Authenticate to VPN SSL Portal via AD credentials?

Author
joebrug
New Member
  • Total Posts : 15
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/01/08 17:06:04
  • Status: offline
2015/01/15 17:20:53 (permalink)
0

Authenticate to VPN SSL Portal via AD credentials?

Can you authenticate via an LDAP user to the SSL web portal? Using 5.2.2 Forticlient. I just today set up the web portal, so something could definitely be misconfigured there. However, I created an SSL VPN Group, added the Domain Users group to it as a test from AD. Also created a local user called "test" and added it to that group. I can log in as 'test' but not as any user of AD.
#1
neonbit
Gold Member
  • Total Posts : 356
  • Scores: 22
  • Reward points: 0
  • Joined: 2013/07/02 21:39:52
  • Location: Dark side of the moon
  • Status: offline
Re: Authenticate to VPN SSL Portal via AD credentials? 2015/01/15 22:51:49 (permalink)
5 (1)
Yes, you can use LDAP groups/users for your SSLVPN logins.
 
First thing I would do is confirm that LDAP is configured correctly.
 
1. Ensure that the common name identifier you have configured maps to the username format you use for the SSL login.
2. When you click on Fetch DN you should be able to browse your LDAP structure
3. Test should show up as successful
 
 
post edited by neonbit - 2015/01/15 22:59:32


#2
neonbit
Gold Member
  • Total Posts : 356
  • Scores: 22
  • Reward points: 0
  • Joined: 2013/07/02 21:39:52
  • Location: Dark side of the moon
  • Status: offline
Re: Authenticate to VPN SSL Portal via AD credentials? 2015/01/15 22:58:03 (permalink) (marked helpful by westekim 2015/06/22 03:03:23)
0
When you create your usergroup ensure that you have the ldap server configured under 'Remote groups' and that the correct AD group is selected.
 
You can always test your LDAP configuration and user credentials via the CLI using the diagnose test authserver ldap command.
 
fortigate # diagnose test authserver ldap ad-ldap myusername m4hp@ssw0rd
authenticate 'myusername' against 'ad-ldap' succeeded!
Group membership(s) - CN=sslusers,OU=Groups,DC=domain,DC=com
                                  CN=Domain Users,CN=Users,DC=domain,DC=com

#3
joebrug
New Member
  • Total Posts : 15
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/01/08 17:06:04
  • Status: offline
Re: Authenticate to VPN SSL Portal via AD credentials? 2015/01/16 11:31:28 (permalink)
0
ah-ha..
Using your CLI test, I realized that using my username would fail authentication, but if I use my Full Name, i.e. "John Doe", LDAP allowed me to log in. Is that because I'm using CN as the Common Name Identifier?
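The behaviour joebrug observed (and the group membership lines in the diagnose output earlier in the thread) follow from how an LDAP authenticator resolves a login name: it searches for an entry whose Common Name Identifier (CNID) attribute equals the typed name, binds as that entry's DN with the supplied password, and only then checks group membership. FortiGate's CNID defaults to cn, which in AD is usually the display name ("John Doe"); sAMAccountName is the attribute that matches the account name users actually type. The following is an added example, not code from this thread or from Fortinet: a toy in-memory model of that lookup. DIRECTORY, DOMAIN_USERS_DN, PRIMARY_GROUPS, find_user, effective_groups and authenticate are all constructed here, with made-up passwords and DNs. It also handles one AD quirk that bites group checks against Domain Users: a user's primary group is not listed in memberOf but is referenced by primaryGroupID (RID 513 for Domain Users), so a check that reads memberOf alone misses it.

```python
"""Toy model of search-then-bind LDAP authentication (added example, not FortiGate code).

Shows why the Common Name Identifier decides which spelling of the username
works, and why a group check must also resolve the AD primary group."""
from dataclasses import dataclass

# Constructed sample data: a stand-in for AD objects, not a real domain.
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=domain,DC=com"
# In AD the primary group is stored as a RID in primaryGroupID, not in memberOf.
PRIMARY_GROUPS = {513: DOMAIN_USERS_DN}

DIRECTORY = [
    {
        "dn": "CN=John Doe,CN=Users,DC=domain,DC=com",
        "cn": "John Doe",
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@domain.com",
        "memberOf": ["CN=sslusers,OU=Groups,DC=domain,DC=com"],
        "primaryGroupID": 513,
        "password": "example-pw-1",  # constructed test value
    },
    {
        "dn": "CN=Jane Roe,OU=Staff,DC=domain,DC=com",
        "cn": "Jane Roe",
        "sAMAccountName": "jroe",
        "userPrincipalName": "jroe@domain.com",
        "memberOf": [],
        "primaryGroupID": 513,
        "password": "example-pw-2",  # constructed test value
    },
]


@dataclass
class AuthResult:
    ok: bool
    reason: str
    dn: str = ""
    groups: tuple = ()


def find_user(cnid: str, login_name: str):
    """Emulate the search (cnid=login_name) under the base DN.

    AD attribute matching is case-insensitive, so compare case-folded.
    Exactly one hit is required; zero or several means the login cannot be resolved."""
    hits = [e for e in DIRECTORY if e.get(cnid, "").lower() == login_name.lower()]
    return hits[0] if len(hits) == 1 else None


def effective_groups(entry) -> tuple:
    """memberOf plus the primary group resolved from primaryGroupID."""
    groups = list(entry["memberOf"])
    primary = PRIMARY_GROUPS.get(entry["primaryGroupID"])
    if primary and primary not in groups:
        groups.append(primary)
    return tuple(groups)


def authenticate(cnid: str, login_name: str, password: str, required_group: str) -> AuthResult:
    """Three stages: resolve the DN by CNID, verify the password (the bind),
    then check membership of the AD group mapped to the VPN user group."""
    entry = find_user(cnid, login_name)
    if entry is None:
        return AuthResult(False, f"no entry where {cnid}={login_name!r}")
    if entry["password"] != password:
        return AuthResult(False, "bind failed: wrong password", entry["dn"])
    groups = effective_groups(entry)
    if required_group.lower() not in (g.lower() for g in groups):
        return AuthResult(False, "permission denied: not a member of required group",
                          entry["dn"], groups)
    return AuthResult(True, "succeeded", entry["dn"], groups)


if __name__ == "__main__":
    ssl_group = "CN=sslusers,OU=Groups,DC=domain,DC=com"
    # Same user, same password: only the CNID/login-name pairing changes.
    for cnid, name in (("cn", "jdoe"), ("cn", "John Doe"), ("sAMAccountName", "jdoe")):
        r = authenticate(cnid, name, "example-pw-1", ssl_group)
        print(f"cnid={cnid:<15} login={name!r:<12} -> {r.reason}")
    # Group stage: jroe is only in Domain Users (via primary group), not in sslusers.
    print(authenticate("sAMAccountName", "jroe", "example-pw-2", DOMAIN_USERS_DN).reason)
    print(authenticate("sAMAccountName", "jroe", "example-pw-2", ssl_group).reason)
```

Run it directly to see the three outcomes for the same account: with cn as the identifier "jdoe" is not found while "John Doe" succeeds, and with sAMAccountName "jdoe" succeeds; the last two lines show a correct password still ending in "permission denied" when the required group is not among the user's effective groups, which is the failure to separate from a bad CNID when reading the diagnose output.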
 
#4
barthur
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/08/25 10:18:16
  • Status: offline
Re: Authenticate to VPN SSL Portal via AD credentials? 2017/03/03 12:32:09 (permalink)
0
How can you have a level of redundancy in the Windows Active Directory Authentication?
 
Under "Remote Groups" can I add a second AD Server and that second server would respond if the first server didn't?
#5
MikePruett
Platinum Member
  • Total Posts : 581
  • Scores: 8
  • Reward points: 0
  • Joined: 2014/01/08 19:39:40
  • Location: Montgomery, Al
  • Status: offline
Re: Authenticate to VPN SSL Portal via AD credentials? 2017/03/03 14:31:52 (permalink)
0
Depends on how your environment is laid out.

Mike Pruett
Fortinet GURU
#6
simple1689
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/03/22 15:39:45
  • Status: offline
Re: Authenticate to VPN SSL Portal via AD credentials? 2017/03/23 10:55:53 (permalink)
0
I have mine set up for AD authentication. I am having an issue where the Domain Users I add get Permission Denied. However, my AD account, Administrator, and all my test AD accounts can authenticate without issue. Doesn't matter what OU they are in.
 
In any case, here is my setup. 
 
AD > Security Group > "SSL VPN Logins"
AD > New User > fortinet (used for LDAP Bind below). 
 
Fortigate 100d > Authentication > LDAP Servers > Successfully configured my connection using my 'fortinet' user to authenticate. Test connection is successful. 
 
Fortinet 100d > User > User Groups > New, "SSL VPN Sec Group". 
  • Under Remote Groups > Create New > Remote Server, my LDAP Server > LDAP Groups, Located my "SSL VPN Logins" AD Group > Selected group and added > OK
Fortinet 100d > VPN > SSL > Settings > Authentication/Portal Mapping > Create New > Added the "SSL VPN Sec Group" for full access
 
Fortinet 100d > Policy and Objects > Policy > IPv4 > ssl.root - LAN > Added Source: *, Group: Added "SSL VPN Sec Group", Destination: Local LAN, Schedule: Always, Service: All, Accept. 
 
My issue again is that Domain Administrator, my AD test accounts, and my AD account all authenticate without issue. When I add another Domain User (who may already be logged into a Domain Computer somewhere), they get "Permission Denied". I am trying to narrow down when Domain Users receive rights from a Security Group (immediately, or when they log in again; if the latter, does being logged on to an existing computer somewhere stop Security Group permissions from being applied)?
#7