Explorer III

Solved

Dial-Up VPN with TOTPRadius Authentication – Does It Work?

Forum|Forum|1 year ago
February 20, 2025
7 replies
7091 views

Hey everyone,

I recently attempted to set up Dial-Up VPN authentication using TOTPRadius in combination with an LDAP server and TOTP (Time-Based One-Time Password). TOTPRadius acts as a Proxy-RADIUS server and integrates LDAP authentication with TOTP for two-factor authentication.

The setup process was based on the information provided by Token2's guide, which primarily explains how to configure TOTPRadius for admin login but does not explicitly mention VPN authentication. The Test Authentication worked, but when in combination with VPN it doesn't.

The Problem:

When trying to authenticate a Dial-Up VPN client using FortiGate and TOTPRadius, the authentication fails with the following error message from the TOTPRadius Server shown in Wireshark:

Initial login not allowed; Empty password provided for user <blank-user>; Terminating process with Reject message

This suggests that the FortiGate did not transmit the user’s password when performing VPN RADIUS authentication.

Best answer by MG4

IKEv2 does not allow for PAP authentication by design...

I wish I had done my research before this post, but as the above says, IKEv2 does not allow for PAP authentication. Since TOTPRadius uses PAP as a Proxy-RADIUS to simply cut the password part and the TOTP part, for the authentication. Which means you either use IKEv1 (which has been deemed depreacted and unsafe since 2019 from the IETF https://datatracker.ietf.org/doc/rfc9395/ ) or just don't.

AEK

SuperUser

Hi MG4

On your FGT > RADIUS server config, does "Test user credentials" work successfully?

AEK

MG4Author

Explorer III

Yeah, it worked perfectly.

sw2090

SuperUser

hm we do IPSec dialup with a FortiAuthenticator as radius server.

All we did was set up FAC as radius server and set up groups and users there.

Then deploy the radius server to the FortiGates and also deploy the neccessary radius groups.

Then create the ipsec dialup and set xauth to use the radius group.

TOTP i this case is completely handled by the Authenticator.

AEK

SuperUser

Hi MG4

Can you share your phase1 config?

Also try debug with the below (try use filter for ike):

diag debug app fnbamd -1
diag debug app ike -1
diag debug enable

AEK

MG4Author

Explorer III

Hi AEK,

Here is the phase1 config:
FG-100F (FC-LDAP-AUTH) # get
name : FC-LDAP-AUTH
type : dynamic
interface : ppp0
ip-version : 4
ike-version : 2
local-gw : 0.0.0.0
keylife : 86400
authmethod : psk
authmethod-remote :
peertype : any
monitor-min : 0
net-device : disable
exchange-interface-ip: disable
aggregate-member : disable
packet-redistribution: disable
mode-cfg : enable
ipv4-dns-server1 : 172.16.2.20
ipv4-dns-server2 : 0.0.0.0
ipv4-dns-server3 : 0.0.0.0
internal-domain-list:
ipv4-wins-server1 : 0.0.0.0
ipv4-wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-dns-server3 : ::
proposal : aes256-sha256 aes256-sha384
add-route : enable
localid :
localid-type : auto
negotiate-timeout : 30
fragmentation : enable
ip-fragmentation : post-encapsulation
dpd : on-demand
comments : VPN: FC-LDAP-AUTH
npu-offload : enable
dhgrp : 15
suite-b : disable
eap : enable
eap-identity : send-request
acct-verify : disable
ppk : disable
wizard-type : custom
reauth : disable
authusrgrp : VPN-Local-Group
idle-timeout : disable
ha-sync-esp-seqno : enable
fgsp-sync : disable
inbound-dscp-copy : disable
auto-discovery-sender: disable
auto-discovery-receiver: disable
auto-discovery-forwarder: disable
encapsulation : none
nattraversal : enable
fragmentation-mtu : 1200
childless-ike : disable
azure-ad-autoconnect: disable
client-resume : disable
rekey : enable
enforce-unique-id : disable
fec-egress : disable
fec-ingress : disable
network-overlay : disable
dev-id-notification : disable
link-cost : 0
kms :
exchange-fgt-device-id: disable
ems-sn-check : disable
qkd : disable
transport : udp
remote-gw-match : any
default-gw : 0.0.0.0
default-gw-priority : 0
assign-ip : enable
assign-ip-from : name
ipv4-netmask : 255.255.255.0
dns-mode : manual
ipv4-split-include : FC-LDAP-AUTH_split
split-include-service:
ipv4-name : FC-LDAP-AUTH_range
ipv6-prefix : 128
ipv6-split-include :
ipv6-name :
ip-delay-interval : 0
ipv4-split-exclude :
save-password : enable
client-auto-negotiate: disable
client-keep-alive : disable
psksecret : *
keepalive : 10
distance : 15
priority : 1
dpd-retrycount : 3
dpd-retryinterval : 20

