This how-to explains how to use LDAP authentication against Microsoft Active Directory for an IPsec VPN terminated on a Fortinet device.

I've tested it with a FortiGate 60B and a FortiGate 100A with success.
This post assumes you already have a fully functional IPsec VPN configuration on your Fortinet device, with authentication based on a FortiGate user group.

Connect to your device with SSH (or however you prefer, even via the web browser) and log in as "admin".

From the console enter the following:

    config user ldap
        edit "GroupName"
            set server "my.adserver.ip.address"
            set cnid "sAMAccountName"
            set dn "ou=xxx,dc=yyyy,dc=zzzz"
            set type regular
            set username "domain\\Administrator"
            set password ENC *******************************************
        next
    end

Where:
- "GroupName" is the label of the auth group (the name of this LDAP server entry)
- cnid is the common name identifier; with sAMAccountName the user is matched on the AD login name
- dn is the LDAP tree path to the Organizational Unit that contains your users
- type regular is the authentication type
- username is an account that can read your AD LDAP tree (you should use an account other than Administrator, ideally a dedicated read-only one)
- password is the password of the account above

Then edit your local group with the following command:

    config user group

Locate your VPN group and add the LDAP entry ("GroupName") created above to it.
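Before the LDAP entry goes live it is worth reviewing it against the points listed above. The following script is an added example, not part of the original post: it parses a constructed copy of the post's snippet in FortiOS CLI form and flags a missing setting, an Administrator bind account, a cnid other than sAMAccountName, or a base DN without a dc= component. The parser, the check rules and the finding texts are this example's own.

```python
import re

# Constructed copy of the post's snippet; the placeholder values are the post's own.
SAMPLE_CONFIG = r"""
config user ldap
    edit "GroupName"
        set server "my.adserver.ip.address"
        set cnid "sAMAccountName"
        set dn "ou=xxx,dc=yyyy,dc=zzzz"
        set type regular
        set username "domain\\Administrator"
        set password ENC *******************************************
    next
end
"""

def parse_user_ldap(text):
    """Map each 'edit' entry of 'config user ldap' to a {setting: value} dict."""
    entries, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config user ldap":
            in_block = True
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif in_block and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop surrounding quotes; unquoted values stay verbatim
            entries[current][key] = value
        elif line == "next":
            current = None
        elif line == "end":
            in_block, current = False, None
    return entries

def review_entry(settings):
    """Return review findings for one LDAP server entry; an empty list means nothing flagged."""
    findings = [f"missing '{k}'" for k in ("server", "cnid", "dn", "username", "password")
                if k not in settings]
    # The post itself says the bind account should not be Administrator.
    if settings.get("username", "").split("\\")[-1].lower() == "administrator":
        findings.append("bind account is Administrator; use a dedicated read-only account")
    if settings.get("cnid", "").lower() != "samaccountname":
        findings.append("cnid is not sAMAccountName, so AD login names will not match")
    if not re.search(r"dc=", settings.get("dn", ""), re.IGNORECASE):
        findings.append("dn has no dc= component; the base DN is probably wrong")
    return findings
```

Running review_entry on the parsed "GroupName" entry returns a single finding, the Administrator bind account; a copy of the running config pasted into SAMPLE_CONFIG can be reviewed the same way.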

Test it with the Fortinet VPN client, FortiClient (http://www.fortinet.com/products/forticlient/).

Hope this helps

Bye
Riccardo


Source: http://www.riccardoriva.com/archives/886
