Hello!
I'm looking for the best way to migrate the VPN service for remote users to FortiGate. All remote users have been added to a special group in AD. I have several domain controllers in three sites.
It makes no difference to me whether I use L2TP, FortiClient SSL or FortiClient IPsec.
The first problem I've found: MS-CHAPv2 is required to change a password in AD.
The second problem: two LDAP servers can't be added to a VPN policy to validate the remote-access permission. So the VPN is not working at all if I have several domain controllers and one of them is in maintenance.
The third problem: FSSO user groups cannot have remote VPN access.
The fourth problem: L2TP can use only PAP with LDAP authentication.
The fifth problem: if I use RADIUS, how shall I create users in firewall policies later to permit traffic?
So what is the best practice to implement remote VPN access for one AD user group?
FortiGate 300D, FortiOS 5.6
I have a comment on the client side or the protocol. Depending on where remote users are connecting from, I have found some public/hotel WiFi Internet connections that were blocking IPsec. L2TP is not encrypted. So SSL VPN over TCP seems to be the best option if those are concerns.
Quoting the first post:
The first problem I've found: MS-CHAPv2 is required to change a password in AS.
The second problem: two LDAP servers can't be added to a VPN policy to validate the remote-access permission. So the VPN is not working at all if I have several domain controllers and one of them is in maintenance.
The third problem: FSSO user groups cannot have remote VPN access.
The fourth problem: L2TP can use only PAP with LDAP authentication.
The fifth problem: if I use RADIUS, how shall I create users in firewall policies later to permit traffic?
#1 What is "AS"?
#2 That's incorrect; you apply the ldap-server in a group.
#3 Not sure about that one. FSSO should not control a user's VPN availability. Can you explain what you mean by that?
#4 That might be correct, but I believe I've used L2TP/IPsec with MS-CHAP.
#5 This makes no sense. The firewall policy will have the group defined, and that user group will have the LDAP authentication set.
e.g. (an SSL VPN policy; the group members and the match entries refer to the same two LDAP server objects):
    config firewall policy
        edit 5
            set srcintf "ssl.root"
            set dstintf "lan"
            set srcaddr "remote_all"
            set dstaddr "Internal01" "Internal02"
            set action accept
            set schedule "always"
            set service "COMMON1" "ALL_DC" "ALL_SAT_SRVCS"
            set groups "GROUP01"
        next
    end
    config user group
        edit "GROUP01"
            set member "SERVER10" "SERVER20"
            config match
                edit 1
                    set server-name "SERVER10"
                    set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
                next
                edit 2
                    set server-name "SERVER20"
                    set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
                next
            end
        next
    end
PCNSE
NSE
StrongSwan
emnoc wrote: #1 What is "AS"?
Sorry, AD. I've edited the first post already.
emnoc wrote: #2 That's incorrect; you apply the ldap-server in a group.
I haven't found how several ldap-servers can be added to one group. The only way I've found is to create firewall user groups and add each AD group several times, once via each ldap-server.
emnoc wrote: #3 Not sure about that one. FSSO should not control a user's VPN availability. Can you explain what you mean by that?
When FSSO is being configured, you can add several FSSO agents to ONE FortiGate FSSO object. It could be a nice alternative to LDAP.
emnoc wrote: #4 That might be correct, but I believe I've used L2TP/IPsec with MS-CHAP.
Please read the manual, page 95:
http://docs.fortinet.com/...-authentication-56.pdf
"For PPTP, L2TP, and IPsec VPN, CHAP is not supported for LDAP."
emnoc wrote: #5 This makes no sense. The firewall policy will have the group defined, and that user group will have the LDAP authentication set.
Do you mean using LDAP user groups in firewall policies and something else in the VPN? I don't think that is convenient.
#2 For a group with several ldap-servers, if that's what you're asking, it should be as simple as the following, using two named LDAP server entries, LDAPAD1 and LDAPAD2:
    config user group
        edit "LDAPGR"
            set member "LDAPAD1" "LDAPAD2"
        next
    end
#4 I didn't realize that CHAP is not allowed for LDAP, but it makes sense since it's a challenge authentication protocol.
#5 Provide your configuration showing what you're trying to do.
And lastly for #3: FSSO uses MS-AD information, so I'm not sure what you mean by LDAP, since the group you define for single sign-on is an "FSSO" group type:
    set group-type fsso-service
The default is a "firewall" group, which is what you use in firewall policies, by the way.
PCNSE
NSE
StrongSwan
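Putting the pieces from this thread together into one configuration, as an added example that is not taken from any of the posts above: two LDAP server objects (one per site, each with a secondary-server so a single DC in maintenance does not take the VPN down), a firewall group that matches the same AD group through either server, an SSL VPN authentication rule, and the firewall policy that references the group. Server addresses, interface names, the address object "SSLVPN_TUNNEL_ADDR1", the bind account DN and the group DN are placeholders I chose; check the option names against the 5.6 CLI reference before pasting. Because LDAP can only verify PAP (the FortiGate needs the cleartext password to bind), the LDAP sessions themselves are put on LDAPS so the password is not relayed to the DC in the clear.

```fortios
# Added example, not from the original posts. Names and addresses are placeholders.
# One LDAP object per site; secondary-server gives failover inside each object,
# and the group below tries both objects, so one DC in maintenance is survivable.
config user ldap
    edit "LDAPAD1"
        set server "10.1.0.10"
        set secondary-server "10.1.0.11"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,CN=Users,DC=example,DC=com"
        set password "ChangeMe"
        set secure ldaps
        set port 636
    next
    edit "LDAPAD2"
        set server "10.2.0.10"
        set secondary-server "10.3.0.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,CN=Users,DC=example,DC=com"
        set password "ChangeMe"
        set secure ldaps
        set port 636
    next
end

# Firewall group (default group-type "firewall", the type firewall policies accept).
# The match entries restrict the group to members of one AD group, whichever server answers.
config user group
    edit "GROUP01"
        set member "LDAPAD1" "LDAPAD2"
        config match
            edit 1
                set server-name "LDAPAD1"
                set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
            next
            edit 2
                set server-name "LDAPAD2"
                set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
            next
        end
    next
end

# SSL VPN: only GROUP01 gets the tunnel portal. Replace the factory certificate
# with one issued by a CA your clients trust before exposing this to the Internet.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "GROUP01"
            set portal "full-access"
        next
    end
end

# Policy: traffic from the tunnel to the LAN is allowed only for authenticated GROUP01 members.
config firewall policy
    edit 5
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal01" "Internal02"
        set action accept
        set schedule "always"
        set service "ALL_DC" "COMMON1"
        set groups "GROUP01"
        set logtraffic all
    next
end
```

To test the failover case, run `diagnose test authserver ldap LDAPAD1 <user> <password>` with the primary DC of that object stopped; the query should still succeed through the secondary server, and a user outside the RemoteWarrier group should authenticate against the server but not match GROUP01.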