Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Active Directory Authenticaton with Groups (L...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎09-24-2008 11:28 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Active Directory Authenticaton with Groups (LDAP)
Active Directory Authentication
I' ve had a rough couple of days parsing through documentation trying to figure out how to get my Fortigate 100A router to use Active Directory 2003 for IPSec VPN authentication. This tutorial is the result. It results in a very clean setup that allows an administrator to allow/disallow VPN access based on Security Group membership in AD. This configuration should also work for any other type of access control, such as SSL-VPN or Web authentication.
Create a Security group in AD, I called mine " VPN Users"
Add any users to this group that will need VPN access.
Create a User in AD, mine is named " Fortigate" . This user MUST be located in the root of the tree containing user accounts. The fortigate router will only try to authenticate clients that are located in the same OU, or a sub-OU of this user!
The following configuration can only be configured using the CLI. This is because the " group" tag is not available in the web interface. (This at least holds true in 3.0 MR6 Patch 2) If you are not already familiar with FortiIOS, now is a good time to learn. You could also just log in and type the following commands, but do so at your own risk. Please read all my comments below before doing this part.
config user ldap
edit " <LDAP NAME>"
set server " dc.example.com"
set cnid " sAMAccountName"
set dn " OU=People,DC=example,DC=com"
set type regular
set username " Fortigate"
set password ENC <Fortigate' s Password>
set group " CN=VPN Users,OU=People,DC=example,DC=com"
set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com)(member=*))"
next
end
server = IP address or DNS name for the domain controller to authenticate against.
type = The type of LDAP authentication to be done. regular is the only one that can do Auth->Search->Auth->Group Verification
username = The username that will initially authenticate against LDAP. (NOTE: Must be located in the root of the " dn" ) In other words, when the router tries to login, it will try DN prepended by username as the LDAP User!
password = Password for the username
dn = This is the Distinguished Name where where the Fortinet does everything. This serves 2 purposes. 1) This is where the username is located in LDAP 2) This is the base of searching for ALL USERS THAT WILL TRY TO AUTHENTICATE!
cnid = The username that the client tries to authenticate will be matched against this. I chose the sAMAccountName, which is the Windows Logon Account. You could also choose to use the displayName, userPrincipalName, or any other LDAP attribute you choose.
group = This is the DN of the group that the user MUST belong to in order to login. Note: Full LDAP Path Required. (Does this need to be in the DN tree? I don' t believe so, can someone verify?)
filter = Once the group is found, it' s list of members is found using this query, which is ran against the group object itself. So, the above line first makes sure that the group is actually an AD Security Group, and then gets the list of all members. If the user trying to authenticate is in the list, access is granted, otherwise access is denied.
Well, I hope you enjoyed this write-up, it was painful but fun! With any luck, you will find this helpful and avoid needing too much asprin. :-)
Cheers!
48 REPLIES 48
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just make another LDAP user, and that' s it. Also update to MR7 v3.0
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, laf. I' m already running Fortigate-100 3.00-b0741(MR7 Patch 5).
I' m sorry, I' m not sure what you mean. Should lines 1 & 2 be something like this, instead?:
config user ldap
edit " <ad-ldap>"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is getting annoying, you know?
First of all user Later edit BUTTON as you already spammed this thread.
Second don' t use brackets !
edit ldap1
edit <ldap1> it is not correct
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I got it, no brackets.
I tested authenticating the Fortigate " user" with ldap and got this error:
baxter # diagnose test authserver ldap ad_ldap Fortigate jk96gJ76
authenticate ' Fortigate' against ' ad_ldap' failed!
However, testing a real user succeeds:
baxter # diagnose test authserver ldap ad_ldap aholland 77jh23
authenticate ' aholland' against ' ad_ldap' succeeded!
In the FortiGate' s Web interface, under User > User Group, I have a group called " VPN_Clients" that previously contained local (FortiGate) users, and now I' ve added ad_ldap as a member, which certainly looks right, but still doesn' t work. That is, I' m still unable to establish VPN for anyone other than local users.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put the Fortigate user which has to authenticate the others in the VPN Users container from Aliquot-Users.
