Authentication servers

Configuring LDAP group settings

A user group that will use LDAP must be configured. This example creates the group ldap_grp with the member ldap, which is the name of the LDAP server configured earlier, and a match entry with the group-name TRUE. That group-name is compared against the user's "Allow Dial-in" attribute (msNPAllowDialin in the directory), so only users whose attribute has the value TRUE are treated as members of ldap_grp.

 

To configure LDAP group settings – CLI:

config user group
    edit "ldap_grp"
        set member "ldap"
        config match
            edit 1
                set server-name "ldap"
                set group-name "TRUE"
            next
        end
    next
end

Once these settings are in place, users can authenticate.

 

Troubleshooting LDAP

The examples in this section use the values from the previous example.

 

LDAP user test

A quick way to see if the LDAP configuration is correct is to run a diagnose CLI command with LDAP user information. The following command tests a user called netAdmin with the password fortinet against a server named ldap_server. If the server name, user name and password are all correct the test reports success; the two error messages below are what you see otherwise. Note that the password is typed in cleartext on the command line and will appear in the CLI session, so use a test account and change the password afterwards.

FGT# diag test authserver ldap ldap_server netAdmin fortinet

'ldap_server' is not a valid ldap server name
    An LDAP server by that name has not been configured on the FortiGate unit; check your spelling. In the running example the server is named ldap, not ldap_server.

authenticate 'netAdmin' against 'ldap_server' failed!
    The user netAdmin could not be authenticated against ldap_server. Check the spelling of both the user name and the server name, check the password, and confirm that the user exists in the LDAP directory reachable through that server definition.

 

LDAP authentication debugging

For a more in-depth test, you can use a diag debug command. The sample output below shows more information about the authentication process that may prove useful if there are any problems.

Ensure the "Allow Dial-in" attribute is still set to "TRUE" and run the following CLI commands. fnbamd is the Fortinet non-blocking authentication daemon, which handles LDAP, RADIUS and TACACS+ authentication requests.

FGT# diag debug reset

FGT# diag debug application fnbamd -1

FGT# diag debug enable

Then repeat the diag test authserver command (or have a user log in) so that fnbamd handles an authentication and produces output. When you are finished, turn the debugging off again with diag debug disable and diag debug reset, since the daemon-level output is verbose and includes user names and server addresses.

The output will look similar to:

get_member_of_groups-Get the memberOf groups.
get_member_of_groups-attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='TRUE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching

If the "Allow Dial-in" attribute is not set but it is expected, the last line of the above output will instead be:

fnbamd_auth_poll_ldap-Failed group matching
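The following script is an added example for both the LDAP user test and the fnbamd debugging sections above; it is not code from the FortiOS handbook or from Fortinet. It parses the two diag test authserver error messages and the fnbamd debug lines shown on this page and turns them into the same verdicts the text gives (wrong server name, authentication failure, group matching failure, success). The sample lines in the script are constructed from the page's output, the FALSE variant is assumed for illustration, and the "bind/auth failed" verdict for a non-SUCCESS result is an assumption, since the page does not show fnbamd output for that case.

```python
"""Classify FortiGate 'diag test authserver ldap' and fnbamd debug output.

Added example, not Fortinet code. Sample text below is constructed from the
page's sample output; the FALSE attribute case is assumed for illustration.
"""
import re

# Constructed from the page's successful fnbamd debug output.
SUCCESS_DEBUG = """\
get_member_of_groups-Get the memberOf groups.
get_member_of_groups-attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='TRUE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching
"""

# Assumed variant: the user binds fine but Allow Dial-in is FALSE, so the
# match entry with group-name "TRUE" does not match.
GROUP_FAIL_DEBUG = SUCCESS_DEBUG.replace(
    "val[0]='TRUE'", "val[0]='FALSE'").replace("Passed", "Failed")

# The two error lines the page quotes for diag test authserver.
BAD_SERVER_MSG = "'ldap_server' is not a valid ldap server name"
AUTH_FAIL_MSG = "authenticate 'netAdmin' against 'ldap_server' failed!"

ATTR_RE = re.compile(r"attr='([^']+)', found (\d+) values")
VAL_RE = re.compile(r"val\[(\d+)\]='([^']*)'")
RESULT_RE = re.compile(r"Result for ldap svr (\S+) is (\w+)")
GROUP_RE = re.compile(r"(Passed|Failed) group matching")


def parse_fnbamd(debug_text):
    """Pull the attribute name/values, server, result and group-match
    outcome out of fnbamd debug lines."""
    info = {"attr": None, "values": [], "server": None, "result": None,
            "group_match": None, "auth_accepted": False}
    for line in debug_text.splitlines():
        if m := ATTR_RE.search(line):
            info["attr"] = m.group(1)
        elif m := VAL_RE.search(line):
            info["values"].append(m.group(2))
        elif m := RESULT_RE.search(line):
            info["server"], info["result"] = m.group(1), m.group(2)
        elif m := GROUP_RE.search(line):
            info["group_match"] = m.group(1) == "Passed"
        elif "Auth accepted" in line:
            info["auth_accepted"] = True
    return info


def classify_test_output(line):
    """Map a diag test authserver ldap line onto the page's two explanations."""
    if m := re.search(r"'([^']+)' is not a valid ldap server name", line):
        # No server object with that name exists on the FortiGate.
        return ("bad_server_name", m.group(1))
    if m := re.search(r"authenticate '([^']+)' against '([^']+)' failed", line):
        # Server exists; user name, password or directory entry is wrong.
        return ("auth_failed", m.group(1), m.group(2))
    return ("no_known_error",)


def diagnose(debug_text, expected_group_name="TRUE"):
    """Give the verdict a troubleshooter wants from one fnbamd debug capture."""
    info = parse_fnbamd(debug_text)
    if info["result"] != "SUCCESS" or not info["auth_accepted"]:
        # Assumed: page shows no output for this case.
        return "bind/auth failed: check user name, password and server"
    if info["group_match"] is False:
        if expected_group_name not in info["values"]:
            return (f"group match failed: {info['attr']} is {info['values']}, "
                    f"group-name '{expected_group_name}' expected")
        return "group match failed: check config match server-name/group-name"
    return f"ok: {info['attr']}={info['values']} on {info['server']}"


if __name__ == "__main__":
    print(classify_test_output(BAD_SERVER_MSG))
    print(classify_test_output(AUTH_FAIL_MSG))
    print(diagnose(SUCCESS_DEBUG))
    print(diagnose(GROUP_FAIL_DEBUG))
```

Feed it a saved terminal capture of the debug session (for example, the output of diag debug application fnbamd -1 redirected by your SSH client) and compare the verdict against the group-name in config match: if the attribute value printed by get_member_of_groups is not the string the match entry expects, the "Failed group matching" line is explained before you touch the directory.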

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
