Can you authenticate via an ldap user to the SSL web portal? Using 5.2.2 Forticlient. I just today set up the web portal, so something could definitely be misconfigured there. However, I created an SSL VPN Group, added the Domain Users group to it as a test from AD. Also created a local user called "test" and added it to that group. I can log in as 'test' but not as any user of AD.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
When you create your usergroup ensure that you have the ldap server configured under 'Remote groups' and that the correct AD group is selected.
You can always test your LDAP configuration and user credentials via the CLI using the diagnose test authserver ldap command.
fortigate # diagnose test authserver ldap ad-ldap myusername m4hp@ssw0rd
authenticate 'myusername' against 'ad-ldap' succeeded!
Group membership(s) - CN=sslusers,OU=Groups,DC=domain,DC=com
CN=Domain Users,CN=Users,DC=domain,DC=com
Yes, you can use LDAP groups/users for your SSLVPN logins.
First thing I would do is confirm that LDAP is configured correctly.
1. Ensure that the common name identifier you have configured maps to the username format you use for the SSL login.
2. When you click on Fetch DN you should be able to browse your LDAP structure
3. Test should show up as successful
When you create your usergroup ensure that you have the ldap server configured under 'Remote groups' and that the correct AD group is selected.
You can always test your LDAP configuration and user credentials via the CLI using the diagnose test authserver ldap command.
fortigate # diagnose test authserver ldap ad-ldap myusername m4hp@ssw0rd
authenticate 'myusername' against 'ad-ldap' succeeded!
Group membership(s) - CN=sslusers,OU=Groups,DC=domain,DC=com
CN=Domain Users,CN=Users,DC=domain,DC=com
ah-ha..
using your cli test, I realized that using my username would fail authentication, but if I use my Full Name i.e. "John Doe" ldap allowed me to login. Is that because im using CN as the Common Name Identifier?
How can you have a level of redundancy in the Windows Active Directory Authentication?
Under "Remote Groups" can I add a second AD Server and that second server would respond if the first server didn't?
Depends on how your environment is laid out.
Mike Pruett
I have mine setup for AD authentication. I am having an issue where adding my Domain Users are getting Permission Denied. However, my AD account, Administrator, all my test AD accounts can authenticate without issue. Doesn't matter what OU they are in.
In any case, here is my setup.
AD > Security Group > "SSL VPN Logins"
AD > New User > fortinet (used for LDAP Bind below).
Fortigate 100d > Authentication > LDAP Servers > Successfully configured my connection using my 'fortinet' user to authenticate. Test connection is successful.
Fortinet 100d > User > User Groups > New, "SSL VPN Sec Group".
[ul]Fortinet 100d > VPN > SSL > Settings > Authentication/Portal Mapping > Create New > Added the "SSL VPN Sec Group" for full access
Fortinet 100d > Policy and Objects > Policy > IPv4 > ssl.root - LAN > Added Source: *, Group: Added "SSL VPN Sec Group", Destination: Local LAN, Schedule: Always, Service: All, Accept.
My issue again is that Domain Administrator, my AD test accounts, my AD account all authenticate without issue. When I add another Domain User (that may already be logged into a Domain Computer somewhere) gets "Permission Denied". I am trying to narrow down when Domain Users receive rights from a Security Group (immediately or when they relogin. If the later, does being logged on an existing computer somewhere stop Security Group permissions being applied)?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.