secret104278
New Member
September 21, 2019
Question

LDAP only works with Cisco IPsec but not L2TP/IPsec on Fortigate


Hello all,

Does LDAP only work with Cisco IPsec but not L2TP/IPsec?

I am trying to set up a VPN for remote access with LDAP, which is hosted on a Synology NAS. It works well with Cisco IPsec, but when I switch to L2TP/IPsec, only RADIUS works.

I want to use L2TP/IPsec because I want my clients to be able to connect from Windows natively.

Besides, I'm not considering using SSL VPN because I have some embedded devices that need to connect to the VPN, and SSL VPN doesn't have a standard.

Is this related to PAP, MSCHAP or something else? What is the difference between Cisco IPsec and L2TP/IPsec under Fortigate?


emnoc
New Member
September 21, 2019

What do you mean by Cisco/IPsec? Are you using the Cisco IPsec client? As far as LDAP goes, LDAP is just that: LDAP. You should be able to authenticate LDAP requests. What I would do is test the LDAP auth via the CLI and confirm.

e.g.

      diagnose test authserver ldap <server_name> <username> <password>

Define the LDAP server and then test using a test account.


Ken Felix


secret104278
New Member
September 21, 2019

"Cisco IPsec" means the FortiGate IPsec tunnel template "iOS Native",

"L2TP/IPsec" means the FortiGate IPsec tunnel template "Windows Native".

When "L2TP/IPsec" + RADIUS, the VPN will work on iOS, macOS, Windows, Android.

When "L2TP/IPsec" + LDAP, the VPN doesn't work at all.

When "Cisco IPsec" + LDAP, the VPN will work on iOS, macOS.

There is a system error log when using "L2TP/IPsec" + LDAP saying that the Fortigate failed to communicate with LDAP by MSCHAPv2.

I heard somebody say that LDAP requires a clear-text password and only accepts PAP. If this is true, how can I configure the Fortigate to use PAP with LDAP? Besides, why can the Fortigate communicate with LDAP well under "Cisco IPsec", and what protocol does it use?
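An added illustration (not code from this thread, from Fortinet or from Synology) of why a gateway that can only perform an LDAP simple bind can verify PAP but not MS-CHAPv2: PAP hands the gateway the cleartext to bind with, while a challenge-response can only be checked by something that holds the password hash, as a RADIUS server backed by the account store does. The account, the two backends and the gateway logic are constructed for the example, and HMAC-SHA1 stands in for MS-CHAPv2's real MD4/DES construction so it runs with the standard library only.

```python
import hashlib
import hmac

# Constructed sample account; only the backends below ever see the cleartext.
_PASSWORD_DB = {"alice": "correct horse battery staple"}


def password_hash(password: str) -> bytes:
    """Password-equivalent secret (real MS-CHAPv2: MD4 over the UTF-16LE password)."""
    return hashlib.sha1(password.encode("utf-16-le")).digest()


def challenge_response(challenge: bytes, pw_hash: bytes) -> bytes:
    """The client's answer to the gateway's challenge. It is derived from the hash,
    so the verifier needs that hash too (stand-in for RFC 2759 ChallengeResponse)."""
    return hmac.new(pw_hash, challenge, hashlib.sha1).digest()


class LdapBindBackend:
    """An LDAP directory answers only 'does this bind succeed?'; it never hands out
    a password hash, so it cannot help recompute a challenge-response."""

    def bind(self, user: str, password: str) -> bool:
        return _PASSWORD_DB.get(user) == password

    def get_hash(self, user: str):
        return None  # a simple bind exposes no password-equivalent secret


class RadiusBackend(LdapBindBackend):
    """A RADIUS server with access to the password store (as NPS with AD has)."""

    def get_hash(self, user: str):
        pw = _PASSWORD_DB.get(user)
        return None if pw is None else password_hash(pw)


def authenticate(backend, user, method, password=None, challenge=None, response=None):
    """Gateway-side PPP authentication for the two methods compared in the thread."""
    if method == "pap":
        # The cleartext arrives inside the IPsec tunnel and is forwarded to a bind.
        return backend.bind(user, password)
    if method == "mschapv2":
        pw_hash = backend.get_hash(user)
        if pw_hash is None:
            return False  # nothing to compare against: this is the LDAP failure case
        return hmac.compare_digest(challenge_response(challenge, pw_hash), response)
    raise ValueError(f"unsupported PPP auth method: {method}")
```

The same distinction explains the "iOS Native" template: XAuth delivers the username and password themselves to the gateway inside the IKE exchange, so an LDAP bind can check them directly.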

emnoc
New Member
September 21, 2019

More confusion, but LDAP has nothing to do with PAP, MS-CHAP, MS-CHAPv2 etc. Sounds like you're using RADIUS for the VPN and the back end is LDAP for the authenticator?

What is your RADIUS server? Do you have, or have you allowed, support for PAP within the RADIUS client profile?

If the VPN is using RADIUS for authentication, what is the auth-type set as?

CLI config for the RADIUS server:

# a typical cfg would look like this
config user radius
    # one entry per RADIUS server; auth-type selects the method the FortiGate uses toward it
    edit WindowsNPS
        set auth-type auto|pap|chap|ms_chap
    next
end


Ken Felix