Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ychia
Staff
Staff

Created on ‎10-19-2021 11:12 PM

Article Id 194046

Technical Tip: Users unable to connect FortiClient after Implement the fix for CVE-2019-5591

Description
This article describes that after applying the fixed for CVE-2019-5591 below, user is unable to login in FortiClient.

# config user ldap
    edit "LDAP"
        set server-identity-check enable
    end

Solution
Procedure to collect the packet capture.

# diag sniffer packet any 'host <LDAPS_IP> and port <LDAPS_port>'' 6 0 l

Tried to connect to SSLVPN with set server-identity-check enabled.
To stop the sniffer, press 'CTRL + C'.

From the PCAP, the LDAPS server certificate in the subject should contains hostname 'ldap.example.com'.

Once the hostname has been identified, change the LDAP server from IP address to FQDN and enable 'server-identity-check', 

# config user ldap
    edit "LDAP"
        set server "Certificate_Hostname"
        set server-identity-check enable
end

NOTE.
Make sure, that the FQDN for the certificate hostname can be resolved by the configured DNS servers.

Labels:
540
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.