FortiGate
RBA
Staff
Article Id 251953
Description This article describes the basic configuration steps required to integrate JumpCloud as an LDAP authentication server for the FortiGate.
Scope FortiGate, LDAP
Solution

Before starting on the FortiGate, ensure that a user on the JumpCloud side has been enabled as an LDAP Bind DN (any valid JumpCloud user may be used for this role). The FortiGate will use this account to authenticate itself to JumpCloud before it can authenticate other users via LDAP. Refer to the following external documentation for configuring JumpCloud as a cloud LDAP server: https://jumpcloud.com/support/use-cloud-ldap

Once an LDAP Binding user has been set on the JumpCloud side, the FortiGate can be configured for LDAP. Navigate to User & Authentication -> LDAP Servers, create a new entry and populate it with the following information:

Name: JumpCloud_LDAP (or any appropriate name)

Server IP/Name: ldap.jumpcloud.com

Server Port: 636 or 389

  • LDAPS or STARTTLS; plaintext LDAP is not allowed.

Common Name Identifier: uid

  • Corresponds to JumpCloud username (not the user's full email address).

Distinguished Name: ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com

Exchange Server: Disabled

Bind Type: Regular

Username: uid=<LDAP_BIND_USERNAME>,ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com

Password: <LDAP_BINDING_USER_PASSWORD>

Secure Connection: Enabled

Protocol: LDAPS (recommended) or STARTTLS

Certificate: Enabled, select 'Go_Daddy_Root_Certificate_Authority_-_G2' (see note below)

Server identity check: Enabled

Note regarding Certificate:

In v7.4.4 and later, verification of the LDAPS server's certificate is required. This involves selecting the CA certificate that signed the LDAPS server's certificate so that it can be verified (see also: Technical Tip: LDAPS connections no longer work after update to v7.4.4).

The certificate used for JumpCloud's LDAPS server is currently signed by the GoDaddy Class 2 Certification Authority Root Certificate - G2, though it is recommended to check JumpCloud's documentation to verify this: https://jumpcloud.com/support/connect-to-ldap-with-tls-ssl

Sample Configuration in the GUI:

[Image: JumpCloud_LDAP_GUI_Example.png]

Sample Configuration in the CLI:

config user ldap
    edit <Server_Name>
        set server ldap.jumpcloud.com
        set cnid uid
        set dn "ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com"
        set type regular
        set username "uid=<LDAP_BIND_USERNAME>,ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com"
        set password <LDAP_BINDING_USER_PASSWORD>
        set group-member-check group-object
        set group-object-filter "(&(objectClass=groupOfNames)(cn=*))"
        set secure ldaps
        set ca-cert "Go_Daddy_Root_Certificate_Authority_-_G2"
        set port 636
        set password-expiry-warning enable
        set password-renewal enable
    next
end

cnid is set to uid rather than the more common cn or sAMAccountName, because uid is the LDAP account attribute in which JumpCloud stores the username.

Note regarding LDAP Group Matching:

The two group-related CLI commands in the configuration above (set group-member-check and set group-object-filter) must be configured for group matching to work when LDAP users/user groups are used for VPN. Verifying a user on LDAP with the 'Test User Credentials' button will succeed without these two commands. These two attributes can only be configured in the CLI.

Group member checking methods can be assigned using the following CLI command:

FortiGate (Jumpcloud_LDAP) # set group-member-check
user-attr     User attribute checking.
group-object     Group object checking.
posix-group-object     POSIX group object checking.

The filter used for group searching can be assigned using the following CLI command:

Fortigate (Jumpcloud_LDAP) # set group-object-filter
filter    used for group searching. Here are some examples:
(&(objectcategory=group)(member=*))
(&(objectclass=groupofnames)(member=*))
(&(objectclass=groupofuniquenames)(uniquemember=*))
(&(objectclass=posixgroup)(memberuid=*))
(&(objectclass=posixgroup)(memberuid=%s))
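To make the group-matching settings concrete, the following is an added example (not Fortinet or JumpCloud code) that models, offline, how the three group-member-check modes and a group-object-filter resolve a user's group membership against a JumpCloud-style directory tree. The organisation ID, user names and group entries are constructed placeholders, the filter parser handles only the AND/OR/NOT, equality and presence forms used in the examples above, and DNs are compared as exact strings. It also shows why the filter string must contain no whitespace between sub-filters, and why an Active Directory style filter such as (&(objectcategory=group)(member=*)) matches nothing in a tree whose groups carry only objectClass.

```python
"""Offline model of FortiGate-style LDAP group matching against a JumpCloud-like tree.
Added example with constructed data; ORG_ID is a placeholder and nothing touches the network."""

ORG_ID = "YOUR_ORG_ID"  # placeholder for the JumpCloud organisation ID
BASE_DN = f"ou=Users,o={ORG_ID},dc=jumpcloud,dc=com"


def bind_dn(username: str) -> str:
    """Build a user DN the way the article's Bind DN is built: cnid 'uid' under the Users OU."""
    return f"uid={username},{BASE_DN}"


def parse_filter(text: str):
    """Parse a minimal RFC 4515 filter: (&..), (|..), (!..), attr=value and attr=*.
    Whitespace between sub-filters is rejected, so a filter with a stray space fails."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if text[pos] == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad attribute assertion {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters after filter at offset {pos}")
    return tree


def filter_is_valid(text: str) -> bool:
    """True if the filter parses; a sanity check for group-object-filter values."""
    try:
        parse_filter(text)
        return True
    except (ValueError, IndexError):
        return False


def matches(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry (lower-cased attribute -> list of values)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":  # presence test, e.g. (cn=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def user_groups(method: str, user: dict, groups: list, group_filter: str) -> list:
    """Resolve the groups a user belongs to under each group-member-check mode."""
    uid = user["uid"][0]
    tree = parse_filter(group_filter.replace("%s", uid))  # %s expands to the user name
    if method == "user-attr":
        # membership is read from the user's own memberOf attribute; no group search
        return sorted(user.get("memberof", []))
    if method == "group-object":
        # search group objects matching the filter and look for the user's DN in 'member'
        return sorted(g["dn"][0] for g in groups
                      if matches(tree, g) and user["dn"][0] in g.get("member", []))
    if method == "posix-group-object":
        # POSIX groups list user names, not DNs, in 'memberUid'
        return sorted(g["dn"][0] for g in groups
                      if matches(tree, g) and uid in g.get("memberuid", []))
    raise ValueError(f"unknown group-member-check mode {method!r}")


# Constructed sample directory content.
USER = {"dn": [bind_dn("jdoe")], "uid": ["jdoe"],
        "objectclass": ["inetOrgPerson", "posixAccount"], "memberof": [f"cn=vpn-users,{BASE_DN}"]}
GROUPS = [
    {"dn": [f"cn=vpn-users,{BASE_DN}"], "cn": ["vpn-users"], "objectclass": ["groupOfNames"],
     "member": [bind_dn("jdoe"), bind_dn("asmith")]},
    {"dn": [f"cn=admins,{BASE_DN}"], "cn": ["admins"], "objectclass": ["groupOfNames"],
     "member": [bind_dn("asmith")]},
    {"dn": [f"cn=unix-users,{BASE_DN}"], "cn": ["unix-users"], "objectclass": ["posixGroup"],
     "memberuid": ["jdoe"]},
]
ARTICLE_FILTER = "(&(objectClass=groupOfNames)(cn=*))"

if __name__ == "__main__":
    print("bind DN:", bind_dn("jdoe"))
    for mode, flt in [("user-attr", ARTICLE_FILTER), ("group-object", ARTICLE_FILTER),
                      ("posix-group-object", "(&(objectclass=posixgroup)(memberuid=%s))")]:
        print(f"{mode:>18}: {user_groups(mode, USER, GROUPS, flt)}")
    print("filter with stray space valid?", filter_is_valid("(&(objectClass=groupOfNames) (cn=*))"))
```

Running the script prints the bind DN, the groups resolved by each mode, and False for the filter with the stray space; swapping ARTICLE_FILTER for (&(objectcategory=group)(member=*)) in group-object mode returns an empty list because none of the sample groups carries an objectCategory attribute.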

 

Note regarding JumpCloud Multi-Factor Authentication (MFA):

If MFA is in use, consider the following:

There is no easy solution to support MFA when connecting to a WPA-Enterprise SSID. The push time will be 5 seconds. This timer cannot be changed.

For a wired Ethernet connection, it is possible to change the push timer with the remoteauthtimeout value:

config system global
    set remoteauthtimeout <1-300, default = 5 seconds>
end