Eric_Baldwin
New Member
January 16, 2017
Question

IPSec VPN with Active Directory Authentication

  • January 16, 2017
  • 2 replies
  • 17558 views

I have created a VPN tunnel with the Windows Dialup Template and used a group within the VPN setup that it looks to for authentication. I created a local firewall test user, placed it in the group, and found that all works successfully. I am able to ping my local servers while connecting through a Verizon hotspot or a remote network.

I created a user from Active Directory by going to firewall users and selecting LDAP user. After placing this user into the VPN group I am not able to authenticate. I've made sure my DC DNS servers are specified and tried different security options on the Windows 7 side, for example PAP, CHAP, CHAP v2.

Any suggestions?

I have a FortiGate 100D on 5.4.3 build 1111

    2 replies

    brycemd
    New Member
    January 17, 2017

    Ensure you are using the correct username. By default for the LDAP server, IIRC, it is by 'cn', not 'sAMAccountName', which means the username would be the full name. Either try the full name or change the LDAP server Common Name Identifier from cn to sAMAccountName.

    Heyro
    New Member
    January 17, 2017

    In our company we use firstname.lastname as credentials. When using "CN" in the Common Name Identifier field, the users authenticate with firstname lastname. Instead of the "." they have to use a space. Changing this to "sAMAccountName" in the Common Name Identifier field solved the problem.

    CodeTron
    Explorer II
    April 5, 2017

    Make sure that you have the following in your LDAP connection string:

    Common name identifier : sAMAccountName

    and the user name should be in this format:

    CN=administrator,CN=Users,DC=domain,DC=com


    Note: replace domain with your domain name
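The replies above all come down to the same mechanism: the firewall first binds with its regular bind account (the `CN=administrator,CN=Users,DC=domain,DC=com` style DN), searches the base DN for an entry whose Common Name Identifier attribute equals the typed username, and then binds as that entry with the user's password. The Python below is an added illustration of that flow, not FortiGate code; the directory contents, passwords and the `john.smith` account are constructed, and the bind/search functions are simple stand-ins for a real LDAP server.

```python
from typing import Optional

# Constructed stand-in for a small AD domain (not a real directory).
CONSTRUCTED_DIRECTORY = [
    {"dn": "CN=administrator,CN=Users,DC=domain,DC=com",
     "cn": "administrator", "sAMAccountName": "administrator", "password": "bindpw"},
    {"dn": "CN=John Smith,CN=Users,DC=domain,DC=com",
     "cn": "John Smith", "sAMAccountName": "john.smith", "password": "s3cret"},
]
BASE_DN = "DC=domain,DC=com"
BIND_DN = "CN=administrator,CN=Users,DC=domain,DC=com"  # the firewall's regular bind DN


def ldap_filter(cnid: str, login: str) -> str:
    """Build the search filter the firewall would send, escaping the typed login
    per RFC 4515 so characters like '*' and '(' cannot alter the filter."""
    escaped = "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in login)
    return f"({cnid}={escaped})"


def bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: DN and password must match one entry."""
    return any(e["dn"].lower() == dn.lower() and e["password"] == password
               for e in CONSTRUCTED_DIRECTORY)


def find_user_dn(cnid: str, login: str, base_dn: str) -> Optional[str]:
    """Simulated subtree search under base_dn for (cnid=login); AD attribute
    matching is case-insensitive, so compare lower-cased values."""
    for e in CONSTRUCTED_DIRECTORY:
        if (e["dn"].lower().endswith(base_dn.lower())
                and e.get(cnid, "").lower() == login.lower()):
            return e["dn"]
    return None


def authenticate(cnid: str, bind_pw: str, login: str, password: str) -> str:
    """The three-step check the firewall performs; returns a status string."""
    if not bind(BIND_DN, bind_pw):          # step 1: regular bind account
        return "regular bind failed"
    user_dn = find_user_dn(cnid, login, BASE_DN)
    if user_dn is None:                     # step 2: no entry matched the CNID
        return "user not found"
    if not bind(user_dn, password):         # step 3: bind as the user
        return "bad password"
    return "ok"
```

With `cnid="cn"` the login `john.smith` finds nothing (the entry's cn is `John Smith`), which is exactly the failure described in the thread; switching the CNID to `sAMAccountName` makes the same login succeed.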