- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Port only for LDAP Authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Port only for LDAP Authentication
I see that FortiGate requires certificates for secure LDAP. I do not want to introduce certificates on my domain. Is it possible to setup a port just for LDAP (unsecure) authentication for users logging into an SSL VPN and have a different port be for the internal network for the VPN?
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not following you. Let's back up a little since what you stated is NOT correct
I see that FortiGate requires certificates for secure LDAP
In correct, you can configure a LDAPS server and the fortigate can query against that LDAPS server ( 636 ) and does NOT need a client_certificate
So if you have a LDAPS server today and want to query it, just enable LDAPS in the config user ldap settings and be done with it.
e.g
config user ldap
edit LDAP1
set port 636
end
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:All of the docs that I've read have mentioned exporting a certificate from a domain controller and importing it into the FortiGate to get LDAPS working. In the GUI, when I enable secure connection on the LDAP server setup page, leave the certificate drop down empty, save the config and then test the connection, the test fails. Is the command line configuration that you mentioned different than what I've done?Not following you. Let's back up a little since what you stated is NOT correct
I see that FortiGate requires certificates for secure LDAP
In correct, you can configure a LDAPS server and the fortigate can query against that LDAPS server ( 636 ) and does NOT need a client_certificate
So if you have a LDAPS server today and want to query it, just enable LDAPS in the config user ldap settings and be done with it.
e.g
config user ldap
edit LDAP1
set port 636
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again; You do NOT need to import a certificate for LDAPS.
login via cli
do a "show full user ldap" review the settings, review that the right port is enabled? Ensure that the ldap_client ( fgt ) is configured correct. Run cli cmd diag system sniffer any "port 636" and look for layer4 esatblishments
reference my jumpcloud post from a previous deployment
http://socpuppet.blogspot.com/2017/03/jump-cloud-ldap-with-fortigate-for-user.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:It appears our DC isn't setup for LDAPS. We have other non-Windows appliances that are doing secure Windows authentication so I guess they're not using LDAPS? I'll need to dig on that though. Having said that, I'll see if I can explain my initial question a bit more clearly. Is the following scenario possible to configure on the FortiGate:Again; You do NOT need to import a certificate for LDAPS.
login via cli
do a "show full user ldap" review the settings, review that the right port is enabled? Ensure that the ldap_client ( fgt ) is configured correct. Run cli cmd diag system sniffer any "port 636" and look for layer4 esatblishments
reference my jumpcloud post from a previous deployment
http://socpuppet.blogspot.com/2017/03/jump-cloud-ldap-with-fortigate-for-user.html
Public interface to access the VPN (already done)
Private interface for the VPN to access the internal network (already done)
Third interface for just LDAP communication to domain controller (not done)
Basically, if I accept having unsecured LDAP communication, can I keep that separate from the internal interface for the VPN? My goal is so people logged into the VPN can't sniff the LDAP traffic and grab the plain text credentials.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
firewall policy ultimately give access, so just make sure the clients are secured from firewall-policy. Since the fortigate is the AUTH-CLIENT and the MS-AD-COntrollers are your authenticator sources, restrict that traffic just between the two ( e.g fwpolicy, physical/logic, separation, etc.....)
But yes , LDAPS encrypts all traffic between the two. If your really paranoid enable radius NPS and use radius. The challenge is always encrypted by the radius-shared-secret.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
Labels
-
FortiGate
6,590 -
FortiClient
1,314 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.