This is a technical article for IT/Network system administrators. (A blog is only good if the author himself will come back and read his own blog. I am posting this as a note I may look up later).

The problem

Most articles and online documentation will help you get your Fortinet/Fortigate firewall hooked up to a Windows AD controller and do centralized user authentication via LDAP or RADIUS. Of course you should use centralized user authentication instead of a local user database in any large enterprise, so that you have a single place to administer your users. When an employee quits, you disable that user in one place, and that user loses access to the entire network at once. But what if you have Linux servers in your enterprise and don’t want to use a Windows AD controller for centralized authentication? The solution is LDAP authentication against an IPA server for Linux.

Prerequisites in this example

I assume you have installed and configured IPA (included with Red Hat Linux at no extra cost) or FreeIPA (which you can compile and install yourself from source), and that the IPA server (10.11.12.13 in this example) has a service account “fortigate-bind” with permission to query your LDAP directory for users. I will not cover the installation and configuration of the IPA server here, only the Fortigate to IPA integration. Everything is done on the command line.

The solution

Configure the LDAP server object on the Fortigate.

config user ldap
    edit "ipaserver01"
        set server "10.11.12.13"
        set cnid "uid"
        set dn "cn=accounts,dc=example,dc=com"
        set type regular
        set username "uid=fortigate-bind,cn=users,cn=accounts,dc=example,dc=com"
        set password ENC (encrypted password string...)
    next
end

Configure the user group to be used by the SSL VPN portal on the Fortigate.

config user group
    edit "ipa-users"
        set sslvpn-portal "IPA-AUTH-LOCAL"
        set member "ipaserver01"
    next
end

Configure the firewall policy on the Fortigate.

This step will vary heavily depending on what rights your authenticated users should actually have. Use the policy below only as an example; the point is that the identity-based policy maps to the group of authenticated LDAP users, and that group is later restricted to a specific LDAP group.

config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "External"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set logtraffic enable
                set groups "ipa-users"
                set service "ANY"
            next
        end
    next
end

Test authentication on the Fortigate.

You should test the authentication. Depending on the user's rights on the IPA server you may get a different reply.

Fortigate (root) # diagnose test authserver ldap ipaserver01 testuser abc1234 
' authenticate 'testuser' against 'ipaserver01' succeeded!
' Group membership(s) - cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
' cn=LinuxOperators,cn=roles,cn=accounts,dc=example,dc=com
' cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com

Secure authentication by restricting it to a group membership on the Fortigate.

Up to this point, any IPA user can log in via SSL-VPN. You need to restrict SSL-VPN access to a specific group membership, using the group DNs learned in the previous step.

The old way to do it: add the highlighted line (the set group line) to the existing LDAP server object.

config user ldap
    edit "ipaserver01"
        set group "cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com"
    next
end

The new way to do it: keep the existing group and add the highlighted config match block to it.

config user group
    edit "ipa-users"
        set sslvpn-portal "IPA-AUTH-LOCAL"
        set member "ipaserver01"
        config match
            edit 1
                set server-name "ipaserver01"
                set group-name "cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com"
            next
        end
    next
end

and you are all good to go.
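As an added example (not part of the original post and not a Fortinet tool), here is a small Python check that parses FortiOS CLI snippets like the ones above and reports user groups that an LDAP server feeds without either restriction described in this step: no config match entry on the group and no set group filter on the server object. The sample configuration embedded in it is constructed from the article's values.

```python
import re

# Constructed sample: the article's LDAP server object and SSL-VPN user group
# before any group restriction; RESTRICTED_CONFIG adds the 'config match' block.
OPEN_CONFIG = """\
config user ldap
    edit "ipaserver01"
        set dn "cn=accounts,dc=example,dc=com"
    next
end
config user group
    edit "ipa-users"
        set sslvpn-portal "IPA-AUTH-LOCAL"
        set member "ipaserver01"
    next
end
"""
MATCH_BLOCK = """\
        config match
            edit 1
                set server-name "ipaserver01"
                set group-name "cn=fortigate-sslvpn-users,cn=groups,cn=accounts,dc=example,dc=com"
            next
        end
"""
RESTRICTED_CONFIG = OPEN_CONFIG.replace(
    '        set member "ipaserver01"\n', '        set member "ipaserver01"\n' + MATCH_BLOCK)

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts; 'set' values are lists."""
    stack = [{}]                      # stack[-1] is the scope currently being filled
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] in ("config", "edit"):   # open a nested scope under the current one
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):    # close the current scope
            stack.pop()
    return stack[0]

def unrestricted_ldap_groups(cfg):
    """Groups fed by an LDAP server with no 'config match' and no 'set group' on that server."""
    ldap = cfg.get("user ldap", {})
    return [name for name, grp in cfg.get("user group", {}).items()
            if (servers := set(grp.get("member", [])) & set(ldap))
            and not grp.get("match")
            and not all(ldap[s].get("group") for s in servers)]
```

Run it against a saved `show user ldap` / `show user group` dump; any group it lists is one that every IPA user can pass through.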