Fortinet Forum
Fabio
New Contributor III

WPA2 Enterprise LDAP authentication

Hello everyone, 

I would like to perform authentication in a WiFi WPA2 Enterprise environment, not with a RADIUS server but directly against an LDAP server (an OpenLDAP).

I created a local group with the LDAP server, but it is not working. An article from 2011 said that this was impossible with Windows AD LDAP because of the WPA2 Enterprise protocol, but that it was fine for OpenLDAP ( https://community.fortinet.com/t5/FortiAP/Technical-Tip-FortiOS-LDAP-and-WiFi-WPA-WPA2-enterprise-se... )

I have another SSID that works with Windows AD LDAP, but through a RADIUS server installed as a Network Policy Server on a Windows Server.

I also have a FortiAuthenticator, and I use it to perform authentication through a RADIUS server (FAC) and the LDAP, but that is also not working.

Does anyone have any idea?


Thank you guys


Fabio 

pminarik
Staff

Hi Fabio,

I assume the FortiGate is directly talking to the LDAP to authenticate the users, is that right? (i.e. this is not going through FAC)

If so, which authentication method are the wireless clients configured to use? Realistically speaking, only EAP-TTLS with PAP inside is expected to work (try it if you haven't yet! :) ).


MSCHAPv2 based methods, such as EAP-PEAP are unlikely to work, since they require the LDAP server to be willing to give the user's plaintext password, or its NT-Hash, to the FortiGate (this is the limitation the KB article you linked alludes to). MS AD LDAP is known to never allow this under any circumstances, and I would hope that your OpenLDAP variant also is not willing to give out such sensitive information.

Fabio
New Contributor III

Thank you pminarik, 

I didn't try EAP-TTLS with PAP; normally I tried with the default method, EAP-PEAP. Tomorrow I will try :) I hope it works. My only problem is with iPhone iOS, where I don't know if I can change from MSCHAPv2 to PAP. We will see.

Fabio
Fabio
New Contributor III

Hi Pminarik,

Yes, with Windows devices it WORKS, but for other devices like Mac, iPhone and iOS in general, the authentication method EAP-TTLS PAP is not available..

:(

Fabio
pminarik

Then I'm afraid you've hit a crossroads.

You can either try to figure out how to force those Apple clients to request EAP-TTLS(PAP) (seems like some MDM settings do exist for it), or you will have to go back to RADIUS and EAP-PEAP(MSCHAPv2).


As far as FortiAuthenticator goes, it by default has the exact same limitation. When utilizing a general remote LDAP server as the user back-end, only EAP-TTLS(PAP) is assured to work.

It can support MSCHAPv2 (~> PEAP), but this is implemented by joining the FAC to the Windows AD domain (so unlikely to be relevant to your OpenLDAP environment), which allows it to verify the MSCHAPv2 credentials provided by the supplicant through SMB-based communication to the domain controller.


The crux of the issue is that the LDAP protocol does not support MSCHAPv2 authentication. As a consequence any originally EAP or RADIUS authentication that then proxies further to LDAP has to deal with, or avoid, this limitation in one way or another, as it is not possible to translate the MSCHAPv2 payloads into a usable LDAP bindRequest.

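As an added illustration of the point above (this is not code from the thread, from Fortinet, or from FortiAuthenticator), the Go program below implements the RFC 2759 NT-Response check that a RADIUS/EAP server has to run for PEAP-MSCHAPv2. It takes the user's stored NT hash as an input, which is exactly the value an LDAP simple bind never hands back: the bind only answers success or failure. Function and variable names are my own; the test vector comes from RFC 2759 section 9.2.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// desKey56 widens a 7-byte key fragment to the 8-byte DES form (a parity bit, ignored by DES, after every 7 key bits).
func desKey56(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// ChallengeHash (RFC 2759 section 8.2): first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func ChallengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), userName...))
	return sum[:8]
}

// ChallengeResponse (RFC 2759 section 8.5): zero-pad the 16-byte NT hash to 21 bytes, split it into three 7-byte DES keys, encrypt the challenge with each.
func ChallengeResponse(challenge, ntHash []byte) []byte {
	padded := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	out := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(desKey56(padded[i*7 : i*7+7])) // key is always 8 bytes, so no error
		enc := make([]byte, 8)
		block.Encrypt(enc, challenge)
		out = append(out, enc...)
	}
	return out
}

// VerifyNTResponse is the PEAP-MSCHAPv2 check a RADIUS/EAP server must do: recompute the NT-Response from the
// STORED NT hash and compare. An LDAP simple bind only answers success/failure and never releases that hash.
func VerifyNTResponse(ntHash, authChallenge, peerChallenge []byte, userName string, ntResponse []byte) bool {
	expected := ChallengeResponse(ChallengeHash(peerChallenge, authChallenge, userName), ntHash)
	return bytes.Equal(expected, ntResponse)
}

func main() {
	// RFC 2759 section 9.2 test vector: user "User", password "clientPass" (its NT hash is supplied directly).
	ntHash, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE")
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp, _ := hex.DecodeString("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
	fmt.Println("NT-Response valid:", VerifyNTResponse(ntHash, auth, peer, "User", resp)) // true
}
```

The server side needs the NT hash before it can compute anything; with only an LDAP bind available, the best it can do is EAP-TTLS(PAP), where the plaintext password from the inner tunnel is simply passed to a bindRequest.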
Fabio
New Contributor III

We have succeeded :)

with Smart Connect Profile.

Through a Self-Service portal in FortiAuthenticator we were able to have the Smart Connect profile downloaded and installed on each device. In the Smart Connect Profile you can set each parameter of your WiFi.


It's amazing and very easy.


I would love it if I had time to do a tutorial guide, if it can be useful.


Thank you pminarik

Fabio
pminarik

That's a very neat idea to use the FAC to let your Apple devices pull the SSID profile. Glad you figured it out! :)

Fabio
New Contributor III

This YouTube video is very useful:

https://www.youtube.com/watch?v=0Efmv4kiG5A

Fabio
New Contributor III

[Attachment: Smart Connect Profile WPA2 enterprise.jpg]

Fabio