And here is the log:
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 172.16.10.166
diag debug app fnbamd 255
diag debug app ike -1
diag debug enable
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=601....
ike V=root:0: IKEv2 exchange=SA_INIT id=d264b77317af4890/0000000000000000 len=601
ike 0: in D264B77317AF489000000000000000002120220800000000000002592200005C0200002C010100040300000C0100000C800E01000300000802000005030000080300000C000000080400000F00000
02C020100040300000C0100000C800E01000300000802000006030000080300000D000000080400000F28000188000F0000E63DD5849D4A36212FA996D46310AA07CED1235591D17AED94C220836A64BF436C66
48C20D111776F4F9101C26BC457EC8C3A858BEAF4DF4D5C7302864DD6B1CF894FCC5343410372411DF9158724E4A71D36EE283F869BF2E2A28F21A59FC3B3110FAD29DF54FF468B58B76CB03CF2D9B016CE5449
8CC115933A82E000A3560CE4357E3604C6680CD9DB2A45B5C5A1F2C56B5DF61EA3359A47FE10A364263FBD27C63A5BEC9CDF2A426AF01A5ADF00783896DE8C81F4CACBBDE9D2715DD60A018EF5C393F0763726D
285796FAAD9C946B3AC9A49E55CFFD735C0531403B002A873ED5FAE12CF1F49A38F8074181948C2A7FC801E61FFA14FBE5AD71F9900242E9B26667124DBB2F4915BA61089BB87384E09E111AD9EFAE601A726C7
16916AEA5273E4A643BA75FC2BF9480B15AC38B73CDF3B18FADE29E9546CF725BC71943A4C368359064E29E3B217F31532433955AFA8F0934EA61F6EBBBB7EB2B9353AE28507824BE7850822027AADA6736E139
905CCCE69EBF4FEA06C57FF54BA85B0D2B0000149E4EA79B448C675830940C341E4570302B000014<FC-License>2B000014<VID Fortinet Endpoint Control>29000014C1DC435
0476B98A429B91781914CA43E000000090000F05000
ike V=root:0:d264b77317af4890/0000000000000000:338565: responder received SA_INIT msg
ike V=root:0:d264b77317af4890/0000000000000000:338565: VID forticlient connect license <FC-License>
ike V=root:0:d264b77317af4890/0000000000000000:338565: VID Fortinet Endpoint Control <VID Fortinet Endpoint Control>
ike V=root:0:d264b77317af4890/0000000000000000:338565: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E
ike V=root:0:d264b77317af4890/0000000000000000:338565: received notify type VPN_NETWORK_ID
ike V=root:0:d264b77317af4890/0000000000000000:338565: NETWORK ID : 0
ike V=root:0:d264b77317af4890/0000000000000000:338565: incoming proposal:
ike V=root:0:d264b77317af4890/0000000000000000:338565: proposal id = 1:
ike V=root:0:d264b77317af4890/0000000000000000:338565:   protocol = IKEv2:
ike V=root:0:d264b77317af4890/0000000000000000:338565:      encapsulation = IKEv2/none
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=DH_GROUP, val=MODP3072.
ike V=root:0:d264b77317af4890/0000000000000000:338565: proposal id = 2:
ike V=root:0:d264b77317af4890/0000000000000000:338565:   protocol = IKEv2:
ike V=root:0:d264b77317af4890/0000000000000000:338565:      encapsulation = IKEv2/none
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=PRF, val=PRF_HMAC_SHA2_384
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=DH_GROUP, val=MODP3072.
ike V=root:0:d264b77317af4890/0000000000000000:338565: matched proposal id 1
ike V=root:0:d264b77317af4890/0000000000000000:338565: proposal id = 1:
ike V=root:0:d264b77317af4890/0000000000000000:338565:   protocol = IKEv2:
ike V=root:0:d264b77317af4890/0000000000000000:338565:      encapsulation = IKEv2/none
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:d264b77317af4890/0000000000000000:338565:         type=DH_GROUP, val=MODP3072.
ike V=root:0:d264b77317af4890/0000000000000000:338565: lifetime=86400
ike V=root:0:d264b77317af4890/0000000000000000:338565: SA proposal chosen, matched gateway VPN2-PSK
ike V=root:0:01K06-PSK:01K06-PSK: created connection: 0xafc7690 23 <WAN-IP>->172.16.10.166:500.
ike V=root:0:01K06-PSK:338565: FEC vendor ID received FEC but IP not set
ike 0:01K06-PSK:338565: FCT EAP 2FA extension vendor ID received
