Administration Guide

Configuring FortiSASE with an LDAP server for remote user authentication in endpoint mode

Configuring remote users over LDAP allows FortiSASE to easily integrate with a Windows Active Directory (AD) server or another LDAP server. This example has a Windows domain controller that has users defined in its AD. You want to allow certain users VPN access over FortiSASE. These users connect using their Windows domain credentials.

The Windows server is protected by a FortiGate that uses a virtual IP address (VIP) to port forward port 10636 to the Windows server. The firewall policy for this VIP allows traffic only from the FortiSASE IP address, so the domain controller's LDAPS service is not exposed to the rest of the internet. The example domain is KLHOME.local.

Note

FortiSASE can connect to DNS, RADIUS, or LDAP servers that have internal IP addresses or FQDNs when all of the following are true:

  • Access Type is set to Private in the RADIUS or LDAP server settings.
  • The internal servers are located behind a secure private access (SPA) hub.
  • The SPA hub in FortiSASE has been configured with BGP per overlay.

When the FortiSASE Endpoint Management Service uses LDAP servers with Groups & AD Users for endpoint profile assignments, these servers must use public IP addresses or publicly accessible FQDNs with Access Type set to Public in the LDAP server settings and may require some configuration or topology changes.

See Network restrictions removed.

Configuring the LDAP server in FortiSASE

To configure the LDAP server in FortiSASE:
  1. Go to Configuration > LDAP.
  2. Click Create.
  3. Configure the following settings:

    Field

    Description

    Name

    Connection name.

    Access Type

    When set to Private, secure private access (SPA) is used for the LDAP server. Ensure the SPA network is configured.

    Server IP/Name

    LDAP server IP address or FQDN.

    Server Port

    By default, FortiSASE connects over LDAPS on port 636 (plain LDAP uses port 389). If your server listens on a custom port, or a device in the path forwards a different port, define it here. In this example, it is 10636, the port that the FortiGate VIP forwards to the Windows server.

    Common Name Identifier

    The attribute whose value users enter as their username. FortiSASE searches this attribute under the Distinguished Name to find the user's entry, so the username that users type must match that attribute's value.

    • In an AD, this is commonly the common name attribute, which is denoted cn. Users then log in with their cn value, which is typically their full name.
    • Alternatively, you can use sAMAccountName, the pre-Windows 2000 logon name. Type the attribute name exactly as shown, because this field is case-sensitive.
    • In other LDAP servers, it may be the user ID, which is denoted uid.
    • In an AD, for usernames in the username@domain format, use the user principal name (UPN) attribute, which is denoted userPrincipalName.

    Distinguished Name

    The base DN of the subtree in which FortiSASE looks up user account entries. The search starts at this DN and, for Regular and Anonymous bind, recurses through the containers and organizational units below it, so the DN must sit above the user objects you want to match on the Common Name Identifier.

    To look up all objects under the root of the example AD domain, specify dc=KLHOME,dc=local. To restrict lookups to users in a specific organizational unit, specify ou=VPN-Users,dc=KLHOME,dc=local; the narrower base is preferable when only users in that OU should be able to authenticate.

    Secure Connection

    Enable to connect to the server over LDAPS. Using LDAPS is recommended so that bind credentials and user passwords travel over an encrypted connection. If disabled, communication, including passwords, occurs in clear text.

    Password Renewal

    Enable remote password renewal. When the LDAP user's password expires, the user can renew their password when authenticating with FortiSASE. This option is only available if using LDAPS.

    Certificate

    Select the CA certificate that FortiSASE uses to verify the LDAPS server certificate. If the server certificate was not issued by a CA that FortiSASE already trusts (for example, an internal enterprise CA), export the issuing CA certificate (or the server certificate itself, if it is self-signed) from your server and install it on FortiSASE. To import the certificate, do the following:

    1. Click Certificate, then Create.
    2. If you have the certificate file, select File.
    3. Click Upload. This creates a new remote CA certificate in the FortiSASE certificate store.

    You can also import and view the certificate in System > Certificates.

    Server Identity Check

    If enabled, FortiSASE verifies that the server certificate contains the value entered in the Server IP/Name field (in its Subject Alternative Name or subject common name) and rejects the connection otherwise. Keep this enabled: without it, any certificate issued by the selected CA is accepted regardless of the name it carries. In this example, where the server is reached through a FortiGate VIP, enter a name or address that actually appears in the domain controller's certificate, or the check will fail.

    Advanced Group Matching

    Enable advanced group matching. Based on your LDAP server, you may need to configure additional properties to ensure that FortiSASE correctly matches LDAP groups.

    Group Member Check

    Determines which attributes FortiSASE uses for group matching:

    • Group object
    • POSIX group object
    • User attribute

    Group Filter

    Enter the filter to use for group matching. Required when Group Member Check is set to User attribute.

    Group Search Base

    Enter the search base to use for group searching. Required when Group Member Check is set to User attribute.

    Member Attribute

    Enter the name of the attribute from which FortiSASE retrieves the group membership information.

    Note

    The FortiSASE Endpoint Management Service does not support importing LDAP subdomains if you have already imported the LDAP parent domain previously into it.

  4. Configure the following Authenticate settings:

    Field

    Description

    Bind Type

    Select one of the following. Regular bind is recommended:

    • Simple: FortiSASE binds directly as the authenticating user, forming the bind DN from the Common Name Identifier and the Distinguished Name. No search is performed, so the user's entry must sit directly under the DN, not in a subtree.
    • Anonymous: bind as an anonymous user and search starting from the DN, recursing over the subtrees. Many LDAP servers, including AD by default, do not allow anonymous searches.
    • Regular: bind using the username and password provided below, then search starting from the DN, recursing over the subtrees, to locate the user's entry before verifying the user's own credentials.

    Username

    If using regular bind, enter the username of the account that FortiSASE binds with. In the example AD, this may be KLHOME\administrator or administrator@KLHOME. In production, use a dedicated service account with read-only directory access rather than a domain administrator: FortiSASE stores this password, and the account only needs to search users and groups.

    Password

    If using regular bind, enter the password.

    Client Certificate

    Enable client certificate for authentication with LDAPS server. Select the client certificate that you previously uploaded to FortiSASE.

  5. Click Test connection. If the connection fails, return to the previous steps to reconfigure the LDAP server, or skip the test. If the connection succeeds, click Next.
  6. Review the configuration, then click Submit.
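When Test connection fails, the GUI result does not say which layer failed: the VIP and port forward, the TLS chain, the Server Identity Check, or the bind credentials. The following is an added example written for this guide; it is not Fortinet code and does not use any FortiSASE API. From any host that can reach the VIP, it reproduces what the test exercises: a TLS connection that trusts only the CA certificate you intend to upload, the same hostname check as Server Identity Check, and a Regular (simple password) bind with the bind account. The LDAPv3 BindRequest and BindResponse are hand-encoded in BER so that only the Python standard library is needed. The host name ldap.klhome.example, the CA file klhome-root-ca.pem and the service account svc-fortisase@KLHOME.local are assumed placeholders, not values from this page.

```python
"""LDAPS pre-flight check for a FortiSASE LDAP server definition.

Added example for this guide, not Fortinet code. It checks the TLS chain
against the CA you will upload, the hostname (Server Identity Check), and a
simple bind, using hand-encoded LDAPv3 messages (RFC 4511) over a TLS socket.
"""
import socket
import ssl
import sys


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value: int) -> bytes:
    """BER INTEGER, two's complement, minimal length."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth."""
    bind = _tlv(0x60, _int(3)                               # version 3
                + _tlv(0x04, bind_dn.encode("utf-8"))      # name (LDAPDN)
                + _tlv(0x80, password.encode("utf-8")))    # simple [0] password
    return _tlv(0x30, _int(message_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)                          # messageID
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:                                     # BindResponse [APPLICATION 1]
        raise ValueError(f"unexpected protocolOp tag 0x{op_tag:02x}")
    _, code, pos = _read_tlv(op, 0)                        # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)                         # matchedDN
    _, diag, _ = _read_tlv(op, pos)                        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldaps_preflight(host: str, port: int, cafile: str, bind_dn: str,
                    password: str, identity_check: bool = True) -> tuple[int, str]:
    """Connect over TLS trusting only cafile, then bind; return the bind result.

    identity_check=False mirrors disabling Server Identity Check in FortiSASE:
    any certificate issued by cafile is then accepted, whatever name it carries.
    """
    ctx = ssl.create_default_context(cafile=cafile)        # only the CA you will upload
    ctx.check_hostname = identity_check
    ctx.verify_mode = ssl.CERT_REQUIRED                    # never fall back to clear text
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return parse_bind_response(tls.recv(4096))     # a BindResponse is small


if __name__ == "__main__":
    # Assumed placeholders for the guide's example: the name behind the FortiGate
    # VIP forwarding 10636, the exported CA, and a read-only service account.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.klhome.example"
    code, diag = ldaps_preflight(host, 10636, "klhome-root-ca.pem",
                                 "svc-fortisase@KLHOME.local", "REPLACE_ME")
    print("bind OK" if code == 0 else f"bind failed: resultCode={code} {diag!r}")
```

Each failure names its layer: a connection timeout points at the VIP or its firewall policy; a certificate chain error means the wrong CA file; a hostname mismatch means the value you entered in Server IP/Name is absent from the server certificate (common when a bare VIP address is used); a BindResponse with resultCode 49 (invalidCredentials) means the TLS path is fine and the bind account or password is wrong. Passing identity_check=False gets past the hostname mismatch only by accepting any certificate from that CA, which is the same weakening as disabling Server Identity Check in FortiSASE.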

Configuring remote users from the LDAP server

To configure remote users from the LDAP server:
  1. Do one of the following:
    • To send invitations directly to individual users, do the following:
      1. Go to Configuration > Users.
      2. Click Create.
      3. Select LDAP User, then click Next.
      4. From the LDAP Server dropdown list, select the server that you configured. Click Next.
      5. FortiSASE displays the available remote users, enumerating every user entry from the configured Distinguished Name down through its subtrees. Select users as desired. Click Next.
      6. Provide the users' email addresses. FortiSASE sends invitation codes and connection instructions to these email addresses.
      7. Click OK.
    • To create and send invitations to a group of users, do the following:
      1. Go to Configuration > Users.
      2. Click Create > User Group.
      3. In the Users field, click +.
      4. In the Select Entries pane, select the desired users to add to this user group.
      5. In the Remote Groups field, select Create.
      6. From the Remote Server dropdown list, select the desired server.
      7. In the Groups field, add the desired groups from the selected server to this user group. Click OK twice.
      8. Go to Dashboards > Status. In the Remote User Management widget, click Onboard Users.
      9. Under Invite Users, enter the email addresses of the users that you want to add to FortiSASE. Click Send. FortiSASE sends invitation emails to these users so that they can download FortiClient and connect to FortiSASE.

Connecting VPN from FortiClient

The end user follows these instructions to connect to the FortiSASE VPN tunnel.

To connect VPN from FortiClient:
  1. Follow the instructions from the received email to install the compatible FortiClient version on to your device.
  2. Once installed, open FortiClient.
  3. On the ZERO TRUST TELEMETRY tab, in the Join FortiClient Cloud field, enter the invitation code from the received email.
  4. FortiClient connects to and becomes provisioned by FortiClient Cloud. On the REMOTE ACCESS tab, connect to the preconfigured VPN tunnel using your Windows username and password. The username must match the attribute that the administrator chose as the Common Name Identifier: if that is cn, it is typically the user's full name rather than the logon name. Once connected, the REMOTE ACCESS tab displays the active VPN connection and additional information.
