I have successfully managed to configure FortiGate captive portal authentication through an OpenLDAP server on a 60D firewall.
Now the problem I am facing is that I made it to work with individual users that reside on the OpenLDAP server.
What I am trying to accomplish now is instead of having to add the LDAP users on FortiGate individually, I would like to have a group on the FortiGate that points to the same LDAP group and any users in that LDAP group to be able to go through the captive portal.
I have setup the group on both FortiGate and LDAP but when I am trying to login on the captive portal with a user account that belongs to that group on the LDAP, it says Authentication Failed.
Any ideas?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
default FGT LDAP server config looks for 'MemberOf' LDAP attribute to catch group membership. OpenLDAP usually do not have group membership presented in this LDAP attribute.
Pay attention to 'group-member-check' and 'member-attr' in config user ldap / <LDAP-server> settings
For example you can do following for usual OpenLDAP
set group-member-check group-object
set group-object-filter (&(objectclass=posixgroup)(memberuid=*))
Best regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello,
default FGT LDAP server config looks for 'MemberOf' LDAP attribute to catch group membership. OpenLDAP usually do not have group membership presented in this LDAP attribute.
Pay attention to 'group-member-check' and 'member-attr' in config user ldap / <LDAP-server> settings
For example you can do following for usual OpenLDAP
set group-member-check group-object
set group-object-filter (&(objectclass=posixgroup)(memberuid=*))
Best regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Thanks for the reply Tomas!
I have added the set group-member-check group-object & set group-object-filter (&(objectclass=posixgroup)(memberuid=*)) as suggested but it did not make a difference...
I have also changed set member-attr "MemberOf" to the corresponding LDAP group which in this case is "WiFi-Users" but still no authentication...
any other thoughs?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.