Setup Guide for Fortigate SSLVPN with LDAP Authentication and 2FA

Posted on February 23, 2021 by rich

Prerequisites

  • You need your SSL VPN portal and settings configured already.
  • You should also have already created your SSL VPN policy (allowing traffic from the SSL VPN interface to your LAN).
  • Creating that policy requires you to add a user or group already; you can re-use that group for the steps below if desired.

Set up LDAP Server

I’m using Active Directory, but you can use any LDAP-based directory service. The example below assumes your AD domain is domain.local.

  1. Navigate to User & Device > LDAP Server
  2. Add a new server and enter the settings:
    • Name: this is the friendly name; I usually just put the hostname in.
    • Server IP: the IP address of your domain controller (or other LDAP server).
    • Server Port: leave this at the default unless you know what you’re doing.
    • Common Name Identifier: this defaults to CN, which means Common Name. This is dumb. Your users are not going to log in as “Bob Smith”; they’re going to log in as bsmith or bsmith@domain.local. Set this to userprincipalname if you want them to use their UPN (bsmith@domain.local), or samaccountname if you want them to just use their username.
    • Distinguished Name: you can’t use the Browse button until you fill out the rest of this page, but this can just be DC=domain,DC=local. Note: if you choose to scope this more narrowly than the domain as listed, your group (in the next section) must be within that scope, or the Fortigate will not find it.
    • Bind Type: Regular.
    • Username/Password: you can start off with a domain admin for testing, but ultimately you should create an unprivileged service account to use here, since these credentials are stored on the Fortigate.
    • Secure Connection/Protocol: I used Secure Connection and selected LDAPS. If you don’t have LDAPS, then don’t use it.
    • At this point you should be able to click Test Connectivity and get a success.

Set up your group

  1. In Active Directory, create a group and add users to it. I called mine SSL VPN Users.
  2. On the Fortigate, navigate to User & Device > User Groups.
  3. Click on Create New.
  4. Name the group the same as the one you created in AD (this isn’t important, it’s just a friendly name).
  5. Select Firewall as the type.
  6. Under the Remote Groups section, click Add, select your LDAP server, and then search for and select your group.
  7. Important: you have to right-click on the group and select Add Selected, and only then hit OK. If you hit OK before adding the selection, the group is not attached.
  8. Hit OK again to save the group.
  9. Configure your SSL VPN firewall policy to use this group for authentication.

Testing

At this point you should be done, because you already set up your SSL VPN, right? You should be able to log in as the user now. If you can’t, go to Log & Report > VPN Events to see what the error is. You can also use the command diag test authserver ldap “YOUR LDAP SERVER NAME” yourusername@domain.local yourpassword from the CLI to test the LDAP bind and group lookup directly.
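For reference, here is the same setup (LDAP server, user group with a remote AD group match, and the policy change from step 9) expressed in the FortiOS CLI, followed by the test command. This is an added example, not configuration from the original post: the server name DC01, the address 192.0.2.10, the service account svc-fortigate-ldap, the group DN, the policy ID 5 and the interface and address object names are all assumed placeholders that you would replace with your own values.

```fortios
# LDAP server: mirrors the GUI fields in the "Set up LDAP Server" section.
# cnid = samaccountname lets users log in as "bsmith"; use userprincipalname
# instead if they should log in as "bsmith@domain.local".
config user ldap
    edit "DC01"
        set server "192.0.2.10"
        set port 636
        set secure ldaps
        set cnid "sAMAccountName"
        set dn "DC=domain,DC=local"
        set type regular
        # Unprivileged bind account: it only needs to read user and group objects.
        set username "CN=svc-fortigate-ldap,OU=Service Accounts,DC=domain,DC=local"
        set password "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
    next
end

# Firewall user group: the "config match" block is what the GUI's "Add Selected"
# step creates. Without it the group has a member server but matches nobody.
config user group
    edit "SSL VPN Users"
        set member "DC01"
        config match
            edit 1
                set server-name "DC01"
                set group-name "CN=SSL VPN Users,OU=Groups,DC=domain,DC=local"
            next
        end
    next
end

# Step 9: attach the group to the existing SSL VPN to LAN policy (ID 5 assumed).
# Only members of the AD group will be able to authenticate through it.
config firewall policy
    edit 5
        set groups "SSL VPN Users"
    next
end

# Testing (from the CLI): binds as the service account, looks up the user and
# reports the groups it matched, which confirms both the cnid and the match DN.
diagnose test authserver ldap "DC01" bsmith@domain.local yourpassword
```

Before running the test, check that the Fortigate trusts the certificate presented by the domain controller over LDAPS; a failed bind from the diagnose command combined with a successful plain-LDAP test usually points at the certificate chain rather than at the credentials.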