ike V=root:0:01K06-PSK:338565: responder preparing SA_INIT msg
ike V=root:0:01K06-PSK:338565: generate DH public value request queued
ike V=root:0:01K06-PSK:338565: responder preparing SA_INIT msg
ike V=root:0:01K06-PSK:338565: compute DH shared secret request queued
ike V=root:0:01K06-PSK:338565: responder preparing SA_INIT msg
ike V=root:0:01K06-PSK:338565: create NAT-D hash local <WAN-IP>/500 remote 172.16.10.166/500
ike 0:01K06-PSK:338565: out D264B77317AF4890717371AE441C596B212022200000000000000220220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C000
000080400000F28000188000F000059401F357E510BBE38BC9500967BADD7482027D3025C07261A7EC649B4F3CD8D120697A844BEE1532AF06FE28B3CF220820F552BCB4D60188DF3C08CC5BB7B67F579995EBF
9E46197D738997980417B587CF9A8212724F9BE02354B6D3DEE153E2C5CD7913794F582427F8282485D72E268270AE145593241CED12C491F01953D1842C09D6614BA302A6E783E700B44260068F69C54033F22
5FFC7E2A94D7C35313D76E3C5366639CE6E701C5F87BC01DB755AA4EA53B3D4BC9258EC5C69F9133876772762DEBB05CF9DF012A97ABEB363B38307922D1B151578AFC62B25A80F979603229AE8504AF2E4FD83
88EE9E70C080580737E0CEC19AC510DD12D03C53BC7ECE35B47E39E6F2B4096846396437D89D2FD0C30C086D9CE4AE158C8B8322B1B1B099182D8FD67457E6C9AF9404F76E82C5913869A0F80AF665DECA66F3D
E4A506D75984FF82264D5CF5D9FA2A86222800B7AC8A01561CC60B399FB843DFC05EE3EF5D3DA7BB1A47C37886B95A4EB5D084A57D8FF0404349CE8979848C2E7290000146336DE9BDE5990DF46FC42B3315C96
302900001C000040044AF6B7403C3968D587A29954C3EF0C83634F49E20000001C00004005D049DBA949FAA3E396829AEA2B526859296CE051
ike V=root:0:01K06-PSK:338565: sent IKE msg (SA_INIT_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=544, vrf=0, id=d264b77317af4890/717371ae441c596b, oif=23
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_ei 32:89B134FD50499BA0A49EDFC835E83F727A782C1EE0A956910B135F53C25FC89E
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_er 32:B182EA174B1AB1FCE6BE791897C0C0E68FC0DC805EAB91CEB2C620F15217D5BC
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_ai 32:78334DD9DB293531B64A8417160F5062DB7AD7D71BA8A3500CB8328F134EB716
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_ar 32:FEDF3262669931DA1EF9F3F3B9C269A85CD788951730C629A500488A0181DE31
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=672....
ike V=root:0: IKEv2 exchange=AUTH id=d264b77317af4890/717371ae441c596b:00000001 len=672
ike 0: in D264B77317AF4890717371AE441C596B2E20230800000001000002A023000284F68B9619439A3FE5871C488F60B2433D1AEA9E2E7C0FD00DB4D7C77D23E02F4F7CDC2F93D0C71608B6F1FF08C593E
80DA46331F5EB10C6D5B6BF5F09B56AB8EFD32655AFFF202C0F80AAB28CEE791093347ABF0C95FF30ADB48F22E4F1F7D5CB4DA9E740E4EF99E2F4C0FB230FFC66AC9E1EBDDA89D52B388ACB8420A961EE6840FB
F9EC7E2C9E11922B321B6CD5243DADEA8AA2BCE6C63CCDA4D65A601E7D249FA84059C8D1A38C1CF8B8D10C96923BF2C8EFBEFFFBE3E9367058F8F8BF7B2D987043183B145F99F39456D0D23C11E43131D6BE60F
05C7F3CB21F3CB2E8ABC3C8009CC7790EBD0CECFCBE3BD6B76FC3DA76FC18E015237232B526CE65ED1E126C0A05BDFD9E846990C67744A3ED8D7907CAF5D5E6CB5D4EC669929380DB0B9A170C22BDF9560D8D60
1A64A867053E0B5A61C466E022B114CB48C4DB1173764C984436D9FEF0DDDCFEEE4662BE427BF84FA714DAB2CC88DE88159B9BE52FF77A35ED21D776DEF455935306C3DAC319C237DF91706E70934169023C760
3DC344BD3B2F13535DF2E4BF7B92F965AC4FE5742B275AE9D7483DECDEFBBC2731ED9B3EA9D84E7C07CFAA5FDCD7E82FF020BDC708648E4F16D630BF10E16DCCB0562BC81BCA4FC3D162CDADB65212007C5C9F8
5F989FFAD38297F13859B3312E6AC16BFB1348AC56B61DDC79ED236C51DE02C7F4A2C10CAC5A07C8026EDC3A861CC5720B8A695BB7EDFAEA3DBC50EC5E25DD591BD453C042723BCFC5132A25D4AF522CE563134
6643276AC7ED716B04496F293F68B09999498967E6070D41187B6CA3C012A62516B77B02F2A6D2022F8142BE19B40D9CDF3F95AE0DCD090EA8437907490BE559C33E1E250BF5D94AF7A518A1085DFA89FAF5574
