Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: SSL VPN with LDAP and AD security groups
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN with LDAP and AD security groups
New Fortigate 200B user here. We' re running 4.00 MR2. Have just gone through the setup process for an SSL VPN portal and its functioning fine. We are using LDAP authentication ... BUT ...
What we would like to do is place users in security groups in AD and have the SSL VPN authenticate on the basis of group membership. We tried for a couple of hours to get this to work, but unsuccessfully. In the end we had to settle for allowing VPN access for a whole OU. This is okay as a temporary measure, but it just doesn' t work with our AD structure.
Q1. is it possible to have SSL VPN LDAP authentication on the basis of AD security group membership?
Q2. if it is possible, is there a ' trick' to the config to make this work?
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using LDAP authentication with SSL-VPN on 4.0MR2. The way I have it, it' s a couple of steps:
1. In User->Remote->LDAP I query the OU, e.g., CN=Builtin,dc=example,dc=local
2. In User-User Group-User Group when you make the Firewall group to allow SSL-VPN access, you click Add for Remote authentication, select the LDAP server you created in step 1. Then there is a Group Name column which allows you to use a query to restrict access based on group membership. You use a Common Name Identifier to do so: e.g., cn=VPN Access Users,OU=Builtin,DC=example,DC=local.
Hope this helps. I barely understand LDAP but I know this works. I have two LDAP server entries configured to check a common VPN user group against two different OUs.
* The above example results in users logging in with their full name.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' ll have another look at that as soon as I can. Do you have your security group in the same OU as the user objects? My AD OU structure looks like this:
COMPANY-SecurityGroups
-- Departments
---- Dept1
---- Dept 2
-- Firewall
-- Workflows
---- Workflow1
---- etc
COMPANY-Users
-- Head Office
---- Level 1
------ Dept1
------ Dept1
---- Level 2
---- etc
So the user objects live somewhere under COMPANY-Users and the security groups they belong to live under COMPANY-SecurityGroups.
EDIT: when I browse the LDAP structure from within the firewall, I can browse down to the Firewall OU under COMPANY-SecurityGroups, but it says " 0 objects" .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your setup is a lot more complicated than mine! However, I *think* it can still work, because the Remote LDAP you create calls the OU, and then you do an independent call against that same server to find a group associated with a member of that OU.
This exhausts my knowledge of LDAP and AD scripting though, so I can' t contribute anymore help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
only hinting:
- to query for user groups you need a dedicated LDAP account to which the FG authenticates first; then using these credentials it is able to search the tree
- please do a search on " LDAP" on all forums here, there have been several discussions lately on this subject.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m making some progress. I think my problem is likely two-fold. Things I need to test:
(1) the special user account I set up for LDAP searching from the Fortigate was a Schema Admin but not a Domain Admin, so I can change that; and
(2) this KB article (http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD32359) describes using a special filter (&(objectcategory=group)(member=*))
I' ve been stuck fixing SSL VPN issues the past 48 hours, and the next couple of days I' m working on our DR plan ... as soon as I have that sorted I will get back to this and see if I can sort it out.
Thanks for the help so far, much appreciated!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hola!
I had a problem when try to upgrade from 4.1.x to 4.2.2 with the LDAP servers. We had to upgrade because in 4.1.x we have only up to 10 LDAP server so up to 10 diferent groups and the customer want to configure more than 20 groups. In 4.2.2 we have create only a LDAP server and up to 100 user groups.
Here you have to be spetial careful with the LDAP server user access priv. of the user because this user have to " see" the " memberof" attribute of each user that will use the auth access.
I hope this help you.
BR,
Juan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to post something detailed about how we got this working, but it timed out and the post was lost. Too much typing to do it again!
If someone wants to email or PM me, I would be happy to send them some screen caps from our firewall config which show how we set it up.
In summary though, the key was to:
(a) set up AD user account with AD Schema query rights;
(b) set up working LDAP connector at top level of our AD tree (see User, Remote, LDAP) which looks for " sAMAccountName" as Common Name Identifier;
(c) set up User Group of type Firewall, which allows SSL-VPN Access (tickbox) and which connects to the LDAP server (see Remote Server section at bottom of page) and which uses Specify with the name of the security group which holds the list of user accounts you want to give access to (the name is the AD name of the security group: e.g. CN=groupname,OU=myOU,OU=etc)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a document entitled " SSL VPN authentication by Security Group using LDAP on Fortigate Firewall Appliances with 4.0 MR2" which is dated Dec 25 2010 ... our firewall consultant kindly gave me a printed copy ... this document can be viewed here:
http://network-security-software.biz/software/ssl-vpn-authentication-by-security-group-using-ldap-on-fortigate-firewall-appliances-with-4-0-mr2.html
That' s a step-by-step on setting it up.
Labels
-
FortiGate
10,803 -
FortiClient
2,214 -
FortiManager
905 -
FortiAnalyzer
690 -
5.2
687 -
5.4
638 -
FortiSwitch
597 -
FortiClient EMS
585 -
FortiAP
568 -
IPsec
445 -
6.0
416 -
SSL-VPN
394 -
FortiMail
380 -
5.6
362 -
FortiNAC
299 -
FortiWeb
258 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
206 -
FortiAuthenticator
186 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
120 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
SAML
78 -
Routing
78 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
43 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2727 | |
| 1416 | |
| 810 | |
| 738 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.