Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiClient 7.2.1 Administration Guide
    7.2.1
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0

    FortiGate authentication configuration

    FortiGate authentication configuration

    You must configure several components on the FortiGate to perform authentication:

    Component

    Description

    LDAP server

    The LDAP server configuration defines the connection to the Active Directory (AD) server. It also defines the subject alternate name (SAN) field in the client certificate that should be used for matching. This can be one of the following:

    • Othername – “Other name” in the SAN field
    • rfc822name – RFC822 email address in the SAN field
    • dnsname – DNS name in the SAN field

    You can define the LDAP search filter to look up and match the preferred field on the LDAP server. By default, the (userPrincipalName=%s) filter filters on the UPN field during LDAP lookup. If looking up the name is desired, change the first portion of the filter to (name=%s).

    See Using the SAN field for LDAP-integrated certificate authentication.

    PKI user

    A PKI user defines one or many users that are matched using client certificate. Matching against many users uses the LDAP-integrated authentication method.

    See Configuring a PKI user.

    User group

    A user group must have the LDAP server and PKI user objects defined.

    Optionally, select a group name to match a computer that is memberOf the LDAP group.
    To configure the LDAP server:
    1. In FortiOS, go to User & Authentication > LDAP Servers.
    2. Click Create.
    3. Configure the LDAP server as follows:

      Field

      Value/configuration

      Name

      LDAP-fortiad-Machine

      Server IP/Name

      10.88.0.1

      Common Name Identifier

      sAMAccountName

      Distinguished Name

      dc=fortiad,dc=info

      Bind Type

      Regular

      Username

      fortiad\Administrator

      Password

      <password>

      Secure Connection

      Enable. This is recommended.

      Protocol

      LDAPS

      Certificate

      FortiAD.Info. This is the certificate authority (CA) certificate imported from the CA.

      Server identity check

      Enable if supported.

    4. Click OK.
    5. To define the SAN-related settings, configure the bolded settings in the CLI: 
      config user ldap
    edit "LDAP-fortiad-Machine"
        set server "10.88.0.1"
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "dc=fortiad,dc=info"
        set type regular
        set username "fortiad\\Administrator"
        set password ENC <password>
        set secure ldaps
        set ca-cert "FortiAD.Info"
        set port 636
        set account-key-upn-san dnsname
        set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end

      To filter on the SAN field UPN and match the name field during LDAP lookup, configure the following settings instead:

      config user ldap
    edit "LDAP-fortiad-Machine"
        set account-key-processing strip
        set account-key-upn-san othername
        set account-key-filter "(&(name=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end

    The setting set account-key-processing strip allows the FortiGate to strip the domain portion of the othername before using it in the LDAP lookup.

    To configure the PKI user:

    You must configure the first PKI user from the CLI before it appears in the GUI. You must select the FortiAD.Info CA certificate to verify the chain of trust.

    config user peer

    edit "PKI-LDAP-Machine"

    set ca "FortiAD.Info"

    set ldap-server "LDAP-fortiad-Machine"

    set ldap-mode principal-name

    next

    end

    To configure the user group:
    1. Do one of the following:
      1. To configure the user group in the GUI, do the following:
        1. From User & Authentication > User Groups, click Create New.
        2. Set Name to PKI-Machine-Group.
        3. Set Type to Firewall.
        4. Set Members to the PKI user PKI-LDAP-Machine.
        5. Under Remote Groups, click Add.
        6. Select the Remote Server LDAP-fortiad-Machine.
        7. From the tree, optionally select a group used for matching. Once selected, right-click the entry and click Add Selected.
        8. Click OK to save.
        9. Click OK again to save the user group object.
      2. To configure the user group in the CLI, run the following commands: 
        config user group
    edit "PKI-Machine-Group"
        set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
        config match
            edit 1
                set server-name "LDAP-fortiad-Machine"
                set group-name "CN=VPNComputers,CN=Users,DC=fortiad,DC=info"
            next
        end
    next
end
    Previous
    Next

