Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Active Directory Authentication with Groups (LDAP)

Active Directory Authentication

I've had a rough couple of days parsing through documentation trying to figure out how to get my Fortigate 100A router to use Active Directory 2003 for IPSec VPN authentication. This tutorial is the result. It results in a very clean setup that allows an administrator to allow/disallow VPN access based on Security Group membership in AD. This configuration should also work for any other type of access control, such as SSL-VPN or Web authentication.

Create a Security group in AD, I called mine "VPN Users". Add any users to this group that will need VPN access.

Create a User in AD, mine is named "Fortigate". This user MUST be located in the root of the tree containing user accounts. The Fortigate router will only try to authenticate clients that are located in the same OU, or a sub-OU of this user!

The following configuration can only be configured using the CLI. This is because the "group" tag is not available in the web interface. (This at least holds true in 3.0 MR6 Patch 2.) If you are not already familiar with FortiOS, now is a good time to learn. You could also just log in and type the following commands, but do so at your own risk. Please read all my comments below before doing this part.

    config user ldap
        edit "<LDAP NAME>"
            set server "dc.example.com"
            set cnid "sAMAccountName"
            set dn "OU=People,DC=example,DC=com"
            set type regular
            set username "Fortigate"
            set password ENC <Fortigate's Password>
            set group "CN=VPN Users,OU=People,DC=example,DC=com"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com)(member=*))"
        next
    end

server = IP address or DNS name for the domain controller to authenticate against.

type = The type of LDAP authentication to be done. regular is the only one that can do Auth->Search->Auth->Group Verification.

username = The username that will initially authenticate against LDAP. (NOTE: Must be located in the root of the "dn".) In other words, when the router tries to log in, it will try the DN prepended by the username as the LDAP User!

password = Password for the username.

dn = This is the Distinguished Name where the Fortinet does everything. This serves 2 purposes. 1) This is where the username is located in LDAP. 2) This is the base of searching for ALL USERS THAT WILL TRY TO AUTHENTICATE!

cnid = The username that the client tries to authenticate will be matched against this. I chose the sAMAccountName, which is the Windows Logon Account. You could also choose to use the displayName, userPrincipalName, or any other LDAP attribute you choose.

group = This is the DN of the group that the user MUST belong to in order to log in. Note: Full LDAP Path Required. (Does this need to be in the DN tree? I don't believe so, can someone verify?)

filter = Once the group is found, its list of members is found using this query, which is run against the group object itself. So, the above line first makes sure that the group is actually an AD Security Group, and then gets the list of all members. If the user trying to authenticate is in the list, access is granted, otherwise access is denied.

Well, I hope you enjoyed this write-up, it was painful but fun! With any luck, you will find this helpful and avoid needing too much aspirin. :-) Cheers!
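The Auth->Search->Auth->Group Verification sequence the post describes can be walked through offline. The script below is an added example, not Fortinet code and not part of the original post: it builds a small in-memory directory (constructed entries, constructed passwords), parses the RFC 4515 filter from the post, and runs the four steps with the post's base DN, cnid and group. It shows why a user in a sub-OU of the base DN gets in, why one sitting in the Users container outside it is never found, and why a user inside the base DN but outside the group is refused. The login name is RFC 4515-escaped before it is spliced into the search filter so that a login of "*" cannot turn the lookup into a presence test.

```python
"""Offline model of the Auth -> Search -> Auth -> Group flow in the post above.
Added example, not Fortinet code: the directory is constructed in memory and no
real LDAP server is contacted."""
import re

GROUP_CAT = "CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com"
PERSON_CAT = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"

def person(name, pw):
    return {"objectCategory": [PERSON_CAT], "sAMAccountName": [name], "userPassword": [pw]}

# Constructed directory (DN -> attributes).  Bob sits in a sub-OU of the base DN,
# Carol in the Users container outside it, Dave inside it but not in the group.
DIRECTORY = {
    "CN=Fortigate,OU=People,DC=example,DC=com": person("Fortigate", "svc-secret"),
    "CN=Alice,OU=People,DC=example,DC=com": person("alice", "alice-pw"),
    "CN=Bob,OU=Staff,OU=People,DC=example,DC=com": person("bob", "bob-pw"),
    "CN=Carol,CN=Users,DC=example,DC=com": person("carol", "carol-pw"),
    "CN=Dave,OU=People,DC=example,DC=com": person("dave", "dave-pw"),
    "CN=VPN Users,OU=People,DC=example,DC=com": {
        "objectCategory": [GROUP_CAT],
        "member": ["CN=Alice,OU=People,DC=example,DC=com",
                   "CN=Bob,OU=Staff,OU=People,DC=example,DC=com",
                   "CN=Carol,CN=Users,DC=example,DC=com"]},
}

# The post's settings as a dict (the service password is a constructed value).
CONFIG = {"dn": "OU=People,DC=example,DC=com", "cnid": "sAMAccountName",
          "username": "Fortigate", "password": "svc-secret",
          "group": "CN=VPN Users,OU=People,DC=example,DC=com",
          "filter": "(&(objectCategory=%s)(member=*))" % GROUP_CAT}

def escape(value):
    """RFC 4515 escaping for a value spliced into a filter (e.g. the login name)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', kids) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1                                    # closing ')'
            return (op, kids)
        end = text.index(")", pos)                      # values hold no raw ')'
        attr, _, value = text[pos:end].partition("=")   # split on the first '='
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree

def attr_values(entry, name):
    """Attribute names are case-insensitive in LDAP."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    vals = attr_values(entry, tree[1])
    if tree[2] == "*":                                  # presence test
        return bool(vals)
    return any(v.lower() == unescape(tree[2]).lower() for v in vals)

def in_scope(dn, base, one_level):
    """Subtree test; one_level keeps only direct children (the 'root' of base)."""
    dn, base = dn.lower(), base.lower()
    if not dn.endswith("," + base):
        return False
    return not one_level or "," not in dn[: -len(base) - 1]

def search(base, filt, one_level=False):
    tree = parse_filter(filt)
    return [dn for dn, e in DIRECTORY.items() if in_scope(dn, base, one_level) and matches(tree, e)]

def simple_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and password in attr_values(entry, "userPassword")

def authenticate(cfg, login, password):
    """Returns (granted, reason) so the failing step is visible."""
    # 1. Service-account bind: looked up by cnid directly under the base DN.
    svc = search(cfg["dn"], "(%s=%s)" % (cfg["cnid"], escape(cfg["username"])), one_level=True)
    if len(svc) != 1 or not simple_bind(svc[0], cfg["password"]):
        return False, "service account bind failed"
    # 2. Search the whole subtree under the base DN for the login name.
    hits = search(cfg["dn"], "(%s=%s)" % (cfg["cnid"], escape(login)))
    if len(hits) != 1:
        return False, "user not found under base DN"
    # 3. Bind as the user with the supplied password.
    if not simple_bind(hits[0], password):
        return False, "user bind failed"
    # 4. The configured filter runs against the group object itself; the user
    #    DN must then appear in its member list.
    group = DIRECTORY.get(cfg["group"])
    if group is None or not matches(parse_filter(cfg["filter"]), group):
        return False, "group missing or filter did not match it"
    if hits[0].lower() not in [m.lower() for m in attr_values(group, "member")]:
        return False, "not a member of " + cfg["group"]
    return True, "ok"
```

Calling `authenticate(CONFIG, "carol", "carol-pw")` fails at step 2 even though Carol is in the group, which is the scoping behaviour the post warns about; `authenticate(CONFIG, "dave", "dave-pw")` passes both binds and fails only at step 4. Pointing `group` at a non-group entry makes the objectCategory part of the filter reject it before any membership is checked.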
generaltab
New Contributor

Hello, I'll be attempting this AD auth for SSL-VPN users as you've described here. Would you expect the following to work?
---
    config user ldap
        edit "<LDAP NAME>"
            set server "server.aliquot.com"
            set cnid "sAMAccountName"
            set dn "OU=Aliquot-Users,DC=aliquot,DC=local"
            set type regular
            set username "Fortigate"
            set password ENC <jk96gJ76>
            set group "CN=VPN Users,OU=Aliquot-Users,DC=aliquot,DC=local"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=aliquot,DC=local)(member=*))"
        next
    end
---
AD looks like this:
AD Users and Computers
   aliquot.local
     Aliquot-Users      <-- Fortigate 'user' is in here
     Builtin
     Computers
     Domain Controllers
     Users                 <-- VPN Users group is in here
Thanks for your help! Steve
laf
New Contributor II

I wouldn't expect it to work, as the VPN User Group is not located in the Aliquot-Users OU.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.

generaltab

Thanks, laf. Does the VPN User Group need to be there, or can I change the group line instead? Is FSAE needed for this? --Steve
laf
New Contributor II

I suggest this one:

    config user ldap
        edit "<LDAP NAME>"
            set server "use an IP address instead of the server's name"
            set cnid "sAMAccountName"
            set dn "CN=Users,DC=aliquot,DC=local"
            set type regular
            set username "Fortigate"
            set password ENC <jk96gJ76>
            set group "CN=VPN Users,CN=Users,DC=aliquot,DC=local"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=aliquot,DC=local)(member=*))"
        next
    end

This way you keep your users in the existing, built-in CN Users, and the same for the VPN User group. Also, there's no need to install FSAE on the server! Keep in mind to test it:

    diagnose test authserver ldap <server_name> <username> <password>

The most expensive and scarce resource for man is time, paradoxically, it's infinite.

generaltab

Thanks again. With the following, can I keep my Aliquot-Users OU for my "real users", such as S0crates has a "People" OU apart from the system accounts in the "Users" container?

    config user ldap
        edit "<LDAP NAME>"
            set server "192.168.1.1"
            set cnid "sAMAccountName"
            set dn "CN=Users,DC=aliquot,DC=local"
            set type regular
            set username "Fortigate"
            set password ENC <jk96gJ76>
            set group "CN=VPN Users,CN=Users,DC=aliquot,DC=local"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=aliquot,DC=local)(member=*))"
        next
    end
laf
New Contributor II

So where are the users who need to connect to the VPN: Aliquot-Users or Users? If both are of interest, you'll create two LDAP users, with a config for each container, and then add these two users to the SSL VPN group.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.

generaltab

The users who need to connect to the VPN are in "Aliquot-Users", but the security group that grants them VPN access is in the "Users" container. I'd like to keep my user accounts in Aliquot-Users.
generaltab

I guess if I have 1) my user accounts (People), 2) the Fortigate "user", and 3) the "VPN Users" security group *all* under the Aliquot-Users OU, the below should work:

    config user ldap
        edit "<LDAP NAME>"
            set server "server.aliquot.local"
            set cnid "sAMAccountName"
            set dn "OU=Aliquot-Users,DC=aliquot,DC=local"
            set type regular
            set username "Fortigate"
            set password ENC <jk96gJ76>
            set group "CN=VPN Users,OU=Aliquot-Users,DC=aliquot,DC=local"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=aliquot,DC=local)(member=*))"
        next
    end
laf
New Contributor II

You're right; that's logical; create VPN Users in Aliquot-Users and it should work at once.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.

generaltab

Hi, I got to line 2 of the above before getting an error:

    Connected
    baxter # config user ldap
    baxter (ldap) # edit "<LDAP NAME>"
    The string contains XSS vulnerability characters
    value parse error before '<LDAP NAME>'
    Command fail. Return code -173