Description | This article describes the basic configuration steps required to integrate JumpCloud as an LDAP authentication server for the FortiGate. |
Scope | FortiGate, LDAP |
Solution |
Before starting on the FortiGate, ensure that a user on the JumpCloud side has been enabled as an LDAP Binding User (any valid JumpCloud user may be given this role, but a dedicated service account with no other access is recommended: its password is stored in the FortiGate configuration and the account only needs to read the directory). The FortiGate binds with this account to authenticate itself to JumpCloud before it can look up and authenticate other users via LDAP. Refer to the following external documentation for configuring JumpCloud as a cloud LDAP server: https://jumpcloud.com/support/use-cloud-ldap
Once an LDAP Binding user has been set on the JumpCloud side, the FortiGate can be configured for LDAP. Navigate to User & Authentication -> LDAP Servers, create a new entry and populate it with the following information:
Name: JumpCloud_LDAP (or any appropriate name)
Server IP/Name: ldap.jumpcloud.com
Server Port: 636 (LDAPS) or 389 (STARTTLS)
Common Name Identifier: uid
Distinguished Name: ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com
Exchange Server: Disabled
Bind Type: Regular
Username: uid=<LDAP_BIND_USERNAME>,ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com
Password: <LDAP_BINDING_USER_PASSWORD>
Secure Connection: Enabled
Protocol: LDAPS (recommended) or STARTTLS
Certificate: Enabled, select 'Go_Daddy_Root_Certificate_Authority_-_G2' (see note below)
Server identity check: Enabled
Note regarding Certificate: In v7.4.4 and later, verification of the LDAPS server's certificate is mandatory. This involves selecting the CA certificate that issued the LDAPS server's certificate so that the chain can be verified (see also: Technical Tip: LDAPS connections no longer work after update to v7.4.4).
The certificate presented by JumpCloud's LDAPS server currently chains to the Go Daddy Root Certificate Authority - G2, which is the certificate named 'Go_Daddy_Root_Certificate_Authority_-_G2' in the FortiGate certificate store. Because a change of CA on JumpCloud's side will break the connection once verification is enforced, check JumpCloud's documentation, or the chain actually presented on ldap.jumpcloud.com:636 (for example with openssl s_client -showcerts), to verify this: https://jumpcloud.com/support/connect-to-ldap-with-tls-ssl
Sample Configuration in the GUI:
Sample Configuration in the CLI:
    config user ldap
        edit <Server_Name>
            set server "ldap.jumpcloud.com"
            set cnid "uid"
            set dn "ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com"
            set type regular
            set username "uid=<LDAP_BIND_USERNAME>,ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com"
            set password <LDAP_BINDING_USER_PASSWORD>
            set secure ldaps
            set ca-cert "Go_Daddy_Root_Certificate_Authority_-_G2"
            set server-identity-check enable
            set port 636
            set password-expiry-warning enable
        next
    end
cnid is set to uid instead of the typical cn or sAMAccountName: uid is the LDAP attribute in which JumpCloud stores the username, so the FortiGate looks the user up as (uid=<username>) under the Distinguished Name above and then binds as the entry it finds.
Note regarding LDAP Group Matching: Two additional settings, group-member-check and group-object-filter, must be configured for group matching to work when LDAP users or user groups are used for VPN (or any other policy that matches on group membership). The 'Test User Credentials' button only verifies the bind and the user lookup, so it succeeds without these two settings, which can hide the problem until a group-based policy is tested. Both settings are CLI-only and are set inside the LDAP server entry:
    config user ldap
        edit <Server_Name>
            set group-member-check <user-attr | group-object | posix-group-object>
            set group-object-filter <LDAP search filter used to find group objects>
        next
    end
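The following is an added example, not part of the original article, showing the two CLI-only settings in context together with a user group that matches a JumpCloud LDAP group. It assumes the LDAP server object is named JumpCloud_LDAP as above; the filter value, the group DN, and the group name vpn-users are assumptions based on JumpCloud exposing groups as groupOfNames entries under ou=Users, and must be adapted to your directory.

```fortios
config user ldap
    edit "JumpCloud_LDAP"
        # Assumption: JumpCloud groups are groupOfNames objects whose 'member'
        # attribute lists full user DNs, so membership is resolved by searching
        # the group objects instead of reading a memberOf attribute on the user.
        set group-member-check group-object
        set group-object-filter "(&(objectClass=groupOfNames)(member=*))"
    next
end

config user group
    edit "VPN_Users"
        set member "JumpCloud_LDAP"
        config match
            edit 1
                set server-name "JumpCloud_LDAP"
                # Assumed group DN; replace vpn-users with the JumpCloud group
                # that should be granted VPN access.
                set group-name "cn=vpn-users,ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com"
            next
        end
    next
end
```

To confirm the match from the CLI, run diagnose test authserver ldap JumpCloud_LDAP <username> <password>: unlike 'Test User Credentials', its output lists the groups the user was matched to, so an empty group list points at the filter or the group DN. The password is entered in clear text on the CLI, so use a test account and keep the session out of logged terminals.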
Note regarding JumpCloud Multi-Factor Authentication (MFA): If MFA is in use for JumpCloud users, consider the following:
There is no easy solution for supporting push MFA when users authenticate to a WPA-Enterprise SSID: the time allowed for the push approval is 5 seconds, and this timer cannot be changed. For a wired Ethernet connection, the time allowed for the push can be changed with the remoteauthtimeout value:
    config system global
        set remoteauthtimeout <1-300>   (seconds, default 5)
    end