regards
/ Abel
```
Company_Fortigate_~ # show user ldap
config user ldap
    edit "Company_LDAP_IT_Teknik"
        set server "IP.of.LDAP.Server"
        set cnid "sAMAccountName"
        set dn "DC=domain,DC=local"
        set type regular
        set username "CN=LdapAccount,CN=users,DC=domain,DC=local"
        set password ENC EncryptedPassword
        set filter "(&(objectcategory=user)(memberOf=CN=VPNUSERS,OU=Groups,OU=Company,DC=domain,DC=Local))"
    next
end
```

But all users, regardless of group membership, are permitted to log in - that should not be the case.
```
Company_Fortigate_~ # diag test auth ldap Company_LDAP_IT_Teknik administrator LongAndDifficultPasswordWhichHasBeenRemoved!
authenticate 'administrator' against 'Company_LDAP_IT_Teknik' succeeded!
```

Login through FortiClient works just fine as well. It appears to be exactly the same situation as referenced in this post: http://support.fortinet.com/forum/tm.asp?m=56998

I need to be able to
```
# set
group-type                 type of user group
sslvpn-tunnel              Enable/disable SSLVPN tunnel
sslvpn-tunnel-startip      Start IP in IP pool
sslvpn-tunnel-endip        End IP in IP pool
sslvpn-split-tunneling     Enable/disable SSLVPN split tunneling
sslvpn-webapp              Enable/disable SSLVPN web application
sslvpn-http                Enable/disable SSLVPN http/https proxy
sslvpn-telnet              Enable/disable SSLVPN telnet
sslvpn-ftp                 Enable/disable SSLVPN ftp
sslvpn-samba               Enable/disable SSLVPN SMB/CIFS
sslvpn-vnc                 Enable/disable SSLVPN vnc
sslvpn-rdp                 Enable/disable SSLVPN rdp
sslvpn-portal-heading      SSLVPN portal heading message
sslvpn-client-check        SSLVPN Client security checking
sslvpn-os-check            Enable/disable SSLVPN OS check
sslvpn-cache-cleaner       Enable/disable SSLVPN cache cleaner
sslvpn-bookmarks-group     SSLVPN bookmarks group
redir-url                  SSLVPN Client login redirect URL
member                     set group members
```

So both suggested options would appear to be unavailable in OS3MR6 :-( Gotta go talk to somebody about upgrading...

Sincerely,
Mikkel Andreasen
```
config user radius
    edit <server_name>
        set all-usergroup disable
        ...
        set server <primary_ip_address>
        set secret <primary_password>
        set use-group-for-profile <group_profile_select>
end
```

As you can define up to 10 RADIUS instances, you could bind up to 10 user groups to the same server. You'd have to experiment with this a bit, I guess.
```
Company_Fortigate_~ (LDAPSERVER) #
Company_Fortigate_~ (LDAPSERVER) # show
config user ldap
    edit "LDAPSERVER"
        set server "LDAPSERVER.DOMAIN.local"
        set cnid "sAMAccountName"
        set dn "OU=Company,DC=DOMAIN,DC=local"
        set type regular
        set username "ldapforti"
        set password ENC xXNEEZwa7UWa9j0EW8KnPplqfJ7blLDuj5y8xFFZOMSl8ZXEKaW1TzXVBeElUwpEV088Kc0Nhv3432430hLAEIs3Sn23v3PPPsG2LuG+XpE7td5ZqS87fL
        set group "CN=VPN-Company-Konsulent,OU=Company,DC=DOMAIN,DC=local"
        set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local)(member=*))"
    next
end
```

But no matter what user I attempt to authenticate with, I'm allowed access, regardless of group membership.

Looking at the Wireshark dumps I was puzzled by two things:

1. that the name of the group never appeared
2. all LDAP binds are of type "simple" as opposed to "regular"

In the beginning I had an error in the "set filter" line (wrong domain name), and all authentication was working just fine... I don't get it...

/mikkel
```
config user ldap
    edit "LDAP-COMPANY-Konsulent"
        set server "IP.ADDRESS.OF.DC"
        set cnid "sAMAccountName"
        set dn "DC=DOMAIN,dc=local"
        set type regular
        set username "CN=Ldapforti,OU=COMPANY,DC=DOMAIN,DC=local"
        set password ENCODEDPASSWORD
        set group "CN=VPNGROUP,OU=COMPANY,DC=DOMAIN,DC=local"
    next
end
```

Which I thought I had attempted several times, but apparently it took a while to finally nail down... live and learn. Thank you all for your assistance and patience!

/mikkel
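To see why the thread's two filters behave so differently, here is an added example (my own code, not FortiGate's logic or anything posted in this thread): a tiny evaluator for LDAP search filters (&, |, !, equality, presence) run over constructed directory entries with placeholder names. It shows that the memberOf filter admits only members of the configured group, that the objectCategory=...Group filter describes group objects and so never matches a user entry, and that a `set group` style check must compare DNs case-insensitively (the resolved config mixes `DC=` and `dc=`).

```python
# Added example, not FortiGate code: evaluate RFC 4515 style LDAP filters
# (&, |, !, equality, presence) over in-memory entries to see which users
# the filters from this thread would admit after a successful bind.

def parse(s, i=0):
    """Parse the parenthesised filter at s[i]; return (node, index after it)."""
    assert s[i] == "(", "filter items must be parenthesised"
    i += 1
    if s[i] in "&|!":                      # compound: (&(...)(...)), (|...), (!...)
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    j = s.index(")", i)                    # simple item: attr=value; value may contain '='
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence test, e.g. (member=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # AD DNs/names are case-insensitive

def in_group(entry, group_dn):
    """A 'set group' style check: is group_dn among the entry's memberOf values?"""
    return any(v.lower() == group_dn.lower() for v in entry.get("memberof", []))

# Constructed sample entries modelled on the thread's domain; names are placeholders.
DIRECTORY = [
    {"objectcategory": ["user"], "samaccountname": ["alice"],
     "memberof": ["CN=VPNUSERS,OU=Groups,OU=Company,DC=domain,DC=local"]},
    {"objectcategory": ["user"], "samaccountname": ["bob"], "memberof": []},
]
MEMBER_FILTER = "(&(objectcategory=user)(memberOf=CN=VPNUSERS,OU=Groups,OU=Company,DC=domain,DC=Local))"
GROUP_FILTER = "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local)(member=*))"

def allowed_users(filter_str):
    """sAMAccountNames of the entries the filter admits."""
    node, _ = parse(filter_str)
    return sorted(e["samaccountname"][0] for e in DIRECTORY if matches(node, e))
```

`allowed_users(MEMBER_FILTER)` yields only `alice`, while `allowed_users(GROUP_FILTER)` yields nobody, since that filter only ever describes group objects.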
Copyright 2024 Fortinet, Inc. All Rights Reserved.