Technical Tip: IKEv2 dial up VPN with LDAP authentication
| Description | This article describes the configuration required for IPsec dial-up on FortiClient to work with LDAP users. |
| Scope | FortiClient, FortiGate. |
| Solution | IKEv2, in contrast to IKEv1, uses EAP for authentication. When the client uses a hash-based method such as EAP-MSCHAPv2 (the FortiClient default) or EAP-PEAP with inner EAP-MSCHAPv2, the FortiGate cannot perform a regular LDAP bindRequest (which requires the plaintext password). Instead, the FortiGate attempts to retrieve any of the following 5 attributes for the user:
These attributes allow the FortiGate to validate EAP-MSCHAPv2 or EAP-PEAP authentication attempts. Note that the most popular LDAP implementations (such as Microsoft Active Directory) refuse to return these attributes by default, which makes LDAP-based authentication impossible when EAP-MSCHAPv2 or EAP-PEAP is used.
Starting from FortiClient v7.4.3 and onward, EAP-TTLS authentication is supported with IKEv2 and can be used with LDAP authentication: EAP-TTLS support for IPsec VPN 7.4.3.
Note that a FortiClient EMS subscription is also required to enable the EAP method in the XML config of the IPsec tunnel on FortiClient EMS.
The required EAP method can also be enabled by taking a configuration backup of the VPN-only unlicensed FortiClient, editing it, and restoring it as outlined here: Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient.
Example of LDAP search request for these attributes:
The user needs to have one of these attributes to be allowed to authenticate. Here is an example from Active Directory.
Note: Set the user's password in this field, in the number base selected; this is the value the LDAP lookup uses to authenticate the user:
When editing the userPassword attribute, one of four value formats must be selected: Hexadecimal, Binary, Decimal, or Octal. For the text 'Fortinet12', the corresponding hexadecimal value is 46 6F 72 74 69 6E 65 74 31 32. To perform the conversion, any online conversion tool can be used.
Note: If using MFA, deploy FortiClient v7.4.4 or later. For more details, refer to the compatibility matrix in: Technical Tip: Overview of compatible IKE versions, user authentication methods, and FortiGate/FortiClient firmware versions.
LDAP-based user authentication is designed to work with XAUTH and IPsec IKEv1. Due to the removal of IKEv1 support in FortiClient version 7.4.4, EAP-TTLS can be used with IKEv2 authentication for LDAP authentication: EAP-TTLS support for IPsec VPN.
In earlier versions of FortiClient, EAP-MSCHAPv2 was used for username/password authentication and did not work with LDAP. EAP-TTLS now supports LDAP authentication.
If FortiClient does not connect and reports the error 'IKE message other than DPD retransmits to maximum' after authentication has completed, check whether the EMS profile has <enable_ike_fragmentation> set to 1.
If not, set this option to 1 in the XML profile. Fragmentation is enabled by default in the FortiGate phase1 settings, and the option must match on both the client and the server side for IKEv2 to connect successfully.
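The two manual steps above (converting the userPassword value to the attribute editor's hexadecimal form, and checking that <enable_ike_fragmentation> is 1 in the FortiClient XML backup) can be done offline with the following added example; it is not code from the article or from Fortinet. The XML nesting in the sample profile is an assumption, so the check locates the element by name wherever it sits, and UTF-8 is assumed for any non-ASCII password characters.

```python
# Added example (not from the article): offline helpers for the two manual
# steps described above. The sample profile below is constructed and its
# element nesting is an assumption, not the documented FortiClient layout.
import xml.etree.ElementTree as ET


def to_ad_hex(password: str) -> str:
    """Return the space-separated uppercase hex bytes that the AD attribute
    editor expects for userPassword. UTF-8 is assumed for non-ASCII text."""
    return " ".join(f"{b:02X}" for b in password.encode("utf-8"))


def from_ad_hex(hex_value: str) -> str:
    """Decode an attribute-editor hex string back to text, to verify what is stored."""
    return bytes.fromhex(hex_value.replace(" ", "")).decode("utf-8")


def ike_fragmentation_enabled(xml_text: str) -> bool:
    """True only if the profile contains <enable_ike_fragmentation> and every
    occurrence is set to 1 (a missing element counts as not enabled)."""
    root = ET.fromstring(xml_text)
    values = [(e.text or "").strip() for e in root.iter("enable_ike_fragmentation")]
    return bool(values) and all(v == "1" for v in values)


def set_ike_fragmentation(xml_text: str) -> str:
    """Return the profile with every <enable_ike_fragmentation> forced to 1."""
    root = ET.fromstring(xml_text)
    for e in root.iter("enable_ike_fragmentation"):
        e.text = "1"
    return ET.tostring(root, encoding="unicode")


# Constructed sample profile fragment with fragmentation disabled.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn><ipsecvpn><connections><connection>
    <name>corp-ikev2</name>
    <ike_settings><enable_ike_fragmentation>0</enable_ike_fragmentation></ike_settings>
  </connection></connections></ipsecvpn></vpn>
</forticlient_configuration>"""

if __name__ == "__main__":
    print(to_ad_hex("Fortinet12"))  # 46 6F 72 74 69 6E 65 74 31 32
    print(ike_fragmentation_enabled(SAMPLE_PROFILE))  # False
    print(ike_fragmentation_enabled(set_ike_fragmentation(SAMPLE_PROFILE)))  # True
```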
See the screenshot below for reference:
Troubleshooting.
The following debugs are useful when troubleshooting issues with the configuration above.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
To stop debug:
diagnose debug disable
diagnose debug reset
Related articles:
Technical Tip: IKEv2 tunnel fails when LDAP based usergroup is used for EAP
Technical Tip: Multi-Factor Authentication support for Windows
Troubleshooting Tip: Dialup IPsec VPN with FortiToken fails to connect |