Fortinet white logo
Fortinet white logo

Administration Guide

FortiGate authentication configuration

FortiGate authentication configuration

You must configure several components on the FortiGate to perform authentication:

Component

Description

LDAP server

The LDAP server configuration defines the connection to the Active Directory (AD) server. It also defines the subject alternate name (SAN) field in the client certificate that should be used for matching. This can be one of the following:

  • Othername – “Other name” in the SAN field
  • rfc822name – RFC822 email address in the SAN field
  • dnsname – DNS name in the SAN field

You can define the LDAP search filter to look up and match the preferred field on the LDAP server. By default, the (userPrincipalName=%s) filter filters on the UPN field during LDAP lookup. If looking up the name is desired, change the first portion of the filter to (name=%s).

See Using the SAN field for LDAP-integrated certificate authentication.

PKI user

A PKI user defines one or many users that are matched using client certificate. Matching against many users uses the LDAP-integrated authentication method.

See Configuring a PKI user.

User group

A user group must have the LDAP server and PKI user objects defined.

Optionally, select a group name to match a computer that is memberOf the LDAP group.

To configure the LDAP server:
  1. In FortiOS, go to User & Authentication > LDAP Servers.
  2. Click Create.
  3. Configure the LDAP server as follows:

    Field

    Value/configuration

    Name

    LDAP-fortiad-Machine

    Server IP/Name

    10.88.0.1

    Common Name Identifier

    sAMAccountName

    Distinguished Name

    dc=fortiad,dc=info

    Bind Type

    Regular

    Username

    fortiad\Administrator

    Password

    <password>

    Secure Connection

    Enable. This is recommended.

    Protocol

    LDAPS

    Certificate

    FortiAD.Info. This is the certificate authority (CA) certificate imported from the CA.

    Server identity check

    Enable if supported.

  4. Click OK.
  5. To define the SAN-related settings, configure the bolded settings in the CLI:
    config user ldap
        edit "LDAP-fortiad-Machine"
            set server "10.88.0.1"
            set server-identity-check enable
            set cnid "sAMAccountName"
            set dn "dc=fortiad,dc=info"
            set type regular
            set username "fortiad\\Administrator"
            set password ENC <password>
            set secure ldaps
            set ca-cert "FortiAD.Info"
            set port 636
            set account-key-upn-san dnsname
            set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
        next
    end

    To filter on the SAN field UPN and match the name field during LDAP lookup, configure the following settings instead:

    config user ldap
        edit "LDAP-fortiad-Machine"
            set account-key-processing strip
            set account-key-upn-san othername
            set account-key-filter "(&(name=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
        next
    end
    

The setting set account-key-processing strip allows the FortiGate to strip the domain portion of the othername before using it in the LDAP lookup.

To configure the PKI user:

You must configure the first PKI user from the CLI before it appears in the GUI. You must select the FortiAD.Info CA certificate to verify the chain of trust.

config user peer

edit "PKI-LDAP-Machine"

set ca "FortiAD.Info"

set ldap-server "LDAP-fortiad-Machine"

set ldap-mode principal-name

next

end

To configure the user group:
  1. Do one of the following:
    1. To configure the user group in the GUI, do the following:
      1. From User & Authentication > User Groups, click Create New.
      2. Set Name to PKI-Machine-Group.
      3. Set Type to Firewall.
      4. Set Members to the PKI user PKI-LDAP-Machine.
      5. Under Remote Groups, click Add.
      6. Select the Remote Server LDAP-fortiad-Machine.
      7. From the tree, optionally select a group used for matching. Once selected, right-click the entry and click Add Selected.
      8. Click OK to save.
      9. Click OK again to save the user group object.
    2. To configure the user group in the CLI, run the following commands:
      config user group
          edit "PKI-Machine-Group"
              set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
              config match
                  edit 1
                      set server-name "LDAP-fortiad-Machine"
                      set group-name "CN=VPNComputers,CN=Users,DC=fortiad,DC=info"
                  next
              end
          next
      end