402869218F9CC049B4
ike 0:01K06-PSK:338565: dec D264B77317AF4890717371AE441C596B2E2023080000000100000276230000042900000C01000000AC100AA629000008000040002F0001620000F1005645523D310A4643545
645523D372E342E322E313733370A5549443D42353437333746454532374234303743384141313045384530353141393131330A49503D3139322E3136382E3234352E310A4D41433D30302D32622D36372D3530
2D32632D30633B63302D62382D38332D30632D36352D62313B63302D62382D38332D30632D36352D62323B63322D62382D38332D30632D36352D62313B39302D62342D38632D35372D35362D35393B0A484F535
43D4E422D3032310A555345523D737570706F727432310A4F535645523D4D6963726F736F66742057696E646F77732031312050726F66657373696F6E616C2045646974696F6E2C2036342D6269742028627569
6C64203236313030290A5245475F5354415455533D300A454D53534E3D464354454D53383832343030323230360A454D5349443D303030303030303030303030303030303030303030303030303030303030303
00A002100005C01000000000700104643543830303137363539373235393000010000000200000003000000040000000D00000019000000080000000F0000000A0000000B000070010000540A0000540B000070
00000070060000001900002C0000540200002801030403DC66EBF40300000C0100000C800E0100030000080300000C00000008050000000000002802030403DC66EBF40300000C0100000C800E0100030000080
300000D00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
ike V=root:0:01K06-PSK:338565: responder received AUTH msg
ike V=root:0:01K06-PSK:338565: processing notify type INITIAL_CONTACT
ike V=root:0:01K06-PSK:338565: processing notify type FORTICLIENT_CONNECT
ike V=root:0:01K06-PSK:338565: received FCT data len = 346, data = 'VER=1
FCTVER=7.4.2.1737
UID=<UID>
IP=192.168.245.1
MAC=<MAC>
HOST=NB-021
USER=MG4
OSVER=Microsoft Windows 11 Professional Edition, 64-bit (build 26100)
REG_STATUS=0
EMSSN=<EMS-SN>
EMSID=00000000000000000000000000000000
'
ike V=root:0:01K06-PSK:338565: received FCT-UID :<FCT-UID>
ike V=root:0:01K06-PSK:338565: received EMS SN : <EMS-SN>
ike V=root:0:01K06-PSK:338565: received EMS tenant ID : 00000000000000000000000000000000
ike V=root:0:01K06-PSK:338565: peer identifier IPV4_ADDR 172.16.10.166
ike V=root:0:01K06-PSK:338565: re-validate gw ID
ike V=root:0:01K06-PSK: change phase1 profile to FC-LDAP-AUTH
ike V=root:0:FC-LDAP-AUTH:338565: gw validation OK
ike V=root:0:FC-LDAP-AUTH:338565: responder preparing EAP identity request
ike 0:FC-LDAP-AUTH:338565: enc 2700000C01000000D43CE97130000028020000003AF99A176AE7DA893120C04EC75BAF7328E450866CE3CEB5048AE560A45B553300000009019D000501020102
ike 0:FC-LDAP-AUTH:338565: out D264B77317AF4890717371AE441C596B2E2023200000000100000080240000649F2CB5D1EFA4FA1A118F897F0B4AFE517DB24607642C3924F756D3AA4325AEE2953BDE86
347023A104B2DEDBD30FF4AD3D8E150985F75D0BA50D6022561C997BBD2006716F9FC8493F4EA85E5F480A06D10C1F604A8BFFCE98B550D630E35EE5
ike V=root:0:FC-LDAP-AUTH:338565: sent IKE msg (AUTH_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=128, vrf=0, id=d264b77317af4890/717371ae441c596b:00000001, o
if=23
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=96....
ike V=root:0: IKEv2 exchange=AUTH id=d264b77317af4890/717371ae441c596b:00000002 len=96
ike 0: in D264B77317AF4890717371AE441C596B2E202308000000020000006030000044C5C6EDC787485C36181630447BFB640CCA1E81B827BEFC9AFCDF1EE757CF94C25FFFD2F5E172A195B178CD38BECBF
8CED9A1B831417C1DFBA05AE43203BA9BE3
ike 0:FC-LDAP-AUTH:338565: dec D264B77317AF4890717371AE441C596B2E20230800000002000000323000000400000012029D000E01737570706F72743231
ike V=root:0:FC-LDAP-AUTH:338565: responder received EAP msg
ike V=root:0:FC-LDAP-AUTH:338565: send EAP message to FNBAM
ike V=root:0:FC-LDAP-AUTH:338565: initiating EAP authentication
ike V=root:0:FC-LDAP-AUTH: EAP user "MG4"
ike V=root:0:FC-LDAP-AUTH: EAP 1000760094741 pending
