Hello everyone,
I would like to perform authentication in a WiFi WPA2 Enterprise environment, not with a RADIUS server but directly against an LDAP server (an OpenLDAP).
I created a local group with the LDAP server, but it is not working. An article from 2011 said that this was impossible because of the WPA2 Enterprise protocol with Windows AD LDAP, but that it worked for OpenLDAP ( https://community.fortinet.com/t5/FortiAP/Technical-Tip-FortiOS-LDAP-and-WiFi-WPA-WPA2-enterprise-se... )
I have another SSID that works with Windows AD LDAP, but through a RADIUS server installed as a Network Policy Server on a Windows Server.
I also have a FortiAuthenticator, and I use it to perform authentication through a RADIUS server (FAC) and the LDAP, but that is also not working.
Does anyone have any idea?
Thank you guys
Fabio
Hi Fabio,
I assume the FortiGate is directly talking to the LDAP to authenticate the users, is that right? (i.e. this is not going through FAC)
If so, which authentication method are the wireless clients configured to use? Realistically speaking, only EAP-TTLS with PAP inside is expected to work (try it if you haven't yet! :) ).
MSCHAPv2-based methods, such as EAP-PEAP, are unlikely to work, since they require the LDAP server to be willing to give the user's plaintext password, or its NT hash, to the FortiGate (this is the limitation the KB article you linked alludes to). MS AD LDAP is known to never allow this under any circumstances, and I would hope that your OpenLDAP variant is also not willing to give out such sensitive information.
Thank you pminarik,
I didn't try EAP-TTLS with PAP; normally I tried with the default method, EAP-PEAP. Tomorrow I will try :) I hope it works. My only problem is with iPhone iOS, as I don't know if I can change from MSCHAPv2 to PAP. We will see.
Fabio
Hi Pminarik,
yes, with Windows devices it WORKS, but for other devices like Mac, iPhone and iOS in general, the EAP-TTLS PAP authentication method is not available.
:(
Then I'm afraid you've hit a crossroads.
You can either try to figure out how to force those Apple clients to request EAP-TTLS(PAP) (seems like some MDM settings do exist for it), or you will have to go back to RADIUS and EAP-PEAP(MSCHAPv2).
As far as FortiAuthenticator goes, it by default has the exact same limitation. When utilizing a general remote LDAP server as the user back-end, only EAP-TTLS(PAP) is assured to work.
It can support MSCHAPv2 (~> PEAP), but this is implemented by joining the FAC to the Windows AD domain (so unlikely to be relevant to your OpenLDAP environment), which allows it to verify the MSCHAPv2 credentials provided by the supplicant through SMB-based communication to the domain controller.
The crux of the issue is that the LDAP protocol does not support MSCHAPv2 authentication. As a consequence any originally EAP or RADIUS authentication that then proxies further to LDAP has to deal with, or avoid, this limitation in one way or another, as it is not possible to translate the MSCHAPv2 payloads into a usable LDAP bindRequest.
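To make the point from the two replies above concrete (PAP proxies cleanly to an LDAP bind, MSCHAPv2 does not), here is an added example that is not part of the thread and not Fortinet code. The LDAP server, the "hash source" standing in for FAC's domain-joined SMB verification, the DN and the passwords are all constructed for the demo. The NT hash is the real MD4-over-UTF-16LE construction and the ChallengeHash follows RFC 2759, but the NT-Response step is modelled with HMAC-SHA1 instead of RFC 2759's three DES operations; that substitution does not change the conclusion, which is that whoever verifies an MSCHAPv2 response must already hold the NT hash (or the password), and a bindRequest offers neither.

```python
"""Why an EAP/RADIUS front end can proxy PAP, but not MSCHAPv2, to an LDAP bind.

Added example (not from the thread or from Fortinet). MockOpenLdap, the hash
source, DNs and passwords are constructed stand-ins. md4/nt_hash are real;
nt_response uses HMAC-SHA1 in place of RFC 2759's DES-based ChallengeResponse.
"""
import hashlib
import hmac
import os
import struct


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3 builds."""
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (boolean function, message-word order, shift table, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rol((a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what MSCHAPv2 verification needs."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def nt_response(nt_hash_value: bytes, challenge8: bytes) -> bytes:
    # Stand-in for RFC 2759 ChallengeResponse (three DES ops keyed from the NT hash).
    return hmac.new(nt_hash_value, challenge8, hashlib.sha1).digest()


class MockOpenLdap:
    """Constructed stand-in: stores salted SHA-1 ({SSHA}-style), answers only a simple bind."""

    def __init__(self, users: dict):
        self._entries = {}
        for dn, pw in users.items():
            salt = os.urandom(4)
            self._entries[dn] = (salt, hashlib.sha1(pw.encode() + salt).digest())

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn not in self._entries:
            return False
        salt, digest = self._entries[dn]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class RadiusFrontEnd:
    """The FortiGate/RADIUS role: receives EAP inner-method data, consults a back end."""

    def __init__(self, ldap: MockOpenLdap, hash_source: dict = None):
        self.ldap, self.hash_source = ldap, hash_source  # hash_source models FAC's AD join

    def authenticate_pap(self, dn: str, password: str) -> bool:
        # EAP-TTLS/PAP: the inner tunnel carries the plaintext, so a bindRequest is possible.
        return self.ldap.simple_bind(dn, password)

    def authenticate_mschapv2(self, dn, username, peer_ch, auth_ch, response) -> bool:
        # EAP-PEAP/MSCHAPv2: only challenges and a keyed response arrive. Checking it needs
        # the NT hash; LDAP only answers "does this password bind?", so there is nothing to bind with.
        if self.hash_source is None:
            raise NotImplementedError("MSCHAPv2 cannot be verified against an LDAP bind alone")
        expected = nt_response(self.hash_source[dn], challenge_hash(peer_ch, auth_ch, username))
        return hmac.compare_digest(expected, response)


def supplicant_mschapv2(username: str, password: str, auth_ch: bytes):
    """Client side: picks a peer challenge and answers with its own NT hash."""
    peer_ch = os.urandom(16)
    return peer_ch, nt_response(nt_hash(password), challenge_hash(peer_ch, auth_ch, username))


def demo() -> dict:
    dn = "uid=fabio,ou=people,dc=example,dc=com"  # constructed
    ldap = MockOpenLdap({dn: "Wifi-Pass-1"})        # constructed credential
    results = {}
    fe = RadiusFrontEnd(ldap)
    results["pap_ok"] = fe.authenticate_pap(dn, "Wifi-Pass-1")
    results["pap_bad"] = fe.authenticate_pap(dn, "wrong")
    auth_ch = os.urandom(16)
    peer_ch, resp = supplicant_mschapv2("fabio", "Wifi-Pass-1", auth_ch)
    try:
        fe.authenticate_mschapv2(dn, "fabio", peer_ch, auth_ch, resp)
        results["mschapv2_via_ldap"] = "verified"
    except NotImplementedError:
        results["mschapv2_via_ldap"] = "unverifiable"
    # FAC-style: a back end that can check against the NT hash (AD join / SMB) makes PEAP work.
    fe_ad = RadiusFrontEnd(ldap, hash_source={dn: nt_hash("Wifi-Pass-1")})
    results["mschapv2_via_hash_source"] = fe_ad.authenticate_mschapv2(dn, "fabio", peer_ch, auth_ch, resp)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows PAP succeeding or failing purely through `simple_bind`, MSCHAPv2 being unverifiable when the only back end is an LDAP bind, and the same MSCHAPv2 response verifying once a back end holding the NT hash exists, which is exactly the distinction between the plain OpenLDAP case and the domain-joined FortiAuthenticator case described in the reply.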
We have succeeded :)
with Smart Connect Profile.
Through a Self-Service portal in FortiAuthenticator we were able to have the Smart Connect profile downloaded and installed on each device. In the Smart Connect Profile you can set every parameter of your WiFi.
It's amazing and very easy.
I would love to write a tutorial guide if I had the time, if it can be useful.
Thank you pminarik
Fabio
That's a very neat idea to use the FAC to let your Apple devices pull the SSID profile. Glad you figured it out! :)