    FortiGate authentication configuration

    FortiGate authentication configuration

    You must configure several components on the FortiGate to perform authentication:

    Component

    Description

    LDAP server

    The LDAP server configuration defines the connection to the Active Directory (AD) server. It also defines the subject alternate name (SAN) field in the client certificate that should be used for matching. This can be one of the following:

    • Othername – “Other name” in the SAN field
    • rfc822name – RFC822 email address in the SAN field
    • dnsname – DNS name in the SAN field

    You can define the LDAP search filter to look up and match the preferred field on the LDAP server. By default, the (userPrincipalName=%s) filter filters on the UPN field during LDAP lookup. If looking up the name is desired, change the first portion of the filter to (name=%s).

    See Using the SAN field for LDAP-integrated certificate authentication.

    PKI user

    A PKI user defines one or many users that are matched using client certificate. Matching against many users uses the LDAP-integrated authentication method.

    See Configuring a PKI user.

    User group

    A user group must have the LDAP server and PKI user objects defined.

    Optionally, select a group name to match a computer that is memberOf the LDAP group.
    To configure the LDAP server:
    1. In FortiOS, go to User & Authentication > LDAP Servers.
    2. Click Create.
    3. Configure the LDAP server as follows:

      Field

      Value/configuration

      Name

      LDAP-fortiad-Machine

      Server IP/Name

      10.88.0.1

      Common Name Identifier

      sAMAccountName

      Distinguished Name

      dc=fortiad,dc=info

      Bind Type

      Regular

      Username

      fortiad\Administrator

      Password

      <password>

      Secure Connection

      Enable. This is recommended.

      Protocol

      LDAPS

      Certificate

      FortiAD.Info. This is the certificate authority (CA) certificate imported from the CA.

      Server identity check

      Enable if supported.

    4. Click OK.
    5. To define the SAN-related settings, configure the bolded settings in the CLI: 
      config user ldap
    edit "LDAP-fortiad-Machine"
        set server "10.88.0.1"
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "dc=fortiad,dc=info"
        set type regular
        set username "fortiad\\Administrator"
        set password ENC <password>
        set secure ldaps
        set ca-cert "FortiAD.Info"
        set port 636
        set account-key-upn-san dnsname
        set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end

      To filter on the SAN field UPN and match the name field during LDAP lookup, configure the following settings instead:

      config user ldap
    edit "LDAP-fortiad-Machine"
        set account-key-processing strip
        set account-key-upn-san othername
        set account-key-filter "(&(name=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end

    The setting set account-key-processing strip allows the FortiGate to strip the domain portion of the othername before using it in the LDAP lookup.

    To configure the PKI user:

    You must configure the first PKI user from the CLI before it appears in the GUI. You must select the FortiAD.Info CA certificate to verify the chain of trust.

    config user peer

    edit "PKI-LDAP-Machine"

    set ca "FortiAD.Info"

    set ldap-server "LDAP-fortiad-Machine"

    set ldap-mode principal-name

    next

    end

    To configure the user group:
    1. Do one of the following:
      1. To configure the user group in the GUI, do the following:
        1. From User & Authentication > User Groups, click Create New.
        2. Set Name to PKI-Machine-Group.
        3. Set Type to Firewall.
        4. Set Members to the PKI user PKI-LDAP-Machine.
        5. Under Remote Groups, click Add.
        6. Select the Remote Server LDAP-fortiad-Machine.
        7. From the tree, optionally select a group used for matching. Once selected, right-click the entry and click Add Selected.
        8. Click OK to save.
        9. Click OK again to save the user group object.
      2. To configure the user group in the CLI, run the following commands: 
        config user group
    edit "PKI-Machine-Group"
        set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
        config match
            edit 1
                set server-name "LDAP-fortiad-Machine"
                set group-name "CN=VPNComputers,CN=Users,DC=fortiad,DC=info"
            next
        end
    next
end
    Previous
    Next