Support Forum
Roman_Trenev
New Contributor

VPN with LDAP authentication

Hello!

I'm looking for the best migration VPN service for remote users to FortiGate. All remote users have been added to a special group in AD. I have several domain controllers in three sites.

It makes no difference to me whether I use L2TP, FortiClient SSL or FortiClient IPsec.

The first problem I've found: MS-CHAPv2 is required to change the password in AD.

The second problem: two LDAP servers can't be added to a VPN policy to validate permission for remote access. So the VPN is not working at all if I have several domain controllers and one is in maintenance.

The third problem: FSSO user groups cannot have remote VPN access.

The 4th problem: L2TP can use PAP only with LDAP authentication.

The 5th problem: if I use RADIUS, how shall I create users in firewall policies later to permit traffic?

So what is the best practice to implement remote VPN access for one AD user group?

FortiGate 300D, 5.6

Toshi_Esumi
SuperUser

I have a comment on the client side or the protocol. Depending on where remote users are connecting from, I found that some public/hotel WiFi internet connections were blocking IPsec. L2TP is not encrypted. So SSL VPN over TCP seems to be the best option if those are concerns.

emnoc
Esteemed Contributor III

Roman_Trenev wrote:

The first problem I've found - MS-CHAPv2 is required to change password in AS

The second problem - two LDAP servers can't be added to VPN policy to validate permission of remote access. So VPN is not working at all if I have several domain controllers and one is in maintenance.

The third problem - FSSO user group cannot have remote VPN access

The 4th problem - L2TP can use PAP only with LDAP authentication

The 5th problem - if I use RADIUS - how shall I create users in firewall policies later to permit traffic?

#1 What is "AS"?

#2 That's incorrect; you apply the LDAP server in a group.

#3 Not sure about that one. FSSO should not control a user's VPN availability; can you explain what you mean by that?

#4 That might be correct, but I believe I've used L2TP/IPsec with MS-CHAP.

#5 This makes no sense; the firewall policy will have the group defined, and that user group will have the LDAP authentication set.

e.g. (an SSL VPN policy):

    config firewall policy
        edit 5
            set srcintf "ssl.root"
            set dstintf "lan"
            set srcaddr "remote_all"
            set dstaddr "Internal01" "Internal02"
            set action accept
            set schedule "always"
            set service "COMMON1" "ALL_DC" "ALL_SAT_SRVCS"
            set groups "GROUP01"
        next
    end
    config user group
        edit "GROUP01"
            # both LDAP servers referenced by the match entries must be members
            set member "SERVER10" "SERVER20"
            config match
                edit 1
                    set server-name "SERVER10"
                    set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
                next
                edit 2
                    set server-name "SERVER20"
                    set group-name "CN=RemoteWarrier,CN=Users,DC=example,DC=com"
                next
            end
        next
    end

PCNSE NSE StrongSwan
Roman_Trenev

emnoc wrote:

#1 What is "AS"?

Sorry, AD. I've edited the 1st post already.

emnoc wrote:

#2 That's incorrect; you apply the LDAP server in a group.

I haven't found how several LDAP servers can be added to one group. The one way I've found is to create a firewall user group and add each AD group several times, once via each LDAP server.

emnoc wrote:

#3 Not sure about that one. FSSO should not control a user's VPN availability; can you explain what you mean by that?

When FSSO is being configured you can add several FSSO agents to ONE FortiGate FSSO object. It could be a nice alternative to using LDAP (

emnoc wrote:

#4 That might be correct, but I believe I've used L2TP/IPsec with MS-CHAP.

Please read the manual, page 95

http://docs.fortinet.com/...-authentication-56.pdf

For PPTP, L2TP, and IPsec VPN, CHAP is not supported for LDAP.

emnoc wrote:

#5 This makes no sense; the firewall policy will have the group defined, and that user group will have the LDAP authentication set.

Do you mean to use LDAP user groups in FW policies and anything else in VPN? I don't think it's convenient (

emnoc
Esteemed Contributor III

#2

For group LDAP servers, if that's what you're asking, that should be as simple as the following, using two named LDAP server entries, LDAPAD1 and LDAPAD2:

    config user group
        edit "LDAPGR"
            set member "LDAPAD1" "LDAPAD2"
        next
    end

For


#4 I didn't realize that CHAP is not allowed for LDAP, but it makes sense since it's a challenge auth protocol.

#5 Provide your configuration on what you're trying to do.

And lastly for #3, FSSO uses MS-AD information, so I'm not sure what you mean by LDAP, since the group you define for single sign-on is an "FSSO" group type:

    set group-type fsso-service

The default is a "firewall" group, which is what you use in firewall policies, btw.

PCNSE NSE StrongSwan