Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sensorsinc
New Contributor III

WiFi Authentication Problem

Hello! When I setup my SSL VPN authentication, I setup LDAP (User->Remote->LDAP) to connect to my Windows 2003 SP2 DC. In User->User I set a username for each person and set them to " match user on LDAP server" . I created a Firewall group that allows SSL-VPN access and added everyone to it. Besides having to use the AD full name (Fred Smith) instead of username (fsmith), everything works great. So when I went to setup the authentication for my WPA2-Enterprise WiFi network, I created a new group just for WiFi users. I added the same users that were in the SSL VPN group. And gave it shot, but I can' t seem to get authenticated. I tried all different kinds of combinations of full name, username, with and without domain, and I can' t get connected. So I created a test user with a password stored on the firewall and added it to the newly created group for WiFi users. That account works. I just can' t get the ldap users to authenticate when making a WiFi connection. Anyone have any tips? Would also be curious to know how to get the SSL VPN authentication to use username instead of full name, but that is very minor. Thanks, Jamie!
7 REPLIES 7
Matthijs
New Contributor II

For the SSL-VPN: use sAMAccountName at Common Name Identifier in the LDAP server config in your FortiGate. Never used ldap for FortiWifi, sorry ;) Should not be to hard i gues. What software version do you use?
sensorsinc
New Contributor III

Thanks Matthijs, sAMAccountName did the trick! It fixed the username vs full name. Still no luck with the WiFi. Firewall FW - 4.0, build0441,110318 (MR3) FortiAP FW - FAP21B-v4.0-build214
rwpatterson
Valued Contributor III

What firmware version are you running?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
romanr
Valued Contributor

For WPA2-Enterprise authentication you will need to use Radius... All that EAP handling cannot get transported over ldap!! Install IAS(W2k3)/NPS(W2k8) on your domain controllers and use the radius server from windows! best regards, Roman
sensorsinc
New Contributor III

Thanks for the info Roman!
sensorsinc

I started re-reading the Deploying Wireless Networks document to learn more about RADIUS and there are several lines that seem to indicate that LDAP is supported. Documentation being documentation, I opened a support ticket. Thanks for all the help and I will report back when I hear from tech support.
sensorsinc

I learned a few things from tech support. 1. I don' t need to create indiviaual users on the FortiGate for SSL VPN. I only needed to add the LDAP server to the SSL VPN group. 2. Captive Portal is capable of authenticating with LDAP, but not sure if that exchange is encrypted. 3. While LDAP can be used for SSL VPN, SSL VPN portal, via console, and Captive Portal, it can' t, and according to the devs won' t ever, be used for WiFi because LDAP doesn' t allow password retreival. 4. The choices for WiFi authentication are captive portal, local users on FortiGate, WPA2-Personal (pre-shared key), and RADIUS. Thanks everyone!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors