joebrug
New Contributor

Authenticate to VPN SSL Portal via AD credentials?

Can you authenticate via an ldap user to the SSL web portal? Using 5.2.2 Forticlient. I just today set up the web portal, so something could definitely be misconfigured there. However, I created an SSL VPN Group, added the Domain Users group to it as a test from AD. Also created a local user called "test" and added it to that group.  I can log in as 'test' but not as any user of AD. 

1 Solution
neonbit
Valued Contributor

When you create your user group, ensure that you have the LDAP server configured under 'Remote groups' and that the correct AD group is selected.

You can always test your LDAP configuration and user credentials via the CLI using the diagnose test authserver ldap command.

fortigate # diagnose test authserver ldap ad-ldap myusername m4hp@ssw0rd
authenticate 'myusername' against 'ad-ldap' succeeded!
Group membership(s) - CN=sslusers,OU=Groups,DC=domain,DC=com
                      CN=Domain Users,CN=Users,DC=domain,DC=com

neonbit
Valued Contributor

Yes, you can use LDAP groups/users for your SSLVPN logins.

First thing I would do is confirm that LDAP is configured correctly.

1. Ensure that the common name identifier you have configured maps to the username format you use for the SSL login.
2. When you click on Fetch DN you should be able to browse your LDAP structure.
3. The test should show up as successful.


joebrug

Ah-ha..

Using your CLI test, I realized that using my username would fail authentication, but if I use my full name, i.e. "John Doe", LDAP allowed me to log in. Is that because I'm using CN as the Common Name Identifier?
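Added example, not configuration from this thread or from Fortinet: the FortiGate CLI equivalent of the user-group advice in the accepted solution, together with the Common Name Identifier setting behind the reply above. FortiGate searches the directory on the attribute named by cnid, so the default "cn" matches the AD display name ("John Doe") while "sAMAccountName" matches the Windows logon name; the user group then matches on the AD group DN that the diagnose command prints. The DC address 192.0.2.10, the "fortinet" bind account and the DNs are assumed placeholders.

```text
# Added example (not from the thread). Placeholders: 192.0.2.10, the
# "fortinet" bind account and the domain/group DNs.
config user ldap
    edit "ad-ldap"
        set server "192.0.2.10"
        # "cn" (the default) would require users to log in with their
        # full display name; sAMAccountName matches the Windows logon name.
        set cnid "sAMAccountName"
        set dn "DC=domain,DC=com"
        set type regular
        set username "CN=fortinet,CN=Users,DC=domain,DC=com"
        set password <bind-password>
    next
end

config user group
    edit "SSL VPN Sec Group"
        set member "ad-ldap"
        # Remote group match: the full DN of the AD group, as shown in the
        # "Group membership(s)" line of diagnose test authserver ldap.
        config match
            edit 1
                set server-name "ad-ldap"
                set group-name "CN=sslusers,OU=Groups,DC=domain,DC=com"
            next
        end
    next
end
```

After the change, the diagnose test authserver ldap command from the accepted solution should succeed with the logon name rather than the full name, and the group DN it lists must match the group-name above for the user group to admit the user.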

 

barthur

How can you have a level of redundancy in the Windows Active Directory authentication?

Under "Remote Groups" can I add a second AD server, and would that second server respond if the first server didn't?

MikePruett
Valued Contributor

Depends on how your environment is laid out.

Mike Pruett Fortinet GURU | Fortinet Training Videos
simple1689
New Contributor

I have mine set up for AD authentication. I am having an issue where the Domain Users I add get Permission Denied. However, my AD account, Administrator, and all my test AD accounts can authenticate without issue. It doesn't matter what OU they are in.

In any case, here is my setup.

AD > Security Group > "SSL VPN Logins"

AD > New User > fortinet (used for LDAP Bind below).

Fortigate 100d > Authentication > LDAP Servers > Successfully configured my connection using my 'fortinet' user to authenticate. Test connection is successful.

Fortinet 100d > User > User Groups > New, "SSL VPN Sec Group".

  • Under Remote Groups > Create New > Remote Server, my LDAP Server > LDAP Groups, located my "SSL VPN Logins" AD Group > Selected group and added > OK

Fortinet 100d > VPN > SSL > Settings > Authentication/Portal Mapping > Create New > Added the "SSL VPN Sec Group" for full access

Fortinet 100d > Policy and Objects > Policy > IPv4 > ssl.root - LAN > Added Source: *, Group: Added "SSL VPN Sec Group", Destination: Local LAN, Schedule: Always, Service: All, Accept.

My issue again is that Domain Administrator, my AD test accounts and my AD account all authenticate without issue. When I add another Domain User (who may already be logged into a domain computer somewhere), they get "Permission Denied". I am trying to narrow down when Domain Users receive rights from a Security Group (immediately, or when they log in again; if the latter, does being logged on to an existing computer somewhere stop Security Group permissions from being applied)?
