I see that FortiGate requires certificates for secure LDAP. I do not want to introduce certificates on my domain. Is it possible to setup a port just for LDAP (unsecure) authentication for users logging into an SSL VPN and have a different port be for the internal network for the VPN?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Not following you. Let's back up a little since what you stated is NOT correct
I see that FortiGate requires certificates for secure LDAP
In correct, you can configure a LDAPS server and the fortigate can query against that LDAPS server ( 636 ) and does NOT need a client_certificate
So if you have a LDAPS server today and want to query it, just enable LDAPS in the config user ldap settings and be done with it.
e.g
config user ldap
edit LDAP1
set port 636
end
PCNSE
NSE
StrongSwan
emnoc wrote:All of the docs that I've read have mentioned exporting a certificate from a domain controller and importing it into the FortiGate to get LDAPS working. In the GUI, when I enable secure connection on the LDAP server setup page, leave the certificate drop down empty, save the config and then test the connection, the test fails. Is the command line configuration that you mentioned different than what I've done?Not following you. Let's back up a little since what you stated is NOT correct
I see that FortiGate requires certificates for secure LDAP
In correct, you can configure a LDAPS server and the fortigate can query against that LDAPS server ( 636 ) and does NOT need a client_certificate
So if you have a LDAPS server today and want to query it, just enable LDAPS in the config user ldap settings and be done with it.
e.g
config user ldap
edit LDAP1
set port 636
end
Again; You do NOT need to import a certificate for LDAPS.
login via cli
do a "show full user ldap" review the settings, review that the right port is enabled? Ensure that the ldap_client ( fgt ) is configured correct. Run cli cmd diag system sniffer any "port 636" and look for layer4 esatblishments
reference my jumpcloud post from a previous deployment
http://socpuppet.blogspot.com/2017/03/jump-cloud-ldap-with-fortigate-for-user.html
PCNSE
NSE
StrongSwan
emnoc wrote:It appears our DC isn't setup for LDAPS. We have other non-Windows appliances that are doing secure Windows authentication so I guess they're not using LDAPS? I'll need to dig on that though. Having said that, I'll see if I can explain my initial question a bit more clearly. Is the following scenario possible to configure on the FortiGate:Again; You do NOT need to import a certificate for LDAPS.
login via cli
do a "show full user ldap" review the settings, review that the right port is enabled? Ensure that the ldap_client ( fgt ) is configured correct. Run cli cmd diag system sniffer any "port 636" and look for layer4 esatblishments
reference my jumpcloud post from a previous deployment
http://socpuppet.blogspot.com/2017/03/jump-cloud-ldap-with-fortigate-for-user.html
Public interface to access the VPN (already done)
Private interface for the VPN to access the internal network (already done)
Third interface for just LDAP communication to domain controller (not done)
Basically, if I accept having unsecured LDAP communication, can I keep that separate from the internal interface for the VPN? My goal is so people logged into the VPN can't sniff the LDAP traffic and grab the plain text credentials.
firewall policy ultimately give access, so just make sure the clients are secured from firewall-policy. Since the fortigate is the AUTH-CLIENT and the MS-AD-COntrollers are your authenticator sources, restrict that traffic just between the two ( e.g fwpolicy, physical/logic, separation, etc.....)
But yes , LDAPS encrypts all traffic between the two. If your really paranoid enable radius NPS and use radius. The challenge is always encrypted by the radius-shared-secret.
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.