[1757] handle_req-Rcvd auth req 1000760094741 for MG4 in VPN-Local-Group opt=00000000 prot=7 svc=9
[333] __compose_group_list_from_req-Group 'VPN-Local-Group', type 1
[508] create_auth_session-Session created for req id 1000760094741
[590] fnbamd_cfg_get_tac_plus_list-
[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[557] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'VPN-Local-Group'
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[756] __fnbamd_cfg_get_ldap_list_by_group-
[856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 0
[416] ldap_start-Didn't find ldap servers
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[844] __fnbamd_cfg_get_radius_list_by_group-
[858] __fnbamd_cfg_get_radius_list_by_group-Group 'VPN-Local-Group'
[376] verify_local_user_match_and_update-Found a matching user in CMDB 'MG4'
[456] fnbamd_rad_get-vfid=0, name='TOTPRadius'
[805] __rad_auth_ctx_insert-Loaded RADIUS server 'TOTPRadius'
[877] __fnbamd_cfg_get_radius_list_by_group-Loaded RADIUS server 'TOTPRadius' for user 'MG4' in usergroup 'VPN-Local-Group' (14)
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot EAP
[1107] __auth_ctx_svr_push-Added addr 172.16.10.231:1812 from rad 'TOTPRadius'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'TOTPRadius': 172.16.10.231:1812.
[1125] __auth_ctx_start-Connection starts TOTPRadius:172.16.10.231, addr 172.16.10.231:1812 proto: UDP
[280] __rad_udp_open-Opened radius socket 10, sa_family 2
[945] __rad_conn_start-Socket 10 is created for rad 'TOTPRadius'.
[807] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'VPN-Local-Group'
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1900] handle_req-r=4
[828] __rad_rxtx-fd 10, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[605] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (14)-02 9D 00 0E 01 73 75 70 70 6F 72 74 32 31
[588] __create_access_request-Created RADIUS Access-Request. Len: 141.
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 172.16.10.231:1812, source address is null, protocol number is 17, oi
f id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'TOTPRadius': fd=10, IP=172.16.10.231(172.16.10.231:1812) code=1 id=94 len=141
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 10, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 80 bytes. Buf sz 8192
[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1148] __rad_chk_resp_authenticator-ret=0
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 11
[912] __rad_rxtx-
[1286] fnbamd_rad_process-Result from radius svr 'TOTPRadius' is 2, req 1000760094741
fnbamd_dbg_hex_pnt[49] EAP msg from server (22)-01 9E 00 16 04 10 39 93 7F 9E 4F 73 7A EB 7E CA 8C E8 B2 9C FE 07
[1485] fnbamd_rad_process-Challenged: 1, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 16
[239] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 1000760094741, len=6710
ike V=root:0:FC-LDAP-AUTH:338565 EAP 1000760094741 result FNBAM_CHALLENGED
ike V=root:0:FC-LDAP-AUTH: EAP challenged for user "MG4"
ike V=root:0:FC-LDAP-AUTH:338565: responder preparing EAP pass through message
ike 0:FC-LDAP-AUTH:338565: enc 0000001A019E0016041039937F9E4F737AEB7ECA8CE8B29CFE07050403020105
ike 0:FC-LDAP-AUTH:338565: out D264B77317AF4890717371AE441C596B2E202320000000020000006030000044D36D72CC7AB48368B8A0CE4BA15049986A4AB2EB290315524CE4CFCD745E6EF4F78167C2
0EF12AA5A3C66544ECDF1B544AFC9B5539EADA451207E08A17336944
ike V=root:0:FC-LDAP-AUTH:338565: sent IKE msg (AUTH_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=96, vrf=0, id=d264b77317af4890/717371ae441c596b:00000002, oi
f=23
[1251] fnbamd_rad_pause-Pausing TOTPRadius:172.16.10.231.
[1255] fnbamd_rad_pause-Stop rad conn timer.
[784] __rad_del_job_timer-
[1259] freeze_auth_session-
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=80....
ike V=root:0: IKEv2 exchange=AUTH id=d264b77317af4890/717371ae441c596b:00000003 len=80
ike 0: in D264B77317AF4890717371AE441C596B2E202308000000030000005030000034CE1B910E2A57C3CBF5E5C45049EF84FD6CB18D6D82E19C0550786F7734C437A4AB468DEBB456B6322EFB59A464948
00A
ike 0:FC-LDAP-AUTH:338565: dec D264B77317AF4890717371AE441C596B2E202308000000030000002B300000040000000B029E0007031A06
ike V=root:0:FC-LDAP-AUTH:338565: responder received EAP msg
ike V=root:0:FC-LDAP-AUTH:338565: send EAP message to FNBAM
ike V=root:0:FC-LDAP-AUTH: EAP 1000760094741 pending
[2336] handle_req-Rcvd chal rsp for req 1000760094741
[1276] unfreeze_auth_session-
[1056] fnbamd_auth_send_chal_rsp-svr_type=2, idx=0
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[1330] fnbamd_rads_resume-
[1292] fnbamd_rad_resume-TOTPRadius:172.16.10.231, addr 172.16.10.231
[1315] fnbamd_rad_resume-state 2.
[807] __rad_add_job_timer-
[828] __rad_rxtx-fd 10, state 2(Challenged)
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[677] fnbamd_rad_make_chal_request-
[328] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (7)-02 9E 00 07 03 1A 06
[588] __create_access_request-Created RADIUS Access-Request. Len: 152.
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 172.16.10.231:1812, source address is null, protocol number is 17, oi
f id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'TOTPRadius': fd=10, IP=172.16.10.231(172.16.10.231:1812) code=1 id=95 len=152
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 10, state 2(Challenged)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 44 bytes. Buf sz 8192
[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1148] __rad_chk_resp_authenticator-ret=0
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 3
[1028] __rad_error-Ret 1, st = 2.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot ??
[1077] __rad_error-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[1286] fnbamd_rad_process-Result from radius svr 'TOTPRadius' is 1, req 1000760094741
fnbamd_dbg_hex_pnt[49] EAP msg from server (4)-04 9E 00 04
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[887] update_auth_token_session-mfa_mandatory is off, only success results may require 2fa
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1000760094741, len=6692
ike V=root:0:FC-LDAP-AUTH:338565 EAP 1000760094741 result FNBAM_DENIED
ike V=root:0:FC-LDAP-AUTH: EAP failed for user "MG4"
[1347] fnbamd_rads_destroy-
ike V=root:0:FC-LDAP-AUTH:338565: responder preparing EAP pass through message
[516] fnbamd_rad_auth_ctx_free-Freeing 'TOTPRadius' ctx
ike 0:FC-LDAP-AUTH:338565: enc 00000008049E00040706050403020107
[1219] fnbamd_rad_auth_ctx_uninit-
ike 0:FC-LDAP-AUTH:338565: out D264B77317AF4890717371AE441C596B2E20232000000003000000503000003456EBF8D8B71B7ED3580748A3C38FEE001E30825E62ED0D40BC5385F69957C0709105D7D8
7D81AC78FC4E98C53DACF324
[964] __rad_conn_stop-Stop rad conn timer.
ike V=root:0:FC-LDAP-AUTH:338565: sent IKE msg (AUTH_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=80, vrf=0, id=d264b77317af4890/717371ae441c596b:00000003, oi
f=23
ike V=root:0:FC-LDAP-AUTH: connection expiring due to EAP failure
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing TOTPRadius, ref:2
ike V=root:0:FC-LDAP-AUTH: going to be deleted
[41] __rad_server_free-Freeing 172.16.10.231, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[902] fnbamd_pop3s_destroy-
[1070] fnbamd_ext_idps_destroy-
[2366] handle_req-Rcvd abort req for 1000760094741
[2381] handle_req-Can't abort, no active req 1000760094741
ike :shrank heap by 335872 bytes

diagnose debug disable
FG-100F (root) # diag debug app fnbamd 0

AEK

SuperUser

Hi MG4

On your FGT > RADIUS server config, is the authentication method MS-CHAP-v2?
Can you just test the VPN by disable token for the user on your RADIUS server and try again?

AEK

Hhev1

New Member

That may not work. Not mentioned in the fortinet guide, but in a different one https://www.token2.com/site/page/hardware-tokens-for-pptp-vpn-on-windows-server-using-totpradius seems like it only works in PAP

Hhev1

New Member

Try with authentication type set as PAP
As TOTPradius needs to split the password, other methods may not work

MG4Author

Explorer III

Yeah, only PAP or "Default" works. Other authentication methods don't work.

AEK

SuperUser

So if I understand well with this PAP config you just need to concatenate your TOTP with the password, and it should work well.

AEK

Hhev1

New Member

Exactly

MG4AuthorAnswer

Explorer III

AEK

SuperUser

If you don't have FortiAuthenticator then you can try FreeRadius. It is a very powerful RADIUS server and as far as I know it supports MS-CHAP-v2.

AEK

MG4Author

Explorer III

Hi AEK,

I wanted an authentication method using YubiKey without having to purchase an appliance for just 5–10 users. At first, TOTPRadius seemed like a great option, but it no longer does.

On the bright side, I finally figured out how to use certificate authentication with smartcards on FortiGate and LDAPS behind the scenes. So at least I have an alternative solution for my other issue. I guess I was too fixated on LANCOM’s VPN client not being able to read smartcards like the YubiKey, whereas FortiClient works perfectly.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded