By Manny Fernandez

April 9, 2019

Configuring LDAP Authentication for Remote Access VPN

The Fortigate platform allows for multiple authentication options for VPNs.  In the past, I used a lot of Cisco ASA and with it, AnyConnect for remote access VPN.  One of the issues I would run into on ASAs was the limited Authentication methods for a single VPN configuration.  Granted, you could create additional Remote Access VPNs and have each use separate authentication methods (e.g. LDAP, RADIUS, Local).  Fortigate allows you to use all of the authentication methods under a single VPN Portal.  It DOES support realms which allow you to manage different versions of the VPN configuration (e.g. split-tunnel enabled on one and split-tunnel disabled on the other).

In this post, I am going to give you a quick tutorial on configuring SSL VPNs to use Active Directory to authenticate users.  Lets get started.

You will need to create a Service Account with Domain Admin access.  Then create a Security Group (preferably something you are not already using for anything else) and give it a descriptive name (e.g. VPN Users)

Creating the LDAP Server Configuration on the Fortigate

Log into the Fortigate and Choose (1) ‘User & Devices’ then (2) ‘LDAP Servers’, then choose (3) ‘Create’.

2019-04-08_22-30-32

Now we will configure the different options:

2019-04-08_22-42-03

  1. Give the LDAP Server a descriptive name
  2. Provide the IP address of FQDN (Ensure the Fortigate can ping it by name)
  3. Server port (usually 389)
  4. Common Name Identifier – I do not use the ‘CN’, I use ‘sAMAccountName’ (and yes, case sensitive)
  5. Distinguished Name – You can use the ‘Browse’ button and select the base level (I usually choose the root).
  6. Provide the username using thee @domainname option.  I have used it with the LDIF format but with the domain name is much easier. (NOTE: You need to select ‘Regular’ to have it show the Username and Password field).
  7. Password – Self explanitory
  8. The choose ‘Test Connectivity’.  This will check that you can log in with the bound username.  To ensure that the user has enough credentials, you the ‘Test User Credentials’ button.

Obtaining the LDIF Name for the bound username

To get the LDIF format for the user, head to the CLI of the DC and run the following command:

dsquery user -samid

You can also do it via the GUI.  Launch ‘Active Directory Users and Computers’ and ensure you go to ‘View’ then choose ‘Advanced Features’.

2019-04-08_22-53-35

Look for the user you want to use in the LDAP configuration and go to the properties of that user.

2019-04-08_22-55-38

Scroll over to the ‘Attribute Editor’ tab, scroll down to the ‘distinguishedName’ section and choose ‘View’

2019-04-08_22-56-19

Copy this section and use that in the Fortigate LDAP user configuration page.

Once you have the LDAP configured and you are getting a successful connection, we will move on to the next section.

Configuring the Group

2019-04-08_23-02-36

Browse over to the (1) ‘Users & Device’ again, this time choosing (2) ‘User Groups’

2019-04-08_23-03-52

Next, we are going to give this group a name (I like to use the ‘AD’ in the beginning so that I can easily tell that it is an Active Directory group, RADIUS would have a ‘RA’ and local accounts would have a ‘LOCAL’ as a prefix.

Choose the ‘Remote Groups’ and NOT ‘Members’.

2019-04-08_23-04-27

From the drop-down list, choose the LDAP server you created in the first steps. You should now be seeing the query results of the LDAP query.  Here you will be able to choose the Group that will be authorized to VPN in.

2019-04-08_23-05-08

Now, you choose the (1) ‘Groups’ Tab, then enter the name or partial name in the (2) search bar and choose the search button.  Once your group comes up in the (3) results, Right click and (4) choose ‘+ Add Selected’ then choose OK.

Configuring the VPN

2019-04-08_23-06-15

Browse over to ‘VPN’, then choose ‘SSL-VPN Settings’

2019-04-08_23-06-39

Under the ‘Authentication/Portal Mapping’ section (close to the bottom of the screen), Select ‘Create New’

2019-04-08_23-06-59.png

From the drop-down, select the newly created User Group from the previous section, the select what Portal they will use.

Here is where I was saying that Fortigate allows for multiple authentication types and even authentication groups to be used in the same portal.

2019-04-08_23-08-04

Now for the Policy.  When you create the policy, as soon as you choose the ‘Incoming Interface’ you will see that the Fortigate will require you to choose an (1) address and a (2) User or User Group.  Ensure that the Group you created earlier is in this list.  You can add multiple users and/or groups to the ‘User’ section.

And there you go.  Hope this helps.

Recent posts

  • If you've spent any time configuring user authentication on... Full Story

  • DNS is one of those technologies that quietly underpins... Full Story

  • BGP issues on FortiGate firewalls usually trace back to... Full Story

  • Every time your laptop talks to your router, a... Full Story

  • If you've spent any time configuring NAT on a... Full Story

  • If you have spent any time configuring firewall policies... Full Story

  • High availability on FortiGate is one of those features... Full Story

  • If you've configured SD-WAN on a FortiGate, you've almost... Full Story

  • FortiLink is the management protocol that turns a FortiSwitch... Full Story

  • FortiSwitches are pretty rock solid from Mean Time Between... Full Story

  • This is a quicky tip.  Have you ever gone... Full Story

  • DNS is one of those quiet pieces of internet... Full Story

  • This article is an updated version of the previous... Full Story

  • You will add ns2 as a secondary (slave) BIND9... Full Story

  • In the process of deploying my lab, I needed... Full Story

  • RFC 8805, used to be known as Self-Correcting IP... Full Story

  • Years back, I wrote an article about certificate pinning. ... Full Story

  • FortiGates have the ability to send alerts to Microsoft... Full Story

  • In this post, I am going to walk through... Full Story

  • Troubleshooting VoIP on a FortiGate can feel like trying... Full Story

  • Prior to FortiOS 7.0, there were three commands to... Full Story

  • In this post, I am going to go over... Full Story

  • What we are going to do:  We are going... Full Story

  • Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story

  • Creating a VLAN on macOS (The "Pro" Move) A... Full Story

  • This blog post explores the logic behind how macOS... Full Story

  • Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story

  • Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story

  • ICMP introduces several security risks, but careful filtering, rate... Full Story

  • The command diag debug application dhcps -1 enables full... Full Story

  • In the world of FortiOS, execute tac report is... Full Story

  • LLDP; What is it The Link Layer Discovery Protocol... Full Story

  • What it actually does When you run diagnose fdsm... Full Story

  • Monkey Bites are bite-sized, high-impact security insights designed for... Full Story

  • I have run macOS in macOS with Parallels but... Full Story

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story

  • Overview FortiOS 8.0 introduces custom tags as a first-class... Full Story

  • These are two distinct mechanisms on FortiOS, and conflating... Full Story

  • Replacement messages are the pages and text blocks that... Full Story