Support Forum

Active Directory Authentication with Groups (LDAP)

Active Directory Authentication

I've had a rough couple of days parsing through documentation trying to figure out how to get my Fortigate 100A router to use Active Directory 2003 for IPSec VPN authentication. This tutorial is the result. It results in a very clean setup that allows an administrator to allow/disallow VPN access based on Security Group membership in AD. This configuration should also work for any other type of access control, such as SSL-VPN or Web authentication.

Create a Security group in AD, I called mine "VPN Users". Add any users to this group that will need VPN access.

Create a User in AD, mine is named "Fortigate". This user MUST be located in the root of the tree containing user accounts. The fortigate router will only try to authenticate clients that are located in the same OU, or a sub-OU of this user!

The following configuration can only be configured using the CLI. This is because the "group" tag is not available in the web interface. (This at least holds true in 3.0 MR6 Patch 2.) If you are not already familiar with FortiOS, now is a good time to learn. You could also just log in and type the following commands, but do so at your own risk. Please read all my comments below before doing this part.

    config user ldap
        edit "<LDAP NAME>"
            set server "dc.example.com"
            set cnid "sAMAccountName"
            set dn "OU=People,DC=example,DC=com"
            set type regular
            set username "Fortigate"
            set password ENC <Fortigate's Password>
            set group "CN=VPN Users,OU=People,DC=example,DC=com"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com)(member=*))"
        next
    end

server = IP address or DNS name for the domain controller to authenticate against.

type = The type of LDAP authentication to be done. regular is the only one that can do Auth->Search->Auth->Group Verification.

username = The username that will initially authenticate against LDAP. (NOTE: Must be located in the root of the "dn".) In other words, when the router tries to login, it will try DN prepended by username as the LDAP User!

password = Password for the username.

dn = This is the Distinguished Name where the Fortinet does everything. This serves 2 purposes. 1) This is where the username is located in LDAP. 2) This is the base of searching for ALL USERS THAT WILL TRY TO AUTHENTICATE!

cnid = The username that the client tries to authenticate will be matched against this. I chose the sAMAccountName, which is the Windows Logon Account. You could also choose to use the displayName, userPrincipalName, or any other LDAP attribute you choose.

group = This is the DN of the group that the user MUST belong to in order to login. Note: Full LDAP Path Required. (Does this need to be in the DN tree? I don't believe so, can someone verify?)

filter = Once the group is found, its list of members is found using this query, which is run against the group object itself. So, the above line first makes sure that the group is actually an AD Security Group, and then gets the list of all members. If the user trying to authenticate is in the list, access is granted, otherwise access is denied.

Well, I hope you enjoyed this write-up, it was painful but fun! With any luck, you will find this helpful and avoid needing too much aspirin. :-) Cheers!
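The four-step flow the post describes (bind as the "username" account under "dn", search the "dn" subtree by "cnid", bind as the found user, then check the "group" object through "filter") can be modelled end to end. The block below is an added example and is not FortiOS code or anything from the original post: it runs the same steps against a constructed in-memory directory, so it executes offline. All DNs, account names and passwords in it are made up, and the simplified filter evaluator covers only the equality and presence clauses the post's two filters use. It also shows the OU caveat from the post: a group member whose account sits outside "dn" is never found, and so is denied.

```python
# Added example, not FortiOS code: a model of the "regular" LDAP flow
# (bind as service account -> search -> bind as user -> group check) run
# against a constructed in-memory directory so it executes offline.
import re
from dataclasses import dataclass

GROUP_CATEGORY = "CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com"

# Constructed sample directory (DN -> attributes); passwords are placeholders.
DIRECTORY = {
    "CN=Fortigate,OU=People,DC=example,DC=com":
        {"sAMAccountName": "Fortigate", "userPassword": "svc-secret"},
    "CN=Alice Holland,OU=People,DC=example,DC=com":
        {"sAMAccountName": "aholland", "userPassword": "alice-pw"},
    "CN=Carol Staff,OU=People,DC=example,DC=com":
        {"sAMAccountName": "cstaff", "userPassword": "carol-pw"},
    # Group member, but outside the configured dn: the post's OU caveat.
    "CN=Bob Contractor,OU=Contractors,DC=example,DC=com":
        {"sAMAccountName": "bcontractor", "userPassword": "bob-pw"},
    "CN=VPN Users,OU=People,DC=example,DC=com":
        {"objectCategory": GROUP_CATEGORY,
         "member": ["CN=Alice Holland,OU=People,DC=example,DC=com",
                    "CN=Bob Contractor,OU=Contractors,DC=example,DC=com"]},
}


@dataclass
class LdapConfig:
    """The 'config user ldap' keys the post explains."""
    dn: str
    username: str
    password: str
    cnid: str
    group: str
    filter: str


def escape_filter_value(value):
    """RFC 4515 escaping: the typed login name is matched literally and
    cannot add wildcards or extra clauses to the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(filt):
    """Flatten '(&(a=v)(b=*))' or '(a=v)' into (attr, value) pairs that must
    all hold; a value of '*' means presence. Only what the post's filters need."""
    if filt.startswith("(&"):
        inner, pairs, depth, start = filt[2:-1], [], 0, 0
        for i, ch in enumerate(inner):
            if ch == "(":
                depth += 1
                if depth == 1:
                    start = i
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    pairs += parse_filter(inner[start:i + 1])
        return pairs
    attr, _, value = filt[1:-1].partition("=")
    return [(attr, value)]


def matches(entry, filt):
    for attr, value in parse_filter(filt):
        have = entry.get(attr)
        have = have if isinstance(have, list) else ([] if have is None else [have])
        if value == "*":
            if not have:
                return False
        elif unescape(value).lower() not in (h.lower() for h in have):
            return False
    return True


def in_subtree(dn, base):
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def simple_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search(base, filt):
    """Subtree search under base, returning the DNs that match filt."""
    return [dn for dn, e in DIRECTORY.items() if in_subtree(dn, base) and matches(e, filt)]


def authenticate(cfg, login, password):
    """Return (granted, reason); the steps mirror the post's explanation."""
    # 1. Bind as the service account: 'username' prepended to 'dn'.
    if not simple_bind(f"CN={cfg.username},{cfg.dn}", cfg.password):
        return False, "service bind failed"
    # 2. Search for the client under 'dn' by the 'cnid' attribute.
    hits = search(cfg.dn, f"({cfg.cnid}={escape_filter_value(login)})")
    if len(hits) != 1:
        return False, "user not found under dn"
    user_dn = hits[0]
    # 3. Bind as the found user to verify the password.
    if not simple_bind(user_dn, password):
        return False, "bad password"
    # 4. Run 'filter' against the group object and require membership.
    group = DIRECTORY.get(cfg.group, {})
    if not matches(group, cfg.filter):
        return False, "group object failed filter"
    if user_dn.lower() not in (m.lower() for m in group["member"]):
        return False, "not a member of group"
    return True, "ok"


CFG = LdapConfig(
    dn="OU=People,DC=example,DC=com", username="Fortigate", password="svc-secret",
    cnid="sAMAccountName", group="CN=VPN Users,OU=People,DC=example,DC=com",
    filter="(&(objectCategory=" + GROUP_CATEGORY + ")(member=*))")

if __name__ == "__main__":
    for login, pw in [("aholland", "alice-pw"), ("aholland", "nope"),
                      ("cstaff", "carol-pw"), ("bcontractor", "bob-pw"), ("*", "x")]:
        print(login, authenticate(CFG, login, pw))
```

The "bcontractor" case is the one to study: the account is a member of "VPN Users", yet step 2 never finds it because it lives in OU=Contractors, outside the configured "dn", so the result is the same denial the post warns about. Escaping the login name before it goes into the search filter keeps a value such as "*" from being read as a wildcard.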
laf
New Contributor II

Just make another LDAP user, and that's it. Also update to MR7 v3.0.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.
generaltab

Thanks, laf. I'm already running Fortigate-100 3.00-b0741 (MR7 Patch 5). I'm sorry, I'm not sure what you mean. Should lines 1 & 2 be something like this, instead?

    config user ldap
        edit "<ad-ldap>"
laf
New Contributor II

This is getting annoying, you know? First of all, use the Later Edit BUTTON, as you already spammed this thread. Second, don't use brackets!

    edit ldap1
    edit <ldap1>   -- it is not correct

The most expensive and scarce resource for man is time, paradoxically, it's infinite.
generaltab

Ok, I got it, no brackets. I tested authenticating the Fortigate "user" with ldap and got this error:

    baxter # diagnose test authserver ldap ad_ldap Fortigate jk96gJ76
    authenticate 'Fortigate' against 'ad_ldap' failed!

However, testing a real user succeeds:

    baxter # diagnose test authserver ldap ad_ldap aholland 77jh23
    authenticate 'aholland' against 'ad_ldap' succeeded!

In the FortiGate's Web interface, under User > User Group, I have a group called "VPN_Clients" that previously contained local (FortiGate) users, and now I've added ad_ldap as a member, which certainly looks right, but still doesn't work. That is, I'm still unable to establish VPN for anyone other than local users.
laf
New Contributor II

Put the Fortigate user which has to authenticate the others in the VPN Users container from Aliquot-Users. P.S. I'm glad to see that you're using that LE button.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.
generaltab

Getting closer. Now everyone, including the Fortigate "user", succeeds the auth test, but still can't login via the Web portal, except as local users.
laf
New Contributor II

Ok, did you add the LDAP user to the SSL-VPN group? L.E. In order to test that the authentication really works, either you use it as Xauth for Forticlient users, or (this one is far easier): create a FW rule internal to wan1 and use authentication, this time with a Firewall group which contains the LDAP user. If it works, it means your auth is ok.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.
generaltab

Here are the commands I used to configure for LDAP:

    config user ldap
        edit "ad_ldap"
            set server "192.168.1.1"
            set cnid "sAMAccountName"
            set dn "OU=Aliquot-Users,DC=aliquot,DC=local"
            set type regular
            set username "Fortigate"
            set password jk96gJ76
            set group "CN=VPN Users,OU=Aliquot-Users,DC=aliquot,DC=local"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=aliquot,DC=local)(member=*))"
        next
    end

It wouldn't accept my entry for password with "ENC" preceding it, so I removed it. Is that causing trouble?

I've added ad_ldap to the SSL VPN user group under User > User Group in the Web interface. It's in the same group that the working local users are in.

I performed the firewall test for authentication. When I'm prompted to authenticate, I enter the Fortigate "user" or any of the real users and I'm told "authentication was successful", but I'm never redirected to the requested web site, or any subsequent sites I attempt. I'm temporarily bypassing my web proxy with a rule that allows everything, which follows the rule that requires firewall authentication.

Update: I didn't have NAT checked on the firewall auth rule. Now I authenticate successfully and get to the requested site, but initiating the SSL-VPN via the Web portal still fails.

Update: The SSL-VPN firewall rules were set to "Local" for User Authentication Method! LDAP auth seems to work now. Thanks for everyone's help.
rwpatterson
Valued Contributor III

You enter the password in clear text. The FGT will encrypt it in the config, and prepend it with the "ENC" you saw elsewhere.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rlord
New Contributor

Quick Note on Firmware Version v4.0.2,build0099,090407

The "User DN" must be in the following format: user@domain.com, not user as the example shows. Other than that this readme works 100%. Pay close attention to what S0crates, Jesús Cambera, and laf have said.

The following is my working config:

    config user ldap
        edit "SSL Admins Group"
            set server "192.168.10.10"   <-- IP address of my Active Directory Domain Controller
            set cnid "sAMAccountName"
            set dn "OU=Users,OU=remote,DC=company,DC=com"
            set type regular
            set username "fortigate@company.com"   <-- Must have @company.com on the username
            set password qwerty
            set group "CN=SSL-Admins,OU=Security Groups,OU=remote,DC=company,DC=com"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))"
        next
        edit "SSL Users Group"
            set server "192.168.10.10"   <-- IP address of my Active Directory Domain Controller
            set cnid "sAMAccountName"
            set dn "OU=Users,OU=remote,DC=company,DC=com"
            set type regular
            set username "fortigate@company.com"   <-- Must have @company.com on the username
            set password qwerty
            set group "CN=SSL-Users,OU=Security Groups,OU=remote,DC=company,DC=com"
            set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))"
        next
    end

Test using laf's example:

    diagnose test authserver ldap <server_name> <username> <password>
    diagnose test authserver ldap "SSL Admins Group" testUser qwerty   <-- no @company.com on the username

On the SSL VPN Client you only need the username without the @company.com to login.

Note: Do not test with a user that has a ( ? ) in the password.
2 x 310B v4.0,build0272,100331 (MR2) HA ( Active Passive )