LDAP authentication for SSL VPN with FortiAuthenticator


This recipe describes how to set up FortiAuthenticator to function as an LDAP server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the LDAP server on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as an LDAP server.

1. Creating the User and User Group on FortiAuthenticator

From the FortiAuthenticator GUI, go to Authentication > User Management > Local Users, and select Create New.

Enter a name for the user (in the example, jgarrick), enter and confirm a password, and be sure to disable Allow RADIUS authentication — RADIUS authentication is not required for this recipe.

Set Role as User, and select OK. New options will appear.

Make sure to enable Allow LDAP browsing — the user will not be able to connect to the FortiGate otherwise.

Next, go to Authentication > User Management > User Groups, and add a user group for the FortiGate users. Add the desired users to the group.

2. Creating the LDAP Directory Tree on FortiAuthenticator

Go to Authentication > LDAP Service > Directory Tree, and create a Distinguished Name (DN) (in the example, dc=fortinet,dc=com). This base DN is made up of Domain Components (DC).

The users created earlier become User ID (UID) entries, and the user group becomes a Common Name (CN) entry, in the LDAP Directory Tree.

Create an Organizational Unit (OU), and a Common Name (CN). Under the cn=HeadOffice entry, add UIDs for each user.

If you mouse over one of the users, you will see the full DN of the LDAP server.

Later, you will use the jgarrick credentials on the FortiGate as the bind account that queries the LDAP directory tree on FortiAuthenticator, and you will use the bwayne credentials to connect to the VPN tunnel.

3. Connecting the FortiGate to the LDAP Server

From the FortiGate GUI, go to User & Device > Authentication > LDAP Servers, and select Create New.

Enter a name for the LDAP Server connection.

Set Server IP/Name as the IP of the FortiAuthenticator, and set the Common Name Identifier as uid.

Set the Distinguished Name as dc=fortinet,dc=com, and set the Bind Type to Regular.

Next, enter the User DN of the LDAP server, and enter the Password.

The User DN is the bind account (jgarrick in the example) that the FortiGate uses to query the LDAP server.

Select Fetch DN to confirm that the connection works. If it does, a dropdown menu appears showing the LDAP tree, dc=fortinet,dc=com.

4. Creating the LDAP User Group on the FortiGate

Go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.


Select LDAPserver under the Remote Server dropdown.

In the new Add Group Match window, select HeadOffice under the Groups tab, and select Add Selected, then click OK.

LDAPserver has been added to the LDAP group.

5. Configuring the SSL VPN

From the FortiGate GUI, go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings, set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

Select the prompt at the top of the screen to create a new SSL-VPN policy.

Set Source User(s) to the LDAPgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.
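The FortiOS CLI equivalent of steps 3 to 5, added here as an example and not part of the original recipe. The FortiAuthenticator IP, the bind password and the CA certificate name are placeholders; the LDAPS lines are a hardening addition that the GUI steps do not include, and the two password-expiry settings are the ones quoted in the comments on this recipe.

```fortios
# Step 3: the LDAP server connection. The bind account is jgarrick.
config user ldap
    edit "LDAPserver"
        # Placeholder: replace with the FortiAuthenticator IP.
        set server "192.0.2.10"
        set cnid "uid"
        set dn "dc=fortinet,dc=com"
        set type regular
        set username "uid=jgarrick,cn=HeadOffice,ou=techdoc,dc=fortinet,dc=com"
        # Placeholder: the bind password set for jgarrick on FortiAuthenticator.
        set password "<bind-password>"
        # Hardening not shown in the GUI steps: with a Regular bind the
        # bind password is sent in clear on port 389 unless LDAPS is used.
        set secure ldaps
        set port 636
        # Placeholder: CA certificate that signed the FortiAuthenticator cert.
        set ca-cert "<FortiAuthenticator-CA>"
        # Settings from the comment thread: warn on expiry and allow renewal.
        set password-expiry-warning enable
        set password-renewal enable
    next
end

# Step 4: remote group match on cn=HeadOffice.
config user group
    edit "LDAPgroup"
        set member "LDAPserver"
        config match
            edit 1
                set server-name "LDAPserver"
                set group-name "cn=HeadOffice,ou=techdoc,dc=fortinet,dc=com"
            next
        end
    next
end

# Step 5: SSL VPN port, tunnel pool and portal mapping.
config vpn ssl settings
    set port 10443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "LDAPgroup"
            set portal "full-access"
        next
    end
end
```

To check an actual bind as the VPN user rather than only reachability of the server, run diagnose test authserver ldap LDAPserver bwayne <password> from the FortiGate CLI.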

6. Results

From a remote device, access the SSL VPN Web Portal.

Enter valid LDAP credentials (in the example, bwayne).

‘bwayne’ is now successfully logged into the SSL VPN Portal.

From the FortiGate GUI, go to VPN > SSL > Monitor to confirm the connection.

Note for step 2: in the example, the full DN of the user is uid=jgarrick,cn=HeadOffice,ou=techdoc,dc=fortinet,dc=com.

Note for step 3: if you select Test, it will report that the connection is Successful, but this is a false indication. Only selecting Fetch DN confirms a working connection.

Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has an Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
  • MAyoub

    Hello,

    Is it possible to use LDAP for SSL VPN users while using Authenticator for FSSO users at the same time?

    Regards

  • KevinMcKloud

    Hi, once it’s authenticated and allowed in, how can you then AUTHORIZE **based on an LDAP Attribute value** that the user can access X IP or resource?

  • Sebastien

    How can I change my password from the SSL VPN if I enable password expiration on FortiAuthenticator?

    • Adam Bristow

      Hi Sebastien! When your password is about to expire, you will be automatically notified via email to change it.

      To change your password, go to Authentication > User Management > Local Users, edit the user, and select Change Password next to Password-based authentication.

      If your password has already expired, then your account will become disabled. To re-enable your user, select the user and select Re-enable under the Disabled Users tab.

      • Sebastien

        OK. You think it is not possible to change it directly on the SSL VPN page?

        • Sebastien

          I have activated this option on the FortiGate LDAP server:

          set password-expiry-warning enable
          set password-renewal enable

          • Adam Bristow

            Unfortunately, it is not possible to change your password directly within the SSL VPN portal. However, using those CLI commands means you can change your password at the portal login if your password has expired.

            You will be allowed to login, but only to change your password.

          • Sebastien

            I understand, but I cannot connect to change it. If I only connect to the enterprise network with the SSL VPN, is it not possible to change the password?

          • Adam Bristow

            I would recommend contacting your administrator to have your password changed for you.