- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator LDAP auth and password change over SSL VPN
Hello guys!
I already implemented a solution with FortiGate and LDAP (via LDAPS) in which it's possible for users to change the password with the SSL VPN Client if it is expired so I hope there is an FortiAuthenticator solution.
config user ldap
edit <server_name>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
...
end
I'm searching for a solution in which the same is possible but the FortiGate isn't connected to an LDAP server but instead to an FortiAuthenticator via RADIUS (dynamic FortiToken Mobile assigning) which gets the User Information from the LDAP server (via LDAPS). I only found the Self Service Portal which provides this feature but this doesn't meet the customer expectations.
Do you have any experience with this? Thank you.
Kind Regards, Maximilian
Solved! Go to Solution.
- Labels:
-
5.0
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear xsilver_FTNT
I have the same situation as in this topic.
I have FAC (5.5.0) connected via LDAPS to AD.
FAC is Radius server to FGT (6.0.2) - MSCHAPv2.
SSL VPN users are connecting to FGT which takes credentials from FAC radius server (and FAC takes by LDAPS from AD).
Normal users with time valid password can establish vpn connect and everything works fine.
Users with expired password has to change their password, but instead of form to password change in FortiClient I have error about wrong credentials.
I know there should be displaye form to change password because when I used LDAP authentication on FGT (FGT connected to AD directly without FAC), it works.
As I said, I have wrong credentials error in FortiClient, but FAC is aware of need to change password because I see that in FAC logs:
1. Windows AD user authentication(mschap) with no token failed: user password change required
and from /debug logs:
1. Module-Failure-Message: mschap: External script says Must change password (0xc0000224)
2. Remote Windows AD user password reset required
3. Updated auth log 'tmp': Windows AD user authentication(mschap) with no token failed: user password change required
Do you know what may be a problem that I cannot change password in this setup? I would appreciate any help.
The problem is solved: I just had to set password-renewal in radius configuration on FGT...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Maxmilian
that should work for SSL VPN terminated on FGT as well.
If LDAP has for example set that user has to change password next logon, it should propagate to FAC and then via RADIUS challenge requests to the RADIUS client (FGT) and to actual client/user.
This should work since some 4.2.1 FAC and 5.4.4 FGT
RADIUS should be MSCHAPv2
and FAC to LDAP with Kerberos (Windows Active Directory Domain Authentication) or LDAPS
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear xsilver_FTNT
I have the same situation as in this topic.
I have FAC (5.5.0) connected via LDAPS to AD.
FAC is Radius server to FGT (6.0.2) - MSCHAPv2.
SSL VPN users are connecting to FGT which takes credentials from FAC radius server (and FAC takes by LDAPS from AD).
Normal users with time valid password can establish vpn connect and everything works fine.
Users with expired password has to change their password, but instead of form to password change in FortiClient I have error about wrong credentials.
I know there should be displaye form to change password because when I used LDAP authentication on FGT (FGT connected to AD directly without FAC), it works.
As I said, I have wrong credentials error in FortiClient, but FAC is aware of need to change password because I see that in FAC logs:
1. Windows AD user authentication(mschap) with no token failed: user password change required
and from /debug logs:
1. Module-Failure-Message: mschap: External script says Must change password (0xc0000224)
2. Remote Windows AD user password reset required
3. Updated auth log 'tmp': Windows AD user authentication(mschap) with no token failed: user password change required
Do you know what may be a problem that I cannot change password in this setup? I would appreciate any help.
The problem is solved: I just had to set password-renewal in radius configuration on FGT...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I can't connect via FAC - LDAPS to AD. I can't connect to FGT to radius server FAC with MSCAPv2. LDAP connection and default radius Authentication method is OK. Could you help me please?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey :).
Regarding Fortigate using MS-CHAPv2 with FortiAuthenticator, the Authenticator needs to be joined to the domain (you can enable this in the remote server > LDAP settings).
Regarding the LDAPS connection not working, this usually happens if FortiAuthenticator does not trust the LDAP server's certificate for some reason. Do you get any error messages when you try to browse LDAP with LDAPS enabled?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1- I joined the domain and i can see it running on monitor menu.
2- Yes When i browse i get error about certificate like that. I export domain root certificate and export on FAC. I selected the this certificate. But no way. What can i do?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If there is an intermediate certificate that actually signed the LDAP server cert, you might need to import and set that on FortiAuthenticator instead of the domain root certificate; FortiAuthenticator can be a bit finicky about that.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you were right. was using a different certificate. this problem is solved. I was able to connect with ldaps without any problems. another problem I have is MS-CHAP- V2. I cannot make Radius connection between Fortigate firewall and FAC with MS-CHAP-v2. Actually connection status shows successful but not working. What should I pay attention to?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If FortiAuthenticator is joined to the domain - have you enabled Windows AD authentication in the RADIUS policy? that also needs to be toggled on for MS-CHAPv2 to work.
If both are in place (domain join and WinAD auth enabled in RADIUS policy) I would suggest looking at FortiAuthenticator logs under Logging section, and RADIUS debug under https://<FAC>/debug/radius
Either should provide additional detail as to why MS-CHAPv2 might be failing
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I joined the domain and there is no problem. but where should I check in the policy for windows name domain authanticate, could you send screenshot?