PPTP VPN user authentication over LDAP Server Problem
Hi All,
I have a 311B Fortigate, version 5.2.1.
I have recently tried to configure PPTP VPN, authenticating against an LDAP domain controller: first creating the users, then the user group, and then configuring LDAP. When I finish the LDAP configuration, the test is successful, but when I try to connect to the VPN, it fails. After many unsuccessful PPTP VPN connections, I looked at the policy and put an any-to-any policy on the WAN interface at the top of the policy list, but this didn't help fix the problem.
To delve into this VPN problem, I just created a local user on the Fortigate, and the PPTP VPN connection works without any change to the current PPTP VPN configuration. In other words, local-user VPN is okay, but authenticating users with LDAP is not working.
As I provide some logs and configuration in the following section, can you please advise how I can overcome this VPN problem?
BAL_FTG # sh user ldap
config user ldap
    edit "vitdc002"
        set server "10.10.49.231"
        set cnid "sAMAccountName"
        set dn "cn=users,dc=tiv,dc=org,dc=com"
        set type regular
        set username "Erdal Eker"
        set password ENC EG*******************
        set secure ldaps
        set port 636
    next

BAL_FTG # sh vpn pptp
config vpn pptp
    set status enable
    set eip 10.10.10.100
    set sip 10.10.10.1
    set usrgrp "pptp_user_group"
end
BAL_FTG #
BAL_FTG # sh user group pptp_user_group
config user group
    edit "pptp_user_group"
        set member "erdal" "SChakravarti" "pptp_user_01" "Train2" "pptp_user_02" "nbarboussas" "eeker" "vitdc002"
        config match
            edit 1
                set server-name "vitdc002"
                set group-name "CN=Domain Users,CN=Users,DC=tiv,DC=org,DC=com"
            next
        end
    next
end
BAL_FTG #
-------------------------------------------------------
LDAP user quick test:
BAL_FTG # diag test authserver ldap vitdc002 erdal *****
..
......
fnbamd_ldap.c[135] __ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=tiv,DC=org,DC=com
fnbamd_auth.c[2194] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.49.231 is SUCCESS
....
.......
-------------------------------------------------------------------------------
Some log when trying PPTP VPN access:
BAL_FTG (ldap) # fnbamd_fsm.c[1819] handle_req-Rcvd auth req 233 for eeker in pptp_user_group opt=0 prot=4
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'pptp_user_group'
fnbamd_pop3.c[573] fnbamd_pop3_start-eeker
fnbamd_auth.c[300] radius_start-Didn't find radius servers (0)
fnbamd_auth.c[685] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_fsm.c[420] create_auth_session-Error starting authentication
fnbamd_fsm.c[1838] handle_req-Error creating session
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 3 for req 233
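As an added illustration (not part of the original post and not a Fortinet tool), here is a small Python parser that turns an fnbamd debug trace like the one above into a summary of which authentication backends fnbamd tried to start for the request and which result code it sent back, so the trace can be compared against the `sh user group` output. The sample log is constructed from the lines quoted above; the regexes and the list of backend names are assumptions derived from those lines only.

```python
import re

# Constructed sample: the fnbamd debug messages quoted in the post, one per line.
SAMPLE_LOG = """\
fnbamd_fsm.c[1819] handle_req-Rcvd auth req 233 for eeker in pptp_user_group opt=0 prot=4
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'pptp_user_group'
fnbamd_pop3.c[573] fnbamd_pop3_start-eeker
fnbamd_auth.c[300] radius_start-Didn't find radius servers (0)
fnbamd_auth.c[685] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_fsm.c[420] create_auth_session-Error starting authentication
fnbamd_fsm.c[1838] handle_req-Error creating session
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 3 for req 233
"""
REQ_RE = re.compile(r"Rcvd auth req (\d+) for (\S+) in (\S+) opt=(\d+) prot=(\d+)")
RESULT_RE = re.compile(r"Sending result (\d+) for req (\d+)")
BACKENDS = ("ldap", "pop3", "radius", "tac_plus")  # assumed names, as seen in "<name>_start"

def summarize_auth_request(log_text):
    """One fnbamd auth attempt -> who asked, which backends were tried, result code."""
    s = {"req": None, "user": None, "group": None, "prot": None,
         "backends": {}, "session_error": False, "result": None}
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            s.update(req=int(m.group(1)), user=m.group(2),
                     group=m.group(3), prot=int(m.group(5)))
        for name in BACKENDS:
            if f"{name}_start" in line:
                # "Didn't find ... servers" means nothing was configured for that backend
                s["backends"][name] = "no servers" if "Didn't find" in line else "started"
        if "Error starting authentication" in line:
            s["session_error"] = True
        m = RESULT_RE.search(line)
        if m and (s["req"] is None or int(m.group(2)) == s["req"]):
            s["result"] = int(m.group(1))
    return s

def findings(s):
    """Observations to check against 'sh user group': was the LDAP server consulted?"""
    notes = []
    if "ldap" not in s["backends"]:
        notes.append("req %s: no LDAP backend started; only %s tried"
                     % (s["req"], ", ".join(sorted(s["backends"]))))
    if s["session_error"]:
        notes.append("req %s: fnbamd could not create an auth session (result %s)"
                     % (s["req"], s["result"]))
    return notes

if __name__ == "__main__":
    for note in findings(summarize_auth_request(SAMPLE_LOG)):
        print("-", note)
```

Run on the trace above it reports that no LDAP backend was started for request 233 even though the group's only `config match` entry points at the LDAP server "vitdc002", which is the gap to investigate.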