The Fortigate SSL VPN is an amazing feature, but when users do not log in to internal resources very often, their AD password may expire without them knowing. What really stinks is when that user has to post data for the month and logs in at midnight for an 8 a.m. deadline! Luckily the Fortigate can push the LDAP password expiration notification to the user, and can even let them change the password through the SSL VPN login.
Steps:
– Get SSL VPN up and running with LDAP authentication. The connection has to be LDAPS to change the password, and the account used to query LDAP has to be a domain admin!!!
– In the CLI, modify the LDAP server entry to enable password expiration notification and password change.
First create or modify your LDAP server in the GUI, and make sure it is set to use LDAPS. The image below should be a good guide. Remember, the service account you use to query LDAP does not have to be an admin account, but if you want to change passwords then it does have to be a Domain Admin. It is a good idea to always create a dedicated service account for the Fortinet to query LDAP; that way, if your admin password changes it will not affect this account.
Once that is configured and tests/queries successfully, drop down to the CLI and configure the following:
config user ldap
    edit "Server name"
        set password-expiry-warning enable
        set password-renewal enable
    next
end
For a look at all the options, see the picture below:
And that's it; after this, the password expiration messages will be pushed to the client when they log in.
Remember that the LDAP connection has to use SSL (LDAPS) to change the password.
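To make the mechanism concrete, here is an added example (not code from the original post or from Fortinet) of the two things the feature depends on: the check that turns the AD attributes pwdLastSet, maxPwdAge and userAccountControl into a "your password expires in N days" warning, and the TLS settings an LDAPS client should insist on towards the domain controller, since password renewal sends the new password over that connection. It uses only the Python standard library. The 90-day domain policy, the fixed "now", the sample users and the 14-day warning threshold are all constructed for the example; the real threshold is whatever the firewall or domain policy uses.

```python
"""Added example, not code from the original post or from Fortinet.
Shows (1) how an LDAP client derives a password-expiry warning from the
AD attributes pwdLastSet, maxPwdAge and userAccountControl, and (2) the
TLS settings an LDAPS client should require towards the domain controller.
Standard library only; every sample value below is constructed."""
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# AD stores timestamps as 100-ns ticks since 1601-01-01 UTC (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl flag meaning "password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000
# Constructed domain policy: maxPwdAge is a *negative* 100-ns interval; 90 days here.
MAX_PWD_AGE_90_DAYS = -90 * 86400 * 10_000_000
# Fixed "now" so the sample results are reproducible (constructed).
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet (100-ns ticks) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def max_pwd_age_to_timedelta(max_pwd_age: int) -> Optional[timedelta]:
    """Domain maxPwdAge -> password lifetime. 0 or INT64_MIN means 'never expires'."""
    if max_pwd_age == 0 or max_pwd_age == -(1 << 63):
        return None
    return timedelta(microseconds=-max_pwd_age // 10)


def days_until_expiry(pwd_last_set: int, max_pwd_age: int,
                      user_account_control: int, now: datetime) -> Optional[int]:
    """Whole days left before the password expires.
    None -> does not expire (account flag or domain policy)
    0    -> already expired, or pwdLastSet == 0 ('must change at next logon')"""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    lifetime = max_pwd_age_to_timedelta(max_pwd_age)
    if lifetime is None:
        return None
    if pwd_last_set == 0:
        return 0
    remaining = filetime_to_datetime(pwd_last_set) + lifetime - now
    return max(0, remaining.days)


def should_warn(days_left: Optional[int], warn_days: int = 14) -> bool:
    """Warn when expiry is within warn_days. The 14-day threshold is an
    assumption for this example, not a documented FortiGate value."""
    return days_left is not None and days_left <= warn_days


# Constructed sample users: name -> (pwdLastSet, userAccountControl).
SAMPLE_USERS: Dict[str, Tuple[int, int]] = {
    "alice": (datetime_to_filetime(NOW - timedelta(days=80)), 0x200),  # 10 days left
    "bob": (datetime_to_filetime(NOW - timedelta(days=30)), 0x200),    # 60 days left
    "svc-fgt-ldap": (datetime_to_filetime(NOW - timedelta(days=400)),
                     0x200 | UF_DONT_EXPIRE_PASSWD),                   # never expires
    "carol": (0, 0x200),                                               # must change at next logon
}


def evaluate_samples() -> Dict[str, Tuple[Optional[int], bool]]:
    """Run the expiry check over the sample users against the 90-day policy."""
    out: Dict[str, Tuple[Optional[int], bool]] = {}
    for name, (pwd_last_set, uac) in SAMPLE_USERS.items():
        days = days_until_expiry(pwd_last_set, MAX_PWD_AGE_90_DAYS, uac, NOW)
        out[name] = (days, should_warn(days))
    return out


def ldaps_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for an LDAPS (tcp/636) client: the DC certificate must
    chain to a trusted CA and match the hostname you connect to, TLS 1.2+.
    Pass the PEM file of the CA that issued the DC certificate (for example
    an AD CS issuing CA); None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # the default, made explicit on purpose
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    for user, (days, warn) in evaluate_samples().items():
        state = "never expires" if days is None else f"{days} day(s) left"
        print(f"{user:14} {state:16} warn={warn}")
```

The service account in the sample list is flagged "password never expires" deliberately: the account the firewall binds with is the one account whose expiry you do not want surfacing as a surprise, so it is the one to exempt from the policy and rotate on your own schedule. For the TLS side, point ca_bundle_path at the CA that issued the domain controller's certificate rather than skipping verification; the "no cert selected" shortcut discussed in the comments means the client is not checking who it is sending passwords to.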
In 6.4 this works great with RADIUS authentication. Make sure you are using MSCHAPv2 on the FGT. PEAP should be the outer-layer authentication (a setting on the NPS or RADIUS server).
Ya… Can anyone help with setting up LDAPS on the server side? I'm guessing there is a cert involved. Not sure if this is an AD cert that needs to get created and imported into the Fortigate or what??
Hey Jeff, thanks for the comment!
You can do either. I have found that you do not have to select a cert and it will still work. I will write up an entry on using the cert between the FGT and the LDAP server, but like I said, if you select no cert in the LDAPS config on the FGT it will work.
Does this work with Radius?
Yes. You can use LDAP or RADIUS without an issue.
It's been a while, but yes, in 5.4.4 you have the option to change this through RADIUS; works great. It is a CLI option under the server.
Hi, do you not need to import a certificate for this to work?