Below are instructions on how to configure a Fortinet FortiGate to use Foxpass for LDAP authentication on the remote SSL VPN using the graphical user interface (GUI). Fortinet's general instructions can be found here.
Note: Fortinet FortiGate Currently Requires a Configuration Change
Configuring your FortiGate to work with Foxpass currently requires a configuration change on our backend to enable a special setting for your company. This setting sends specific directory information to FortiGate that most LDAP clients don't require. To enable this setting, please reach out to us at [email protected] or in the Intercom chat in the bottom right.
First, create an LDAP Binder account with the name 'fortigate' (or something else easily identifiable) on the LDAP binders page. Copy/paste the generated password! It is only displayed once.
With the binder in place, we'll configure FortiGate to use Foxpass as an authentication source for users logging in to the firewall.
In the FortiGate interface, go to User & Device > Authentication > LDAP Servers and select Create New.
Enter the following values, inserting your own information where marked by the double arrows:
Name: ≪Foxpass-LDAP≫
Server Name/IP: ldap.foxpass.com
Server Port: 636
Common Name Identifier: uid
Distinguished Name: dc=≪example≫,dc=≪com≫
Bind Type: Regular
User DN: cn=≪binder name≫,dc=≪example≫,dc=≪com≫
Password: ≪binder password≫
Secure Connection: checked
Protocol: LDAPS
Next, we'll configure a specific Foxpass group to give users of that group admin permissions in FortiGate.
Add a user group in FortiGate and associate a Foxpass LDAP group with it. Go to User & Device > User > User Groups, and create an LDAP user group. This group will allow you to designate a specific Foxpass group as Firewall admins. Name the group something easy to remember like "FirewallAdmin." Enter the following values, inserting your own information where marked by the double arrows:
Member: ≪Foxpass-LDAP≫
Configuration: match
Server Name: ≪Foxpass-LDAP≫
Group Name: cn=≪Foxpass LDAP group≫,ou=groups,dc=≪example≫,dc=≪com≫
You may need to right click the group to select it when saving the configuration.
After that, give this group firewall admin access. Go to the Admin section of the System configuration and enter the values below:
Remote-Auth: Enable
trusthost1: x.y.x.x/255.255.255.255
trusthost2: x.x.y.x/255.255.255.255
trusthost3: x.x.x.y/255.255.255.255
accprofile: prof_admin
vdom: root
wildcard: enable
remote-group: ≪FirewallAdmin≫
As a final step, we recommend setting the timeout for remote authentication to 60 seconds to account for any network delays. Change this setting in the Global section of the System configuration.
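The same configuration expressed in the FortiOS CLI, as an added example rather than Foxpass's or Fortinet's own instructions. It mirrors the GUI steps above (LDAP server, user group matched to a Foxpass LDAP group, wildcard admin bound to that group, and the 60-second remote-auth timeout) and finishes with FortiOS's built-in authentication-server test so you can confirm the LDAPS bind and group lookup before relying on them for admin access. The domain example.com, the binder name fortigate, the Foxpass group firewall-admins, the trusted host 203.0.113.10 and the test user alice are constructed placeholders; substitute your own values.

```fortios
# Added example (not from the original page). All values below are
# constructed placeholders: dc=example,dc=com, binder "fortigate",
# group "firewall-admins", trusted host 203.0.113.10, test user "alice".

# 1. LDAP server object: LDAPS on 636, regular bind with the Foxpass binder.
config user ldap
    edit "Foxpass-LDAP"
        set server "ldap.foxpass.com"
        set port 636
        set cnid "uid"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fortigate,dc=example,dc=com"
        set password <binder password>
        set secure ldaps
    next
end

# 2. User group that matches one Foxpass LDAP group by its full DN.
config user group
    edit "FirewallAdmin"
        set member "Foxpass-LDAP"
        config match
            edit 1
                set server-name "Foxpass-LDAP"
                set group-name "cn=firewall-admins,ou=groups,dc=example,dc=com"
            next
        end
    next
end

# 3. Wildcard admin: any user in the remote group gets prof_admin,
#    but only from the trusted hosts listed (the /32 mask pins one host).
config system admin
    edit "FirewallAdmin"
        set remote-auth enable
        set trusthost1 203.0.113.10 255.255.255.255
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "FirewallAdmin"
    next
end

# 4. Allow 60 seconds for the remote bind before failing authentication.
config system global
    set remoteauthtimeout 60
end

# 5. Verify: bind as a real Foxpass user against the server object and
#    check that the group DN above appears in the returned membership.
diagnose test authserver ldap Foxpass-LDAP alice <alice's password>
```

Run the `diagnose test authserver ldap` command before creating the wildcard admin; if the bind succeeds but the group list does not contain the exact DN in `set group-name`, the match will never fire and LDAP users will be denied. Keep the trusted-host entries as narrow as the page's /32 examples: the wildcard admin grants full admin rights to every member of the group, so the source restriction is the remaining control on where those logins can originate.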