Issue with SSL-VPN + Certificate + LDAP

Author
JuddTracy
New Member
  • Total Posts : 4
  • Joined: 2019/04/09 10:37:41
Posted: 2019/04/09 11:42:31 (5.6)


I have an LDAP connection set up with a Domain Controller on the network and have set up an LDAP user that, when added to the VPN Users (local firewall) group, can authenticate with the SSL-VPN. I have also created a PKI user, with their subject and CA cert specified and added to the VPN Users (local firewall) group, that can authenticate with the SSL-VPN.
 
When I change the PKI user to specify the ldap-server and ldap-mode, it asks for the certificate, prompts for username and password, but fails to authenticate with the server.
 
Debugging the authentication, I can see on the FortiGate that it tries to verify the account but does not fill in the sAMAccountName:
[584] fnbamd_ldap_build_dn_search_req-base:'dc=<correct>,dc=<correct>,dc=<correct>' filter:samaccountname=
I also ran a packet capture of the LDAP traffic between the firewall and the AD server, and it shows the same issue: the filter has a NULL value for sAMAccountName.
 
I am trying to figure out what I haven't configured correctly; any help would be appreciated.
 
config user ldap
    edit "Domain Controller"
        set server "<DC IP>"
        set secondary-server ''
        set tertiary-server ''
        set source-ip 0.0.0.0
        set cnid "userPrincipalName"
        set dn "dc=<correct>,dc=<correct>,dc=<correct>"
        set type regular
        set username "CN=Fortigate Service Account,CN=Managed Service Accounts,DC=<correct>,DC=<correct>,DC=<correct>"
        set password <password>
        set group-member-check user-attr
        set group-search-base ''
        set group-filter ''
        set secure disable
        set port 389
        set password-expiry-warning disable
        set password-renewal disable
        set member-attr "memberOf"
        set account-key-processing same
        set account-key-name "userPrincipalName"
    next
end
 
config user peer
    edit "testuser"
        set mandatory-ca-verify enable
        set ca "CA_Cert_2"
        set subject "testuser"
        set cn ''
        set cn-type string
        set ldap-server "Domain Controller"
        set ldap-username ''
        set ldap-password <password, did not explicitly set one>
        set ldap-mode password
        set ocsp-override-server ''
        set two-factor disable
    next
end
 
 
Hardware: FortiWifi 90D
Firmware: v5.6.7 build1653 (GA)

1 Reply

    dan5481
    New Member
    • Total Posts : 1
    • Joined: 2019/09/30 12:06:08
    Re: Issue with SSL-VPN + Certificate + LDAP
    Posted: 2019/09/30 12:08:59
    Hi Judd,
     
    I use this style of configuration and have the below line in the ldap configuration:
     
            set cnid "sAMAccountName"
     
    Under the user group the pki user and ldap are both referenced and this works as expected.
     
    Dan
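The failing debug line above shows an LDAP search filter with an empty sAMAccountName value. As an added diagnostic (not part of this thread and not FortiGate's own code), the script below builds the equality filter the LDAP server would receive from a cnid attribute and the identity being looked up, applies RFC 4515 escaping so the value is matched literally, and flags the empty-value case before any bind is attempted. It assumes the identity is the CN of a certificate subject; the subject strings and the `diagnose` helper are constructed for the example.

```python
import re

# RFC 4515 escaping for characters that are special inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally, never treated as a wildcard."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def subject_cn(subject: str) -> str:
    """Pull the CN out of a comma-separated X.509 subject string (constructed
    parser, sufficient for the plain 'CN=...,OU=...,DC=...' form)."""
    for rdn in subject.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.strip().lower() == "cn":
            return val.strip()
    return ""


def build_user_filter(cnid: str, identity: str) -> str:
    """Equality filter the server will receive, e.g. '(sAMAccountName=testuser)'."""
    return f"({cnid}={escape_filter_value(identity)})"


def check_filter(ldap_filter: str):
    """Return (ok, reason). An empty value, as in the thread's debug line
    'filter:samaccountname=', can never match an account, so catch it early."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", ldap_filter)
    if not m:
        return False, "not a simple equality filter"
    attr, val = m.groups()
    if val == "":
        return False, f"empty value for {attr}: no account can match"
    return True, "ok"


def diagnose(cnid: str, subject: str):
    """Run the full check for one peer: subject -> CN -> filter -> verdict."""
    ldap_filter = build_user_filter(cnid, subject_cn(subject))
    ok, reason = check_filter(ldap_filter)
    return {"filter": ldap_filter, "ok": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed sample subjects: one carrying a CN, one without any CN.
    for subj in ("CN=testuser,OU=VPN,DC=example,DC=com", "OU=VPN,DC=example,DC=com"):
        print(diagnose("sAMAccountName", subj))
```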