Steps to configure FortiGate SSL VPN Authentication with AD (Active Directory)
- Create a LDAP Server in FortiGate
- AD Server = 192.168.1.200
- cnid = sAMAccountName
config user ldap
edit "UAT-AD01"
set server "192.168.1.200"
set cnid "sAMAccountName"
set dn "dc=uat,dc=aventislab,dc=com"
set type regular
set username "uat\\administrator"
set password P@ssw0rd
next
end
- Verify that the LDAP connection is established successfully with "diagnose test authserver ldap UAT-AD01 uat1 P@ssw0rd"
FG60E # diagnose test authserver ldap UAT-AD01 administrator P@ssw0rd!@#$
authenticate 'uat1' against 'UAT-AD01' succeeded!
Group membership(s) - CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com
CN=Domain Users,CN=Users,DC=uat,DC=aventislab,DC=com
- Create a local Fortinet Single Sign-On (FSSO) agent entry
config user fsso
edit "Local FSSO Agent"
set server "127.0.0.1"
next
end
- Configure FSSO Polling from AD Server
config user fsso-polling
edit 1
set server "192.168.1.200"
set user "uat\\administrator"
set password P@ssw0rd
set ldap-server "UAT-AD01"
next
end
- Create a new Group in FortiGate for MyO365 AD Group
config user group
edit "LDAP-Users"
set member "UAT-AD01"
config match
edit 1
set server-name "UAT-AD01"
set group-name "CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com"
next
end
next
end
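The user lookup and group match the FortiGate performs above, reproduced offline as an added Python example (not FortiGate code and not from the original post) so the group-name string can be checked against the DNs printed by diagnose test authserver; the memberOf lists are constructed from that output.

```python
# Added example: mirrors the FortiGate's LDAP user lookup (cnid = sAMAccountName
# under the base dn) and the "config match" group-name comparison, offline.
import re

# Same values as the FortiGate config above
CNID = "sAMAccountName"
BASE_DN = "dc=uat,dc=aventislab,dc=com"
REQUIRED_GROUP = "CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com"

# RFC 4515 escaping: a login name can never alter the search filter itself
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, cnid: str = CNID) -> str:
    """Filter that is searched under BASE_DN to locate the user object."""
    return f"({cnid}={escape_filter_value(username)})"

def normalize_dn(dn: str) -> str:
    """DN comparison is case-insensitive and ignores spaces around commas."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(p.lower() for p in parts)

def is_group_member(member_of: list[str], group_dn: str = REQUIRED_GROUP) -> bool:
    """True when one of the user's memberOf DNs equals the configured group-name."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(dn) == wanted for dn in member_of)

# Constructed sample: memberOf values as listed by "diagnose test authserver" above
UAT1_GROUPS = [
    "CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com",
    "CN=Domain Users,CN=Users,DC=uat,DC=aventislab,DC=com",
]
# Constructed sample: a domain user who is not in MyO365
OTHER_USER_GROUPS = ["CN=Domain Users,CN=Users,DC=uat,DC=aventislab,DC=com"]

if __name__ == "__main__":
    print("search filter:", build_user_filter("uat1"))
    print("uat1 allowed:", is_group_member(UAT1_GROUPS))
    print("other user allowed:", is_group_member(OTHER_USER_GROUPS))
```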
- Update the firewall policy for SSL VPN to include set groups "LDAP-Users", so that only members of MyO365 can log in
config firewall policy
edit 20
set name "SSLVPN_Internal"
set uuid cd9e6c5c-de7a-51e8-9c01-08e536f6d644
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "all"
set dstaddr "PROD_LAN"
set action accept
set schedule "always"
set service "ALL"
set groups "LDAP-Users"
next
end
- Users who are members of the MyO365 AD group are now allowed to log in to the SSL VPN.
- Other users will see the pop-up message below if they try to log in.