This is a technical article for IT/Network system administrators. (A blog is only good if the author himself will come back and read his own blog. I am posting this as a note I may look up later).
Most articles and online documentation will help you get your Fortinet/Fortigate firewall hooked up to a Windows AD controller and do centralized user authentication via LDAP or RADIUS. Of course you should use centralized user authentication instead of a local user database in any large enterprise, so that you have a single place to administer your users. When an employee quits, you disable that user in one place, and that user loses access to the entire network at once. But what if you have Linux servers in your enterprise and don’t want to use a Windows AD controller for centralized authentication? The solution is LDAP authentication against an IPA server on Linux.
Prerequisites in this example
I assume you have installed and configured IPA (included at no extra cost with Red Hat Linux) or FreeIPA (which you can compile and install yourself from source), and that the IPA server, 10.11.12.13 in this example, has a service account "fortigate-bind" with permission to query your LDAP directory for users. I will not cover the installation and configuration of the IPA server here, only the Fortigate to IPA integration. Everything is done from the command line.
Configure LDAP server object on Fortigate.
config user ldap
    edit "ipaserver01"
        set server "10.11.12.13"
        set cnid "uid"
        set dn "cn=accounts,dc=example,dc=com"
        set type regular
        set username "uid=fortigate-bind,cn=users,cn=accounts,dc=example,dc=com"
        set password ENC (encrypted password string...)
    next
end
Configure the user group to be used in the SSL VPN portal on the Fortigate.
config user group
    edit "ipa-users"
        set sslvpn-portal "IPA-AUTH-LOCAL"
        set member "ipaserver01"
    next
end
Configure firewall Policy on fortigate.
This step varies heavily depending on the rights your authenticated users should actually have. Treat the policy below as an example only, but note that the identity-based policy maps to the authenticated LDAP users, which will later be restricted to a specific LDAP group.
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "External"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set logtraffic enable
                set groups "ipa-users"
                set service "ANY"
            next
        end
    next
end
Test authentication on fortigate.
You should test the authentication. Depending on the user's rights on the IPA server, the reply may differ.
Fortigate (root) # diagnose test authserver ldap ipaserver01 testuser abc1234
authenticate 'testuser' against 'ipaserver01' succeeded!
Group membership(s) - cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
                      cn=LinuxOperators,cn=roles,cn=accounts,dc=example,dc=com
                      cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com
Secure authentication by restricting to group membership on fortigate.
Up to this point, all IPA users can log in via SSL-VPN. You need to configure a way to restrict SSL-VPN access to members of one group. Use the group DNs learned in the previous step.
The old way to do it: add the set group line (shown in red in the original post) to the existing LDAP server object.
config user ldap
    edit "ipaserver01"
        set group "cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com"
    next
end
The new way to do it: configure the existing user group and add the config match block (shown in red in the original post).
config user group
    edit "ipa-users"
        set sslvpn-portal "IPA-AUTH-LOCAL"
        set member "ipaserver01"
        config match
            edit 1
                set server-name "ipaserver01"
                set group-name "cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com"
            next
        end
    next
end
and you are all good to go.
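When the diagnose test above fails or a user is unexpectedly refused by the config match rule, it helps to reproduce the firewall's LDAP lookup from a Linux box. The script below is an added example and not part of the original post or of any Fortinet/IPA tooling: it binds with the same service account, base DN and uid attribute as the LDAP server object, and checks the same memberOf condition the match block enforces. It assumes OpenLDAP ldapsearch is installed and that the environment variable LDAP_BIND_PW_FILE (an assumed name) points to a file containing the fortigate-bind password.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the Fortigate's LDAP
# lookup and the group-membership check from a Linux shell.
# Assumed: OpenLDAP ldapsearch is installed; LDAP_BIND_PW_FILE names a file
# holding the fortigate-bind password (-y keeps it out of the process list).

# Same server, bind DN, base DN and uid attribute as the Fortigate object.
# This is a cleartext bind on 389, like the Fortigate object above; add -ZZ
# (STARTTLS) or use ldaps:// if the firewall side is switched to TLS.
ipa_ldap_lookup() {
  ldapsearch -LLL -x -o ldif-wrap=no \
    -H "ldap://10.11.12.13" \
    -D "uid=fortigate-bind,cn=users,cn=accounts,dc=example,dc=com" \
    -y "$LDAP_BIND_PW_FILE" \
    -b "cn=accounts,dc=example,dc=com" \
    "(uid=$1)" memberOf
}

# Join LDIF continuation lines (leading space) back onto the previous line;
# a folded group DN would otherwise never match the configured group-name.
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }'
}

# Reads LDIF on stdin; succeeds only if some memberOf value equals $1.
# cn and dc values compare case-insensitively in LDAP, so the comparison is
# done on lowercased strings.
has_required_group() {
  wanted=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  unfold_ldif | tr '[:upper:]' '[:lower:]' | grep -qxF "memberof: $wanted"
}

REQUIRED_GROUP="cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com"

# Constructed sample of what ipa_ldap_lookup testuser returns, with the last
# memberOf folded over two lines and written in a different case on purpose.
SAMPLE_LDIF='dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=LinuxOperators,cn=roles,cn=accounts,dc=example,dc=com
memberOf: cn=Fortigate-SSLVPN-Users,cn=groups,cn=accounts,dc=example,
 dc=com'

if printf '%s\n' "$SAMPLE_LDIF" | has_required_group "$REQUIRED_GROUP"; then
  echo "testuser would be admitted to the SSL-VPN portal"
else
  echo "testuser is NOT a member of $REQUIRED_GROUP"
fi
# Live check: ipa_ldap_lookup testuser | has_required_group "$REQUIRED_GROUP"
```

If the live check succeeds here but the firewall still refuses the user, the difference is on the Fortigate side (server-name or group-name typo in the match block) rather than in IPA.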