P.S. I' m glad to see that you re using that LE button.
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting closer. Now everyone, including the Fortigate " user" , succeeds the auth test, but still can' t login via the Web portal, except as local users.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, did you add the LDAP user to the SSL-VPN group ?
L.E. in order to test the authentication really works either you use as Xauth for Forticlient users, or (this one is far easy): create a FW rule internal to wan1 and use authentication, this time with a Firewall group which contains the LDAP user. If it works, means your auth is ok.
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are the commands I used to configure for LDAP:
config user ldap
edit " ad_ldap"
set server " 192.168.1.1"
set cnid " sAMAccountName"
set dn " OU=Aliquot-Users,DC=aliquot,DC=local"
set type regular
set username " Fortigate"
set password jk96gJ76
set group " CN=VPN Users,OU=Aliquot-Users,DC=aliquot,DC=local"
set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=aliquot,DC=local)(member=*))"
next
end
It wouldn' t accept my entry for password with " ENC" preceding it, so I removed it. Is that causing trouble?
I' ve added ad_ldap to the SSL VPN user group under User > User Group in the Web interface. It' s in the same group that the working local users are in.
I performed the firewall test for authentication. When I' m prompted to authenticate, I enter the Fortigate " user" or any of the real users and I' m told " authentication was successful" , but I' m never redirected to the requested web site, or any subsequent sites I attempt. I' m temporarily bypassing my web proxy with a rule that allows everything, which follows the rule that requires firewall authentication.
Update: I didn' t have NAT checked on the firewall auth rule. Now I authenticate successfully and get to the requested site, but initiating the SSL-VPN via the Web portal still fails.
Update: The SSL-VPN firewall rules were set to " Local" for User Authentication Method! LDAP auth seems to work now. Thanks for everyone' s help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You enter the password in clear text. The FGT will encrypt it in the config, and prepend it with the " ENC" you saw elsewhere.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quick Note on Firmware Version v4.0.2,build0099,090407
The “User DN†must be in the following format.
user@domain.com
not
user
As the example shows.
Other than that this readme works 100%
Pay close attention to what S0crates, Jesús Cambera, and laf have said.
The following is my working config
config user ldap
edit " SSL Admins Group"
set server " 192.168.10.10" <-- IP address of my Active Directory Domain Controller
set cnid " sAMAccountName"
set dn " OU=Users,OU=remote,DC=company,DC=com"
set type regular
set username " fortigate@company.com" <-- Must have @company.com on the username
set password qwerty
set group " CN=SSL-Admins,OU=Security Groups,OU=remote,DC=company,DC=com"
set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))"
next
edit " SSL Users Group"
set server " 192.168.10.10" <-- IP address of my Active Directory Domain Controller
set cnid " sAMAccountName"
set dn " OU=Users,OU=remote,DC=company,DC=com"
set type regular
set username " fortigate@company.com" <-- Must have @company.com on the username
set password qwerty
set group " CN=SSL-Users,OU=Security Groups,OU=remote,DC=company,DC=com"
set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))"
next
end
Test using laf' s example
diagnose test authserver ldap <server_name> <username> <password>
diagnose test authserver ldap " SSL Admins Group" testUser qwerty <-- no @company.com on the username
On the SSL VPN Client you only need the username without the @company.com to login.
Note: Do not test with a user that has a ( ? ) in the password.
2 x 310B
v4.0,build0272,100331 (MR2)
HA ( Active Passive )
2 x 310B v4.0,build0272,100331 (MR2) HA ( Active Passive )
Labels
-
FortiGate
10,803 -
FortiClient
2,214 -
FortiManager
905 -
FortiAnalyzer
690 -
5.2
687 -
5.4
638 -
FortiSwitch
597 -
FortiClient EMS
585 -
FortiAP
568 -
IPsec
445 -
6.0
416 -
SSL-VPN
394 -
FortiMail
380 -
5.6
362 -
FortiNAC
299 -
FortiWeb
258 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
206 -
FortiAuthenticator
186 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
120 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
SAML
78 -
Routing
78 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
43 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2727 | |
| 1416 | |
| 810 | |
| 738 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.