- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- LDAP Web Filtering Authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP Web Filtering Authentication
All, I've setup a 100E with web filtering profiles and connected it to my DC successfully. However when I enable Web filtering and use the groups and users I've created users cannot login. I can login as a local firewall user but not an LDAP user. I've had users try their username, their full name, their username@domain.local, and domain\username. None of the above work. is there something I'm missing here?
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my opinion- it's easier to do FSSO for web filtering than using captive portal login when it's all your own devices/people. However, you may want to double check your LDAP config under Users - LDAP Servers.
The key fields are the Common Name and Distinguished Name. For most active directories, the best field to use for CN is sAMAccountName (case sensitive) that will map the username to the accountname in AD. So John Smith would typically be jsmith. If you want users to use a different parameter such as their email you need to map to the correct LDAP field. "mail" is typically the email address, "userPrincipalName" is typically the UPN aka user@domain.local.
The DN is where all the user accounts are located in your AD. This is typically "cn=Users,dc=<yourdomain>,dc=<extension>". I use a tool called Softerra LDAP Browser to view the AD hierarchy from a pure LDAP view and it has helped me a lot getting everything in the correct syntax.
Also- you may need to provide a "regular bind" user depending on your AD security settings. That provides a valid authenticated user to do the lookups for the other users. This username will need to be in the LDAP format and have a valid password entered.
CISSP, NSE4
CISSP, NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response. Currently the Fortigate is in production in an entity that truly needs 24/7 uptime and the client is wanting this added on right now. Please see below the example of an LDAP bind I have setup for a user group called "full time employees" From what I understand SSO would automatically authenticate a user when they logged into their workstation without needing to pass a browser credential check. How would this work with mobile devices or logins not associated to a particular group. For example user A uses a shared machine with a shared account but needs specific policies enacted for that specific user. I'm assuming I would just make that shared account the most strict then the user would have to just "deal" with the restricted access, or is there a credential check available in the browser?
[link]https://imgur.com/a/7nF7szC[/link]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The way FSSO works is that there is an agent on a machine that talks to domain controllers on the firewall's behalf. If you have one or two DCs, the firewall itself can do all the heavy lifting without separate agents. The domain controllers log all user login activity and the IP address it came from. The FSSO agent looks for those logs and assigns a user to an IP address dynamically. The firewall connects to the agent and gets this list of ip/user mappings to apply to rules. If a device on a specific IP doesn't log in to anything then it doesn't get a user assigned to it. There is caching, so when a new user logs in, they might get the policy applied to the previous user for a few minutes. You could set a rule for authenticated users with one policy and then a catch-all rule afterwards with internet access policy for non-authenticated devices or force those users to a login portal.
As far as the bind for the ldap users, try posting the output of "show user ldap", that is more helpful. feel free to strip out anything private. for example- here's one of mine...
config user ldap edit <ldap name> set server <server1> set secondary-server <server2> set tertiary-server <server3> set cnid "sAMAccountName" set dn "cn=users,dc=<domain>,dc=<local>" set type regular set username "CN=<user>,OU=<some OU>,DC=<domain>,DC=<local>" set password enc <password> set secure ldaps set port 636 next
CISSP, NSE4
CISSP, NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for walking me through this. Below is the output of the command you requested:
show user ldap
config user ldap
edit "Server 1"
set server ""
set cnid "cn"
set dn "ou=mybusiness,dc=Domain,dc=local"
set type regular
set username "fortigateldap@domain.local"
set password ENC
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That output is very helpful. A few things...
First- i hope that the set server line actually has something in it because obviously it won't work with out that. Have you used the test function to make sure it successfully connects and binds? The username for the bind can be in a few different formats, so as long as it works you should be ok. I structured mine in the LDAP Distinguished Name format.
The CN you chose is cn. That explains why users are not able to log in with any normal username you expect. Active directory maps the cn field to their full name such as "John Smith". In order to log in, the users will have to type in their full name as a username- including the space. Without making any changes, you can try that in the captive portal login and it should work.
I suggest changing the cn field mapping to be one of the fields I mentioned previously based on whatever username format you use most often.
Also- to make it more highly available, i suggest adding backup servers to the configuration. If a domain controller goes down, you don't want to be completely unable to authenticate people for internet access anymore. You can also set the server name to be simply <domain.local> (for your domain) since that should resolve to whichever domain controller answers first. The example setup I posted has that set as the tertiary server so that if the two closest DCs don't answer it will just poll anyone to get an answer.
Hope this helps.
CISSP, NSE4
CISSP, NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just wanted to check in with you and say that your responses were correct and solved my issue. Changing the CN allowed me to have this work properly. Unfortunately I'll have to re-import every user as the Fortigate does not recognize the change to the usernames. Hopefully the usernames are not case-sensitive because some are capital and others are not. Guess I will figure that part out soon. Thanks, Again
Related Posts
- FSSO authentication fallback with flow-based policy 173 Views
- EMS cloud: Registration attempt by Endpoint... 649 Views
- SSL VPN Settings Client Certificate 257 Views
- API v2 Adding user to a... 304 Views
- MFA for SSL VPN - Cloud... 176 Views
Labels
-
FortiGate
6,491 -
FortiClient
1,295 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.