Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Active Directory Authenticaton with Groups (LDAP)

Active Directory Authentication I' ve had a rough couple of days parsing through documentation trying to figure out how to get my Fortigate 100A router to use Active Directory 2003 for IPSec VPN authentication. This tutorial is the result. It results in a very clean setup that allows an administrator to allow/disallow VPN access based on Security Group membership in AD. This configuration should also work for any other type of access control, such as SSL-VPN or Web authentication. Create a Security group in AD, I called mine " VPN Users" Add any users to this group that will need VPN access. Create a User in AD, mine is named " Fortigate" . This user MUST be located in the root of the tree containing user accounts. The fortigate router will only try to authenticate clients that are located in the same OU, or a sub-OU of this user! The following configuration can only be configured using the CLI. This is because the " group" tag is not available in the web interface. (This at least holds true in 3.0 MR6 Patch 2) If you are not already familiar with FortiIOS, now is a good time to learn. You could also just log in and type the following commands, but do so at your own risk. Please read all my comments below before doing this part. config user ldap edit " <LDAP NAME>" set server " dc.example.com" set cnid " sAMAccountName" set dn " OU=People,DC=example,DC=com" set type regular set username " Fortigate" set password ENC <Fortigate' s Password> set group " CN=VPN Users,OU=People,DC=example,DC=com" set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com)(member=*))" next end server = IP address or DNS name for the domain controller to authenticate against. type = The type of LDAP authentication to be done. regular is the only one that can do Auth->Search->Auth->Group Verification username = The username that will initially authenticate against LDAP. (NOTE: Must be located in the root of the " dn" ) In other words, when the router tries to login, it will try DN prepended by username as the LDAP User! password = Password for the username dn = This is the Distinguished Name where where the Fortinet does everything. This serves 2 purposes. 1) This is where the username is located in LDAP 2) This is the base of searching for ALL USERS THAT WILL TRY TO AUTHENTICATE! cnid = The username that the client tries to authenticate will be matched against this. I chose the sAMAccountName, which is the Windows Logon Account. You could also choose to use the displayName, userPrincipalName, or any other LDAP attribute you choose. group = This is the DN of the group that the user MUST belong to in order to login. Note: Full LDAP Path Required. (Does this need to be in the DN tree? I don' t believe so, can someone verify?) filter = Once the group is found, it' s list of members is found using this query, which is ran against the group object itself. So, the above line first makes sure that the group is actually an AD Security Group, and then gets the list of all members. If the user trying to authenticate is in the list, access is granted, otherwise access is denied. Well, I hope you enjoyed this write-up, it was painful but fun! With any luck, you will find this helpful and avoid needing too much asprin. :-) Cheers!
48 REPLIES 48
laf
New Contributor II

Just make another LDAP user, and that' s it. Also update to MR7 v3.0

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
generaltab

Thanks, laf. I' m already running Fortigate-100 3.00-b0741(MR7 Patch 5). I' m sorry, I' m not sure what you mean. Should lines 1 & 2 be something like this, instead?: config user ldap edit " <ad-ldap>"
laf
New Contributor II

This is getting annoying, you know? First of all user Later edit BUTTON as you already spammed this thread. Second don' t use brackets ! edit ldap1 edit <ldap1> it is not correct

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
generaltab

Ok, I got it, no brackets. I tested authenticating the Fortigate " user" with ldap and got this error: baxter # diagnose test authserver ldap ad_ldap Fortigate jk96gJ76 authenticate ' Fortigate' against ' ad_ldap' failed! However, testing a real user succeeds: baxter # diagnose test authserver ldap ad_ldap aholland 77jh23 authenticate ' aholland' against ' ad_ldap' succeeded! In the FortiGate' s Web interface, under User > User Group, I have a group called " VPN_Clients" that previously contained local (FortiGate) users, and now I' ve added ad_ldap as a member, which certainly looks right, but still doesn' t work. That is, I' m still unable to establish VPN for anyone other than local users.
laf
New Contributor II

Put the Fortigate user which has to authenticate the others in the VPN Users container from Aliquot-Users. P.S. I' m glad to see that you re using that LE button.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
generaltab

Getting closer. Now everyone, including the Fortigate " user" , succeeds the auth test, but still can' t login via the Web portal, except as local users.
laf
New Contributor II

Ok, did you add the LDAP user to the SSL-VPN group ? L.E. in order to test the authentication really works either you use as Xauth for Forticlient users, or (this one is far easy): create a FW rule internal to wan1 and use authentication, this time with a Firewall group which contains the LDAP user. If it works, means your auth is ok.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
generaltab

Here are the commands I used to configure for LDAP: config user ldap edit " ad_ldap" set server " 192.168.1.1" set cnid " sAMAccountName" set dn " OU=Aliquot-Users,DC=aliquot,DC=local" set type regular set username " Fortigate" set password jk96gJ76 set group " CN=VPN Users,OU=Aliquot-Users,DC=aliquot,DC=local" set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=aliquot,DC=local)(member=*))" next end It wouldn' t accept my entry for password with " ENC" preceding it, so I removed it. Is that causing trouble? I' ve added ad_ldap to the SSL VPN user group under User > User Group in the Web interface. It' s in the same group that the working local users are in. I performed the firewall test for authentication. When I' m prompted to authenticate, I enter the Fortigate " user" or any of the real users and I' m told " authentication was successful" , but I' m never redirected to the requested web site, or any subsequent sites I attempt. I' m temporarily bypassing my web proxy with a rule that allows everything, which follows the rule that requires firewall authentication. Update: I didn' t have NAT checked on the firewall auth rule. Now I authenticate successfully and get to the requested site, but initiating the SSL-VPN via the Web portal still fails. Update: The SSL-VPN firewall rules were set to " Local" for User Authentication Method! LDAP auth seems to work now. Thanks for everyone' s help.
rwpatterson
Valued Contributor III

You enter the password in clear text. The FGT will encrypt it in the config, and prepend it with the " ENC" you saw elsewhere.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
rlord
New Contributor

Quick Note on Firmware Version v4.0.2,build0099,090407 The “User DN” must be in the following format. user@domain.com not user As the example shows. Other than that this readme works 100% Pay close attention to what S0crates, Jesús Cambera, and laf have said. The following is my working config config user ldap edit " SSL Admins Group" set server " 192.168.10.10" <-- IP address of my Active Directory Domain Controller set cnid " sAMAccountName" set dn " OU=Users,OU=remote,DC=company,DC=com" set type regular set username " fortigate@company.com" <-- Must have @company.com on the username set password qwerty set group " CN=SSL-Admins,OU=Security Groups,OU=remote,DC=company,DC=com" set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))" next edit " SSL Users Group" set server " 192.168.10.10" <-- IP address of my Active Directory Domain Controller set cnid " sAMAccountName" set dn " OU=Users,OU=remote,DC=company,DC=com" set type regular set username " fortigate@company.com" <-- Must have @company.com on the username set password qwerty set group " CN=SSL-Users,OU=Security Groups,OU=remote,DC=company,DC=com" set filter " (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))" next end Test using laf' s example diagnose test authserver ldap <server_name> <username> <password> diagnose test authserver ldap " SSL Admins Group" testUser qwerty <-- no @company.com on the username On the SSL VPN Client you only need the username without the @company.com to login. Note: Do not test with a user that has a ( ? ) in the password.
2 x 310B v4.0,build0272,100331 (MR2) HA ( Active Passive )
2 x 310B v4.0,build0272,100331 (MR2) HA ( Active Passive )
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors