Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
deny_all
New Contributor

Port only for LDAP Authentication

I see that FortiGate requires certificates for secure LDAP. I do not want to introduce certificates on my domain. Is it possible to setup a port just for LDAP (unsecure) authentication for users logging into an SSL VPN and have a different port be for the internal network for the VPN?

5 REPLIES 5
emnoc
Esteemed Contributor III

Not following you. Let's  back up  a little since what you stated is NOT correct

 

I see that FortiGate requires certificates for secure LDAP

 

In correct, you can  configure a LDAPS server and the fortigate  can query against that LDAPS server ( 636 )  and does NOT need a client_certificate

 

So if you have a LDAPS server today and want to query it, just enable LDAPS in the config  user ldap  settings and  be done with it.

 

e.g

 

config user ldap

edit LDAP1

    set port 636

end

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
deny_all
New Contributor

emnoc wrote:

Not following you. Let's  back up  a little since what you stated is NOT correct

 

I see that FortiGate requires certificates for secure LDAP

 

In correct, you can  configure a LDAPS server and the fortigate  can query against that LDAPS server ( 636 )  and does NOT need a client_certificate

 

So if you have a LDAPS server today and want to query it, just enable LDAPS in the config  user ldap  settings and  be done with it.

 

e.g

 

config user ldap

edit LDAP1

    set port 636

end

 

All of the docs that I've read have mentioned exporting a certificate from a domain controller and importing it into the FortiGate to get LDAPS working. In the GUI, when I enable secure connection on the LDAP server setup page, leave the certificate drop down empty, save the config and then test the connection, the test fails. Is the command line configuration that you mentioned different than what I've done?

emnoc
Esteemed Contributor III

Again; You do NOT need to   import a certificate for  LDAPS.

 

login via cli

 

do a  "show full  user ldap" review the settings, review that the right port is enabled?  Ensure that the  ldap_client ( fgt ) is configured correct.  Run cli cmd  diag system sniffer any "port 636" and look for layer4 esatblishments

 

 

reference  my jumpcloud   post from a previous deployment

 

http://socpuppet.blogspot.com/2017/03/jump-cloud-ldap-with-fortigate-for-user.html

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
deny_all
New Contributor

emnoc wrote:

Again; You do NOT need to   import a certificate for  LDAPS.

 

login via cli

 

do a  "show full  user ldap" review the settings, review that the right port is enabled?  Ensure that the  ldap_client ( fgt ) is configured correct.  Run cli cmd  diag system sniffer any "port 636" and look for layer4 esatblishments

 

 

reference  my jumpcloud   post from a previous deployment

 

http://socpuppet.blogspot.com/2017/03/jump-cloud-ldap-with-fortigate-for-user.html

 

It appears our DC isn't setup for LDAPS. We have other non-Windows appliances that are doing secure Windows authentication so I guess they're not using LDAPS? I'll need to dig on that though. Having said that, I'll see if I can explain my initial question a bit more clearly. Is the following scenario possible to configure on the FortiGate:

 

Public interface to access the VPN (already done)

Private interface for the VPN to access the internal network (already done)

Third interface for just LDAP communication to domain controller (not done)

 

Basically, if I accept having unsecured LDAP communication, can I keep that separate from the internal interface for the VPN? My goal is so people logged into the VPN can't sniff the LDAP traffic and grab the plain text credentials.

emnoc
Esteemed Contributor III

firewall policy ultimately give   access, so just make sure the clients are secured from  firewall-policy. Since the fortigate is the AUTH-CLIENT and the   MS-AD-COntrollers are your authenticator sources,  restrict that traffic just between the two ( e.g fwpolicy,  physical/logic, separation, etc.....)

 

But yes , LDAPS encrypts all traffic between the two. If your really paranoid enable radius NPS and use radius. The challenge is always encrypted by the  radius-shared-secret.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors