IKEV2 + LDAP + MFA

Question

Hi,

We have recently understood that IKEV1 is being phased out and we are currently studying IKEV2 for our IPSEC Dialup connections.

We are a Windows house so we will be using LDAP for our users and I would like to know if anyone can provide feedback about which MFA or 2FA they are using and any associated problems.

I have seen varying information that stated that if we use EAP-MSCHAPV2 we cannot use FortiToken with LDAP accounts. And if we use EAP-TTLS we must have EMS licences but Fortitokens might still be possible.

Can someone confirm which setup the have successfully setup, it must be a LDAP setup and which MFA they are using and any roadblocks that they have come across.

Cheers

funkylicious · Answer

hi,you can enable EAP-TTLS even tho you dont have EMS license, https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-tunnel-fails-when-LDAP-based-usergroup-is/ta-p/214966#:~:text=add%20the%20same-,%3Ceap_method%3E2%3C/eap_method%3E,-under%20the%20tunnel%27s https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-EAP-TTLS-for-IPSec-IKEv2-tunnels-in/ta-p/408602  you can either use RADIUS/NPS w/ IKEv2 and FortiToken, https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-Dialup-IPsec-tunnel-with-RADIUS-and/ta-p/220818 or you can try IKEv2 w/ SAML and a IdP like Okta, DUO, FortiAuth or even Keycloak

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded