michaeladriannewton
New Member
January 12, 2017
Question

XAUTH Authentication Failed

  • January 12, 2017
  • 3 replies
  • 43806 views

Hi,

I've created an L2TP/IPsec VPN connection for remote users. Authentication is provided by LDAP.

Unfortunately, during P1 negotiations I get the error 'XAUTH Authentication Failed' returned on the firewall. This is also reflected on the client's machine, with the error 'Wrong Credentials' being displayed in FortiClient.

I attempted to create a local user with local firewall authentication, but I get the same error message.

If anyone has any ideas on what this could be, I would be grateful. It's driving me nuts.

Kind regards

Michael

    3 replies

    emnoc
    New Member
    January 12, 2017

    A snippet of what you have configured for either LDAP or local-user would be helpful.

    For the former you have a few diag test commands that you can explore to check user/password.

    e.g.

    FGT100DNYCNYNY4 (root) $ diag test authserver ldap "MYLDAPSERV" ken.felix MYPASSWORDHERE
    authenticate 'ken.felix' against 'MYLDAPSERV' succeeded!
    ( output is redacted )

    Using this approach, validate the:

    1: search binding

    2: username

    3: password

    4: communication path

    Ken

     

    michaeladriannewton
    New Member
    January 13, 2017

    Hi Ken,

    We're running 2 x 100D in HA. Both are running a variant of 5.2.

    I've created an LDAP connection to a primary DC. I'm able to test the connection to the DC via the GUI. The test runs successfully.

    I'm able to query the CN and pull the user information from the CN.

    The LDAP server is titled Primary_LDAP.

    I've then created a new user account from 'Users'. I've queried Primary_LDAP and selected the required user from the CN.

    I created a user group called LDAP_User_Group, put the user into this group and added Primary_LDAP as the remote server.

    In the VPN XAUTH setup, I have selected Primary_LDAP to authenticate. I've also added the LDAP_User_Group to the source of the VPN policy.

    I ran your test and it failed to authenticate the LDAP user. Local firewall users also do not work with the VPN connection.

    Any ideas greatly appreciated.

    Kind regards

    Michael

    xsilver_FTNT
    Staff
    January 17, 2017

    Hi Michael,

    In the L2TP/IPsec setup there should be a user group and auth in L2TP.

    IPsec/phase2 should be in transport mode ... "set encapsulation transport-mode".

    And the combo with LDAP reminds me that the PPTP/L2TP protocols support the PAP auth protocol only, no CHAP, by design.

    Not sure if it's still in there, but the FortiOS CLI guide had a clear statement ...

    --- cit ---
    "LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Packet Authentication Protocol) is supported and CHAP (Challenge Handshake Authentication Protocol) is not."
    --- cit ---

    MS Windows uses MSCHAP or MSCHAPv2 by default! Android 2.3.5 and above uses the MSCHAP protocol.

    AUTHENTICATION TEST RESULTS:
    - local user - OK
    - LDAP - not working (as expected and documented)
    - Radius - OK

    MS Windows and how to change the host authentication method - step 11 shows where to change the auth method:
    http://kb.cyberoam.com/default.asp?id=1941&Lang=1&SID=#MSWindowsXPConfiguration

    If you do not have to use L2TP, then I'd strongly recommend to use IPsec only.
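    The reply above states that LDAP-backed users work with PAP but not with CHAP or MS-CHAP, which is what Windows and Android clients send by default. The following Python script is an added illustration of why that is; it is not FortiGate code and not part of this thread. It models a directory that only offers a simple bind (the one operation an LDAP server exposes for password checking) and shows that a PAP packet can be forwarded to that bind, while a CHAP response (RFC 1994: MD5 over identifier, secret and challenge) can only be checked by a verifier that already holds the cleartext secret, such as a local user database or a RADIUS server with the password on file. Forwarding the CHAP hash to a bind simply fails, which is exactly the "wrong credentials" symptom seen with a correct password. The user name, password and challenge bytes are constructed sample values.

```python
"""Why LDAP bind can verify PAP but not CHAP (added illustration, not FortiOS code)."""
import hashlib
import hmac

# Constructed sample directory. A real LDAP server never hands out this
# password; the only thing a VPN gateway can do with it is call bind().
_DIRECTORY = {"ken.felix": "correct horse battery staple"}


def ldap_bind(username: str, password: str) -> bool:
    """Simulated LDAP simple bind: true if the supplied password is right."""
    stored = _DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


# ---- PAP (RFC 1334): the client sends user name + cleartext password ----
def pap_client(username: str, password: str) -> dict:
    return {"user": username, "password": password}


def pap_verify_via_ldap(pkt: dict) -> bool:
    # The gateway holds the cleartext, so it can simply try a bind with it.
    return ldap_bind(pkt["user"], pkt["password"])


# ---- CHAP (RFC 1994): the client sends MD5(id || secret || challenge) ----
def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_client(username: str, password: str, ident: int, challenge: bytes) -> dict:
    # The password itself never leaves the client; only the hash does.
    return {
        "user": username,
        "id": ident,
        "challenge": challenge,
        "response": chap_response(ident, password, challenge),
    }


def chap_verify_with_secret(pkt: dict, secret: str) -> bool:
    # Works only for a backend that stores the cleartext secret (local user DB,
    # RADIUS with reversible password). MS-CHAPv2 needs the NT hash instead,
    # which an LDAP directory does not expose either.
    expected = chap_response(pkt["id"], secret, pkt["challenge"])
    return hmac.compare_digest(expected, pkt["response"])


def chap_verify_via_ldap(pkt: dict) -> bool:
    # The gateway has no cleartext to bind with. The best it can do is bind
    # with the hash it received, and the directory rejects that every time,
    # even when the user typed the correct password.
    return ldap_bind(pkt["user"], pkt["response"].hex())


def demo() -> dict:
    """Run both methods with the correct password against the simulated directory."""
    user, password = "ken.felix", "correct horse battery staple"
    challenge = bytes(range(16))  # constructed 16-byte challenge
    chap_pkt = chap_client(user, password, ident=7, challenge=challenge)
    return {
        "pap_via_ldap": pap_verify_via_ldap(pap_client(user, password)),
        "chap_via_local_secret": chap_verify_with_secret(chap_pkt, password),
        "chap_via_ldap": chap_verify_via_ldap(chap_pkt),
    }


if __name__ == "__main__":
    for method, ok in demo().items():
        print(f"{method:24s} {'OK' if ok else 'FAILED'}")
```

    Run as-is it reports PAP over LDAP and CHAP against a local secret as OK, and CHAP over LDAP as FAILED, matching the test results listed in the reply. On the client side this is why the PPP authentication method has to be changed to PAP when the backend is LDAP; with PAP, the L2TP traffic still travels inside the IPsec tunnel, so the cleartext password is not exposed on the wire between client and gateway.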

     

    misterpimpa
    New Member
    February 15, 2017

    Try to use domain admin for ldap server user