WiFi Authentication Problem
Hello!
When I set up my SSL VPN authentication, I set up LDAP (User->Remote->LDAP) to connect to my Windows 2003 SP2 DC. In User->User I set a username for each person and set them to "match user on LDAP server". I created a Firewall group that allows SSL-VPN access and added everyone to it. Besides having to use the AD full name (Fred Smith) instead of username (fsmith), everything works great.
So when I went to set up the authentication for my WPA2-Enterprise WiFi network, I created a new group just for WiFi users. I added the same users that were in the SSL VPN group. And gave it a shot, but I can't seem to get authenticated. I tried all different kinds of combinations of full name, username, with and without domain, and I can't get connected.
So I created a test user with a password stored on the firewall and added it to the newly created group for WiFi users. That account works.
I just can't get the LDAP users to authenticate when making a WiFi connection. Anyone have any tips? Would also be curious to know how to get the SSL VPN authentication to use username instead of full name, but that is very minor.
Thanks,
Jamie!
7 REPLIES
For the SSL-VPN:
use sAMAccountName as the Common Name Identifier in the LDAP server config in your FortiGate.
Never used LDAP for FortiWiFi, sorry ;) Should not be too hard I guess. What software version do you use?
Thanks Matthijs, sAMAccountName did the trick! It fixed the username vs full name.
Still no luck with the WiFi.
Firewall FW - 4.0, build0441,110318 (MR3)
FortiAP FW - FAP21B-v4.0-build214
What firmware version are you running?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
For WPA2-Enterprise authentication you will need to use RADIUS... All that EAP handling cannot get transported over LDAP!!
Install IAS (W2k3)/NPS (W2k8) on your domain controllers and use the RADIUS server from Windows!
best regards,
Roman
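As an added illustration of the point above (example code written for this page, not from the thread or from Fortinet): the RADIUS Access-Request a wireless controller sends to IAS/NPS carries the 802.1X EAP exchange inside EAP-Message attributes (RFC 3579) and protects it with an HMAC-MD5 Message-Authenticator keyed by the shared secret. The secret, username, identifier and authenticator below are constructed values.

```python
import hashlib
import hmac
import struct

SHARED_SECRET = b"example-secret"  # constructed; configured on both FortiGate and NPS

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(atype, value):
    """RADIUS attribute TLV: type (1 byte), total length (1 byte), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (RFC 3748): code 2, identifier, length, type 1, identity."""
    data = b"\x01" + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(data)) + data

def build_access_request(identifier, authenticator, username, eap_frame, secret):
    """Wrap an EAP frame in an Access-Request; Message-Authenticator is the last attribute."""
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_EAP_MESSAGE, eap_frame)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while computing the HMAC
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # fill in the Message-Authenticator value

def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 over the packet with the attribute value zeroed (RFC 3579 section 3.2)."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # EAP-carrying requests without a Message-Authenticator must be dropped

def extract_eap(packet):
    """Reassemble EAP-Message fragments and return (code, id, type, data)."""
    eap = b"".join(v for t, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    return code, eap_id, eap[4], eap[5:length]
```

A server that lacks the shared secret (or a directory that only offers an LDAP bind) has no way to validate or continue this exchange, which is why the authenticator has to point at a RADIUS server.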
Thanks for the info Roman!
I started re-reading the Deploying Wireless Networks document to learn more about RADIUS and there are several lines that seem to indicate that LDAP is supported.
Documentation being documentation, I opened a support ticket.
Thanks for all the help and I will report back when I hear from tech support.
I learned a few things from tech support.
1. I don't need to create individual users on the FortiGate for SSL VPN. I only needed to add the LDAP server to the SSL VPN group.
2. Captive Portal is capable of authenticating with LDAP, but not sure if that exchange is encrypted.
3. While LDAP can be used for SSL VPN, SSL VPN portal, via console, and Captive Portal, it can't, and according to the devs won't ever, be used for WiFi because LDAP doesn't allow password retrieval.
4. The choices for WiFi authentication are captive portal, local users on FortiGate, WPA2-Personal (pre-shared key), and RADIUS.
Thanks everyone!