FortiGate authentication configuration

FortiGate authentication configuration

You must configure several components on the FortiGate to perform authentication:

Component

Description

LDAP server

The LDAP server configuration defines the connection to the Active Directory (AD) server. It also defines the subject alternate name (SAN) field in the client certificate that should be used for matching. This can be one of the following:

  • Othername – “Other name” in the SAN field
  • rfc822name – RFC822 email address in the SAN field
  • dnsname – DNS name in the SAN field

You can define the LDAP search filter to look up and match the preferred field on the LDAP server. By default, the (userPrincipalName=%s) filter filters on the UPN field during LDAP lookup. If looking up the name is desired, change the first portion of the filter to (name=%s).

See Using the SAN field for LDAP-integrated certificate authentication.

PKI user

A PKI user defines one or many users that are matched using client certificate. Matching against many users uses the LDAP-integrated authentication method.

See Configuring a PKI user.

User group

A user group must have the LDAP server and PKI user objects defined.

Optionally, select a group name to match a computer that is memberOf the LDAP group.

To configure the LDAP server:
  1. In FortiOS, go to User & Authentication > LDAP Servers.
  2. Click Create.
  3. Configure the LDAP server as follows:

    Field

    Value/configuration

    Name

    LDAP-fortiad-Machine

    Server IP/Name

    10.88.0.1

    Common Name Identifier

    sAMAccountName

    Distinguished Name

    dc=fortiad,dc=info

    Bind Type

    Regular

    Username

    fortiad\Administrator

    Password

    <password>

    Secure Connection

    Enable. This is recommended.

    Protocol

    LDAPS

    Certificate

    FortiAD.Info. This is the certificate authority (CA) certificate imported from the CA.

    Server identity check

    Enable if supported.

  4. Click OK.
  5. To define the SAN-related settings, configure the bolded settings in the CLI:
    config user ldap
        edit "LDAP-fortiad-Machine"
            set server "10.88.0.1"
            set server-identity-check enable
            set cnid "sAMAccountName"
            set dn "dc=fortiad,dc=info"
            set type regular
            set username "fortiad\\Administrator"
            set password ENC <password>
            set secure ldaps
            set ca-cert "FortiAD.Info"
            set port 636
            set account-key-upn-san dnsname
            set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
        next
    end

    To filter on the SAN field UPN and match the name field during LDAP lookup, configure the following settings instead:

    config user ldap
        edit "LDAP-fortiad-Machine"
            set account-key-processing strip
            set account-key-upn-san othername
            set account-key-filter "(&(name=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
        next
    end
    

The setting set account-key-processing strip allows the FortiGate to strip the domain portion of the othername before using it in the LDAP lookup.

To configure the PKI user:

You must configure the first PKI user from the CLI before it appears in the GUI. You must select the FortiAD.Info CA certificate to verify the chain of trust.

config user peer

edit "PKI-LDAP-Machine"

set ca "FortiAD.Info"

set ldap-server "LDAP-fortiad-Machine"

set ldap-mode principal-name

next

end

To configure the user group:
  1. Do one of the following:
    1. To configure the user group in the GUI, do the following:
      1. From User & Authentication > User Groups, click Create New.
      2. Set Name to PKI-Machine-Group.
      3. Set Type to Firewall.
      4. Set Members to the PKI user PKI-LDAP-Machine.
      5. Under Remote Groups, click Add.
      6. Select the Remote Server LDAP-fortiad-Machine.
      7. From the tree, optionally select a group used for matching. Once selected, right-click the entry and click Add Selected.
      8. Click OK to save.
      9. Click OK again to save the user group object.
    2. To configure the user group in the CLI, run the following commands:
      config user group
          edit "PKI-Machine-Group"
              set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
              config match
                  edit 1
                      set server-name "LDAP-fortiad-Machine"
                      set group-name "CN=VPNComputers,CN=Users,DC=fortiad,DC=info"
                  next
              end
          next
      end