up.