About the LDAP server setting!!
I have set up the LDAP servers on the FortiGate 60E and used the Test Connectivity button for testing; it shows me a green "successful" message. Then I added the LDAP setting into Remote Groups under the User Groups item.
But when I test with the same username on my mobile, it does not work. How can I find the issue?
Try the CLI:
diag test authserver ldap "MYLDAPSRV01" ken.felix mypassword
That should validate the following:
1: user
2: ldap server reach
3: display memberOf group memberships
Ken
PCNSE
NSE
StrongSwan
Hi Ken,
Thanks for your reply.
Actually, I have always used the CLI.
diag test authserver ldap "MYLDAPSRV01" <username > <password>
and got "authenticate 'username' against 'ldapserver' succeeded!".
And on the LDAP server side I can get the username log:
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 fd=27 ACCEPT from IP=10.80.254.1:15257 (IP=0.0.0.0:389)
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=0 BIND dn="cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" method=128
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=0 BIND dn="cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" mech=SIMPLE ssf=0
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=0 RESULT tag=97 err=0 text=
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=1 SRCH base="ou=fortigate_wifi,dc=office,dc=sexample,dc=com" scope=2 deref=0 filter="(cn=405)"
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=1 SRCH attr=1.1
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 op=0 BIND dn="uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" method=128
Dec 14 14:53:17 Ldap slapd[26741]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 op=0 BIND dn="uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" mech=SIMPLE ssf=0
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 op=0 RESULT tag=97 err=0 text=
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 fd=28 ACCEPT from IP=10.80.254.1:15258 (IP=0.0.0.0:389)
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=2 SRCH base="uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=2 SRCH attr=memberOf primaryGroupID objectSid
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 op=1 UNBIND
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 fd=28 closed
But when I set up the same username and password on the Wi-Fi card, it cannot access Wi-Fi.
So I'm assuming we are talking WPA-Enterprise and Wi-Fi clients?
1: So, are the users in a group?
2: Did you bind that group into your wireless-controller?
3: I think you need RADIUS, btw; I've never heard of LDAP being used for WIFI_CLIENTS if we are talking about wireless.
PCNSE
NSE
StrongSwan
@emnoc I don't think we had set up LDAP for authentication and need RADIUS again.
FGT # [2116] handle_req-Rcvd auth req 1389040114 for 405 in WIFI-group opt=00000100 prot=0
[352] __compose_group_list_from_req-Group 'WIFI-group'
[605] fnbamd_pop3_start-405
[332] radius_start-Didn't find radius servers (0)
[693] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1054] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server '10.80.10.1' for usergroup 'WIFI-group ' (2)
[867] resolve_ldap_FQDN-Resolved address 10.80.10.1, result 10.80.10.1
[1143] build_search_base-search base is: dc=office,dc=example,dc=com
[1263] fnbamd_ldap_init-search filter is: cn=405
[489] create_auth_session-Total 1 server(s) to try
[263] start_search_dn-base:'dc=office,dc=example,dc=com' filter:cn=405
[1649] fnbamd_ldap_get_result-Going to SEARCH state
[2781] auth_ldap_result-Continue pending for req 1389040114
[1547] fnbamd_ldap_get_result-Not ready yet
[2781] auth_ldap_result-Continue pending for req 1389040114
[296] get_all_dn-Found DN 1:uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com
[310] get_all_dn-Found 1 DN's
[344] start_next_dn_bind-Trying DN 1:uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com
[1697] fnbamd_ldap_get_result-Going to USERBIND state
[2781] auth_ldap_result-Continue pending for req 1389040114
[570] start_user_attrs_lookup-Adding attr 'memberOf'
[591] start_user_attrs_lookup-base:'uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com' filter:cn=*
[1753] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
[2781] auth_ldap_result-Continue pending for req 1389040114
[1547] fnbamd_ldap_get_result-Not ready yet
[2781] auth_ldap_result-Continue pending for req 1389040114
[793] get_member_of_groups-Get the memberOf groups.
[820] get_member_of_groups-attr='memberOf' - found 0 values
[1785] fnbamd_ldap_get_result-Auth accepted
[1921] fnbamd_ldap_get_result-Going to DONE state res=0
[2595] fnbamd_auth_poll_ldap-Result for ldap svr 10.80.10.1 is SUCCESS
[2615] fnbamd_auth_poll_ldap-Skipping group matching
[895] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 1389040114
[634] destroy_auth_session-delete session 1389040114
Why, when I get those success logs, does user 405 still not work?
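The two logs in this thread show the same exchange from both ends: the slapd log posted earlier (service-account bind, search for cn=405, a second connection binding as the user DN, then a lookup of memberOf on the user entry) and the fnbamd debug output above (the FortiGate side of the same steps, ending in "found 0 values" for memberOf and "Skipping group matching"). The script below is an added example, not something from the thread or from Fortinet: it parses a re-typed subset of both logs, reconstructs each server-side operation, pulls the facts the FortiGate states about the request, and cross-checks them so that the accept can be read correctly (user bind succeeded; the entry was returned but carried no memberOf values; the group named in the request was never matched). The log excerpts are constructed from the thread's own lines; the only extra scenario is the err=49 variant in the usage note, which is the standard LDAP invalidCredentials result code and not something the thread observed.

```python
import re

# Constructed samples: the relevant lines from the two logs posted in this
# thread, re-typed as test input (the thread's own DNs, names and addresses).
SLAPD_LOG = """\
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=0 BIND dn="cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" method=128
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=0 RESULT tag=97 err=0 text=
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=1 SRCH base="ou=fortigate_wifi,dc=office,dc=example,dc=com" scope=2 deref=0 filter="(cn=405)"
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 op=0 BIND dn="uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" method=128
Dec 14 14:53:17 Ldap slapd[26741]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Dec 14 14:53:17 Ldap slapd[26741]: conn=3757 op=0 RESULT tag=97 err=0 text=
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=2 SRCH base="uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=2 SRCH attr=memberOf primaryGroupID objectSid
Dec 14 14:53:17 Ldap slapd[26741]: conn=3756 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

FNBAMD_DEBUG = """\
[2116] handle_req-Rcvd auth req 1389040114 for 405 in WIFI-group opt=00000100 prot=0
[1054] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server '10.80.10.1' for usergroup 'WIFI-group ' (2)
[296] get_all_dn-Found DN 1:uid=405,cn=570office_wifi,ou=fortigate_wifi,dc=office,dc=example,dc=com
[1697] fnbamd_ldap_get_result-Going to USERBIND state
[820] get_member_of_groups-attr='memberOf' - found 0 values
[1785] fnbamd_ldap_get_result-Auth accepted
[2595] fnbamd_auth_poll_ldap-Result for ldap svr 10.80.10.1 is SUCCESS
[2615] fnbamd_auth_poll_ldap-Skipping group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 1389040114
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|SEARCH RESULT|RESULT)(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')      # key=value or key="quoted value"
CTRL_RE = re.compile(r"unrecognized control: (\S+)")


def parse_slapd(log):
    """Merge slapd lines into one record per (conn, op); collect control OIDs slapd did not know."""
    ops, controls = {}, []
    for line in log.splitlines():
        c = CTRL_RE.search(line)
        if c:
            controls.append(c.group(1))
            continue
        m = OP_RE.search(line)
        if not m:
            continue                       # ACCEPT / closed / unrelated lines
        conn, op, kind, rest = m.groups()
        rec = ops.setdefault((int(conn), int(op)), {"conn": int(conn)})
        if kind in ("BIND", "SRCH"):
            rec["kind"] = kind
        if rest.lstrip().startswith("attr="):
            rec["attrs"] = rest.split("=", 1)[1].split()   # requested attribute list
        else:
            rec.update((k, v.strip('"')) for k, v in KV_RE.findall(rest))
    return list(ops.values()), controls


FNBAMD_PATTERNS = {
    "user": r"Rcvd auth req \d+ for (\S+) in",
    "group": r"Rcvd auth req \d+ for \S+ in (\S+) opt=",
    "ldap_server": r"Loading LDAP server '([^']+)'",
    "user_dn": r"Found DN \d+:(\S+)",
    "memberof_values": r"attr='memberOf' - found (\d+) values",
    "result": r"Result for ldap svr \S+ is (\S+)",
}


def parse_fnbamd(debug):
    """Pull the facts fnbamd states about one authentication request."""
    facts = {}
    for key, pat in FNBAMD_PATTERNS.items():
        m = re.search(pat, debug)
        if m:
            facts[key] = int(m.group(1)) if key == "memberof_values" else m.group(1)
    facts["user_bind_attempted"] = "Going to USERBIND state" in debug
    facts["group_matching_skipped"] = "Skipping group matching" in debug
    return facts


def correlate(slapd_log, fnbamd_debug):
    """Cross-check both sides of the exchange; return (fortigate facts, findings)."""
    ops, controls = parse_slapd(slapd_log)
    fg = parse_fnbamd(fnbamd_debug)
    findings = []
    user_dn = fg.get("user_dn")
    user_bind = next((o for o in ops if o.get("kind") == "BIND" and o.get("dn") == user_dn), None)
    if user_bind is None:
        findings.append("server never saw a BIND as the user DN the FortiGate resolved")
    elif user_bind.get("err") != "0":
        findings.append(f"user BIND failed on the server (err={user_bind.get('err')})")
    attr_lookup = next((o for o in ops if "memberOf" in o.get("attrs", [])), None)
    if attr_lookup and attr_lookup.get("nentries") == "1" and fg.get("memberof_values") == 0:
        findings.append("server returned the user entry but the FortiGate found no memberOf "
                        "values: the entry carries no memberOf attribute")
    if fg.get("group") and fg.get("group_matching_skipped"):
        findings.append(f"accept for group '{fg['group']}' rests on the user bind alone; "
                        "group matching was skipped")
    for oid in controls:
        findings.append(f"server logged an unrecognized control {oid} on a bind; "
                        "check that the bind's RESULT still shows err=0")
    return fg, findings


if __name__ == "__main__":
    facts, notes = correlate(SLAPD_LOG, FNBAMD_DEBUG)
    print(facts)
    for n in notes:
        print("-", n)
```

Running it on the thread's lines yields three findings: the user bind succeeded, the entry came back with no memberOf values, and the FortiGate skipped group matching for WIFI-group. Swapping the user bind's `err=0` for `err=49` (invalidCredentials) in the sample turns the first check into a failure, which is the case the `diag test authserver ldap` command from the earlier reply would also surface. The OID slapd logged, 1.3.6.1.4.1.42.2.27.8.5.1, is the LDAP Password Policy request control; an OpenLDAP server without the ppolicy overlay does not recognise it, and the `err=0` on the following RESULT line shows the bind was not affected.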