FortiGate
jiahoong112 (Staff)
Article Id 416188
Description

This article describes how to configure an IKEv2 dial-up IPsec VPN in which both IKE peer authentication and user authentication are certificate-based. FortiGate is the IPsec VPN server and FortiClient is the client. FortiAuthenticator generates and manages the certificates, and Windows Active Directory is used as the LDAP authentication server.

The user certificate carries the user's userPrincipalName (UPN) in the Other Name entry of the Subject Alternative Name (SAN) extension. This value must match the userPrincipalName attribute of the user object in Windows AD, because the FortiGate searches the LDAP server for exactly that value when it validates the certificate.

Scope

FortiOS v7.4.x, v7.6.x, FortiAuthenticator, FortiClient.
Solution

Table of Contents:

Section 1 - Windows AD LDAP
Section 2 - FortiAuthenticator
Section 3 - FortiGate
Section 4 - Client Device
Section 5 - Troubleshooting

Section 1 - Windows AD LDAP: The screenshot shows the users that have been configured in the LDAP server.

 

image.png

The user in this example is 'test1'; its userPrincipalName (UPN) is 'test1@POING.local'.

 

Section 2 - FortiAuthenticator: In FortiAuthenticator, the root CA certificate and the server and user certificates are generated. They are used for both IKE peer authentication and user authentication.

Create the Root CA Certificate under Certificate Management -> Certificate Authorities -> Local CAs:

 

image.png

 

The CN of the root CA should be the FQDN of the FortiAuthenticator, shown in System -> Dashboard -> Status under the System Information widget as Device FQDN. In this example the Device FQDN is 10.56.242.190, so that value is used as the CN of the root CA (it appears later as the issuer name in the IKE debug output).

Export the newly created Root CA Certificate. It must be imported into the FortiGate and installed on the client device (Trusted Root Certification Authorities store in Windows). Export only the certificate here, not the CA private key; the CA key should never leave the FortiAuthenticator.

 

image.png

 

Create the Server Certificate. This certificate is imported into the FortiGate and presented by the dial-up IPsec tunnel during IKEv2 authentication, so that the client can verify the gateway (mutual authentication):

 

image.png

 

After the server certificate has been created, select it, select the 'Export Key and Cert' button, and set a password. This downloads a .pfx (PKCS #12) bundle containing the certificate and its private key, which is then imported into the FortiGate. Protect this file and its password; whoever holds them can impersonate the VPN gateway.

 

image.png

 

Create the User Certificate. This certificate is installed on the user's machine and used to authenticate to the VPN. Under the 'Other Subject Alternative Name' section, set the UPN field to the user's userPrincipalName exactly as it appears in the LDAP server; this is the value the FortiGate later searches for. In this case, the test user 'test1' has a userPrincipalName of 'test1@POING.local'.

 

image.png

 

image.png

 

After the user certificate has been created, select it, select the 'Export Key and Cert' button, and set a password. This downloads a .pfx (PKCS #12) bundle containing the certificate and its private key, which is then imported into the client device. Deliver the file and the password to the user over separate channels.

 

image.png

 

Section 3 - FortiGate: On the FortiGate, import the root CA certificate and the server certificate, then create the LDAP server, the PKI (peer) user and the IKEv2 dial-up IPsec tunnel.

Import the root CA certificate. Go to System -> Certificates and select Create/Import -> CA Certificate. After uploading the root CA certificate, it should look like this (note the name FortiOS assigns it, CA_Cert_4 in this example; the PKI user references that name):

 

image.png

 

Import the server certificate. This certificate is used by the IKEv2 dial-up tunnel with authentication method Signature instead of Pre-Shared Key. Go to System -> Certificates and select Create/Import -> Certificate. Select Import Certificate, set Type to PKCS #12 Certificate, upload the .pfx server certificate and enter its password. After a successful import, it should look like this:

 

image.png

 

Create the LDAP server. Go to User & Authentication -> LDAP Servers. Set the Common Name Identifier to userPrincipalName instead of cn, so that the FortiGate searches on the same attribute that the user certificate carries in its SAN. Use a dedicated read-only bind account rather than a domain administrator, and use LDAPS so that the bind credentials are not sent in clear text:

 

image.png

 

Create the PKI (peer) user through the CLI:

image.png

  • Under 'set ca', select the root CA certificate imported above.
  • Under 'set mfa-server', select the LDAP server created above.
  • 'set mfa-mode subject-identity' makes the FortiGate take the unique identifier from the certificate (here the UPN in the SAN) and look it up in the LDAP server, instead of prompting the user for a password. Related document: Using the SAN field for LDAP-integrated certificate authentication

 

IKEv2 dial-up IPsec configuration:

image.png

  • 'authmethod' is set to signature instead of the default pre-shared key.
  • 'certificate' is the server certificate imported earlier; the FortiGate presents it to the client.
  • 'peer' is the PKI user created earlier; only client certificates that chain to its CA and whose UPN is found in the LDAP server are accepted.
  • Either a split tunnel or a full tunnel can be configured.

 

Firewall policy configuration:

image.png

  • Configure the user group on either the IPsec tunnel or the firewall policy, not both. Here the peer is enforced on the tunnel, so the policy carries no group.
  • In this case, this is a full-tunnel IPsec VPN, so all client traffic is routed through the tunnel.
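The complete FortiGate-side configuration for Section 3, written out as an added example rather than the configuration captured in the screenshots. Object names follow the debug output later in this article (LDAP server 'ldap', CA certificate 'CA_Cert_4', PKI user 'fctipsecdialup', tunnel 'fct', bind account and base DN); the interface names port1/port2, the server certificate name 'server_cert', the client address pool 10.10.10.0/24 and the LDAPS settings are assumptions for illustration. The lines starting with '#' are explanatory comments and are not FortiOS CLI.

```fortios
# LDAP server. Address, bind account and base DN are taken from the debug output
# in Section 5. LDAPS on 636 with identity checking is an assumption; a
# dedicated read-only bind account is recommended over Administrator.
config user ldap
    edit "ldap"
        set server "10.191.1.231"
        set cnid "userPrincipalName"
        set dn "DC=POING,DC=local"
        set type regular
        set username "POING\\Administrator"
        set password <bind-account-password>
        set secure ldaps
        set port 636
        set server-identity-check enable
    next
end

# PKI (peer) user. 'CA_Cert_4' is the name FortiOS gave the imported root CA.
# subject-identity makes fnbamd look the certificate's SAN UPN up in LDAP
# instead of prompting for a password.
config user peer
    edit "fctipsecdialup"
        set ca "CA_Cert_4"
        set mfa-mode subject-identity
        set mfa-server "ldap"
    next
end

# IKEv2 dial-up tunnel. 'authmethod' must precede 'certificate' and 'peertype'
# must precede 'peer', or the CLI rejects the dependent command.
# For a split tunnel, add: set ipv4-split-include "<address object>"
config vpn ipsec phase1-interface
    edit "fct"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype peer
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod signature
        set certificate "server_cert"
        set peer "fctipsecdialup"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
    next
end

config vpn ipsec phase2-interface
    edit "fct"
        set phase1name "fct"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Address object for the client pool, so the policy does not match 'all'.
config firewall address
    edit "fct-pool"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Full-tunnel policy: client traffic enters on the tunnel interface and leaves
# via the WAN interface with NAT. No user group on the policy, because the peer
# is already enforced on the tunnel.
config firewall policy
    edit 0
        set name "fct-dialup-full-tunnel"
        set srcintf "fct"
        set dstintf "port1"
        set srcaddr "fct-pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

If internal resources sit behind a second interface (port2 in this layout), add a second policy from "fct" to that interface without NAT; the peer check on the tunnel still applies to both.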

 

Section 4 - Client Device: Install the root CA certificate into the Trusted Root Certification Authorities store:

 

image.png

 

Install the user certificate into the Personal store. Because it is a .pfx file, the password set when the user certificate was exported from FortiAuthenticator has to be entered:


image.png

 

Inside the Windows Certificate Manager, the certificates should then look like this:

Root CA Certificate:

 

image.png

 

User Certificate:


image.png

 

FortiClient configuration (FortiClient v7.4.3 in this example); the connection uses IKEv2 with certificate authentication and the user certificate installed above:

 

image.png

 

Upon successful connection to the IPsec dial-up VPN, the connected user appears on the FortiGate as follows:


image.png

 

Section 5 - Troubleshooting:

Enable IKE and fnbamd debugging on the FortiGate (fnbamd is the daemon that performs the certificate chain check and the LDAP lookup):

diagnose debug console timestamp enable

diagnose debug application ike -1

diagnose debug application fnbamd -1

diagnose debug enable
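An added example of how to scope the debug session to one client, clean it up afterwards, and confirm the result without debug output; it is not part of the original article, and the client address 203.0.113.10 is a placeholder. The lines starting with '#' are comments, not CLI.

```fortios
# Limit IKE debug to the one client so other tunnels do not flood the console.
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable
# ... reproduce the connection attempt from FortiClient ...
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
# Confirm the outcome: a connected peer is listed with its assigned address.
diagnose vpn ike gateway list name fct
get vpn ipsec tunnel name fct
```

Always run 'diagnose debug disable' and 'diagnose debug reset' when done; debug at level -1 stays enabled across sessions and adds CPU load.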

 

Successful authentication attempt:

 

image.png

 

Failed authentication attempt, reproduced by disabling the matching user on the LDAP server (screenshot):

 

image.png

 

The same failed attempt (user disabled in AD) as text, with IKE and fnbamd debug interleaved. Key lines to look for: the certificate chain validates against 'CA_Cert_4', fnbamd then searches LDAP with the filter (&(userPrincipalName=test1@POING.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))), which excludes accounts with the ACCOUNTDISABLE bit set; the search returns 'No DN is found', the peer check reports 'not matched', and IKE logs 'fnbam cert group matching failed' followed by 'authentication failed'. A UPN that differs between the certificate and AD produces the same 'No DN is found' result. Note also 'ocsp_enabled=0' and 'Leaf cert status is unchecked': no revocation check is performed on the user certificate in this configuration, so disabling the AD account is what blocks a lost or compromised user certificate; import the CA's CRL or enable OCSP checking on the FortiGate if that is not sufficient.

2025-10-23 18:33:06.589476 ike V=root:0:fct:9: received peer identifier DER_ASN1_DN 'CN = test1'
2025-10-23 18:33:06.589511 ike V=root:0:fct:9: re-validate gw ID
2025-10-23 18:33:06.589550 ike V=root:0:fct:9: gw validation OK
2025-10-23 18:33:06.589590 ike V=root:0:fct:9: Validating X.509 certificate
2025-10-23 18:33:06.589821 ike V=root:0:fct:9: peer cert, subject='test1', issuer='10.56.242.190'
2025-10-23 18:33:06.589870 ike V=root:0:fct:9: peer ID verified
2025-10-23 18:33:06.589899 ike V=root:0:fct:9: building fnbam peer candidate list
2025-10-23 18:33:06.589925 ike V=root:0:fct:9: FNBAM_GROUP_NAME candidate 'fctipsecdialup'
2025-10-23 18:33:06 [2405] handle_req-Rcvd auth_cert req id=9436254199814, len=2023, opt=6
2025-10-23 18:33:06.598696 ike V=root:0:fct:9: certificate validation pending
2025-10-23 18:33:06 [1161] __cert_auth_ctx_init-req_id=9436254199814, opt=6
2025-10-23 18:33:06 [103] __cert_chg_st- 'Init'
2025-10-23 18:33:06 [201] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
2025-10-23 18:33:06 [839] __cert_init-req_id=9436254199814
2025-10-23 18:33:06 [888] __cert_build_chain-req_id=9436254199814
2025-10-23 18:33:06 [319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
2025-10-23 18:33:06 [337] fnbamd_chain_build-Following depth 0
2025-10-23 18:33:06 [372] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_4')
2025-10-23 18:33:06 [337] fnbamd_chain_build-Following depth 1
2025-10-23 18:33:06 [351] fnbamd_chain_build-Self-sign detected.
2025-10-23 18:33:06 [99] __cert_chg_st- 'Init' -> 'Validation'
2025-10-23 18:33:06 [1010] __cert_verify-req_id=9436254199814
2025-10-23 18:33:06 [1011] __cert_verify-Chain is complete.
2025-10-23 18:33:06 [536] fnbamd_cert_verify-Chain number:2
2025-10-23 18:33:06 [550] fnbamd_cert_verify-Following cert chain depth 0
2025-10-23 18:33:06 [625] fnbamd_cert_verify-Issuer found: CA_Cert_4 (SSL_DPI opt 1)
2025-10-23 18:33:06 [550] fnbamd_cert_verify-Following cert chain depth 1
2025-10-23 18:33:06 [705] fnbamd_cert_check_group_list-checking group with name 'fctipsecdialup'
2025-10-23 18:33:06 [518] __check_add_peer-check 'fctipsecdialup'
2025-10-23 18:33:06 [83] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'fctipsecdialup'
2025-10-23 18:33:06 [348] fnbamd_ldap_get-vfid=0, name='ldap'
2025-10-23 18:33:06 [525] __check_add_peer-'fctipsecdialup' check ret:pending
2025-10-23 18:33:06 [739] fnbamd_cert_check_group_list-LDAP servers
2025-10-23 18:33:06 [742] fnbamd_cert_check_group_list-    'ldap', (Principle-Name), ref=2
2025-10-23 18:33:06 [198] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2025-10-23 18:33:06 [778] fnbamd_cert_check_group_list-Peer users
2025-10-23 18:33:06 [1392] __ldap_tcps_connect-tcps_connect(10.191.1.231) is established. Current state: Connecting.
2025-10-23 18:33:06 [1149] __ldap_auth_ctx_reset-
2025-10-23 18:33:06 [999] __ldap_next_state-State: Connecting -> Admin Binding
2025-10-23 18:33:06 [1407] __ldap_tcps_connect-Start ldap conn timer.
2025-10-23 18:33:06 [1250] __ldap_rxtx-fd 11, state 2(Admin Binding)
2025-10-23 18:33:06 [1252] __ldap_rxtx-Stop ldap conn timer.
2025-10-23 18:33:06 [1261] __ldap_rxtx-
2025-10-23 18:33:06 [472] __ldap_build_bind_req-Binding to 'POING\Administrator'
2025-10-23 18:33:06 [1261] fnbamd_ldap_send-sending 47 bytes to 10.191.1.231
2025-10-23 18:33:06 [1274] fnbamd_ldap_send-Request is sent. ID 1
2025-10-23 18:33:06 [1149] __ldap_auth_ctx_reset-
2025-10-23 18:33:06 [1286] __ldap_rxtx-Start ldap conn auth timer.
2025-10-23 18:33:06 [1250] __ldap_rxtx-fd 11, state 2(Admin Binding)
2025-10-23 18:33:06 [1252] __ldap_rxtx-Stop ldap conn timer.
2025-10-23 18:33:06 [1289] __ldap_rxtx-
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 8
2025-10-23 18:33:06 [1411] fnbamd_ldap_recv-Leftover 2
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 14
2025-10-23 18:33:06 [1484] fnbamd_ldap_recv-Response len: 16, svr: 10.191.1.231
2025-10-23 18:33:06 [1164] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2025-10-23 18:33:06 [1200] fnbamd_ldap_parse_response-ret=0
2025-10-23 18:33:06 [1149] __ldap_auth_ctx_reset-
2025-10-23 18:33:06 [999] __ldap_next_state-State: Admin Binding -> DN Search
2025-10-23 18:33:06 [1354] __ldap_rxtx-Start ldap conn timer.
2025-10-23 18:33:06 [1250] __ldap_rxtx-fd 11, state 4(DN Search)
2025-10-23 18:33:06 [1252] __ldap_rxtx-Stop ldap conn timer.
2025-10-23 18:33:06 [1261] __ldap_rxtx-
2025-10-23 18:33:06 [888] fnbamd_ldap_build_dn_search_req-base:'DC=POING,DC=local' filter:(&(userPrincipalName=test1@POING.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
2025-10-23 18:33:06 [1261] fnbamd_ldap_send-sending 143 bytes to 10.191.1.231
2025-10-23 18:33:06 [1274] fnbamd_ldap_send-Request is sent. ID 2
2025-10-23 18:33:06 [1149] __ldap_auth_ctx_reset-
2025-10-23 18:33:06 [1286] __ldap_rxtx-Start ldap conn auth timer.
2025-10-23 18:33:06 [1250] __ldap_rxtx-fd 11, state 4(DN Search)
2025-10-23 18:33:06 [1252] __ldap_rxtx-Stop ldap conn timer.
2025-10-23 18:33:06 [1289] __ldap_rxtx-
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 8
2025-10-23 18:33:06 [1411] fnbamd_ldap_recv-Leftover 2
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 78
2025-10-23 18:33:06 [1484] fnbamd_ldap_recv-Response len: 80, svr: 10.191.1.231
2025-10-23 18:33:06 [1164] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2025-10-23 18:33:06 [1200] fnbamd_ldap_parse_response-ret=0
2025-10-23 18:33:06 [1289] __ldap_rxtx-
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 8
2025-10-23 18:33:06 [1411] fnbamd_ldap_recv-Leftover 2
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 78
2025-10-23 18:33:06 [1484] fnbamd_ldap_recv-Response len: 80, svr: 10.191.1.231
2025-10-23 18:33:06 [1164] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2025-10-23 18:33:06 [1200] fnbamd_ldap_parse_response-ret=0
2025-10-23 18:33:06 [1289] __ldap_rxtx-
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 8
2025-10-23 18:33:06 [1411] fnbamd_ldap_recv-Leftover 2
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 62
2025-10-23 18:33:06 [1484] fnbamd_ldap_recv-Response len: 64, svr: 10.191.1.231
2025-10-23 18:33:06 [1164] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2025-10-23 18:33:06 [1200] fnbamd_ldap_parse_response-ret=0
2025-10-23 18:33:06 [1289] __ldap_rxtx-
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 8
2025-10-23 18:33:06 [1411] fnbamd_ldap_recv-Leftover 2
2025-10-23 18:33:06 [1305] __fnbamd_ldap_read-Read 14
2025-10-23 18:33:06 [1484] fnbamd_ldap_recv-Response len: 16, svr: 10.191.1.231
2025-10-23 18:33:06 [1164] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
2025-10-23 18:33:06 [1200] fnbamd_ldap_parse_response-ret=0
2025-10-23 18:33:06 [915] __ldap_next_state-No DN is found.
2025-10-23 18:33:06 [1149] __ldap_auth_ctx_reset-
2025-10-23 18:33:06 [999] __ldap_next_state-State: DN Search -> Done
2025-10-23 18:33:06 [392] __cert_ldap_query_cb-LDAP ret=1, server='ldap', req_id=9436254199814
2025-10-23 18:33:06 [271] __cert_resume-req_id=9436254199814
2025-10-23 18:33:06 [99] __cert_chg_st- 'Status-Query' -> 'Done'
2025-10-23 18:33:06 [1098] __cert_done-req_id=9436254199814
2025-10-23 18:33:06 [1559] fnbamd_auth_session_done-Session done, id=9436254199814
2025-10-23 18:33:06 [1144] __fnbamd_cert_auth_run-Exit, req_id=9436254199814
2025-10-23 18:33:06 [1550] __auth_cert_session_done-id=9436254199814
2025-10-23 18:33:06 [1515] auth_cert_success-id=9436254199814
2025-10-23 18:33:06 [1256] fnbamd_cert_auth_copy_cert_status-req_id=9436254199814
2025-10-23 18:33:06 [884] fnbamd_cert_check_matched_groups-checking group with name 'fctipsecdialup'
2025-10-23 18:33:06 [954] fnbamd_cert_check_matched_groups-not matched
2025-10-23 18:33:06 [1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2025-10-23 18:33:06 [1383] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=9436254199814
2025-10-23 18:33:06 [239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 9436254199814, len=2592
2025-10-23 18:33:06.906178 ike V=root:0:fct:9: fnbam cert group matching failed
2025-10-23 18:33:06.906228 ike V=root:0:fct:9: certificate validation failed
2025-10-23 18:33:06.906423 ike V=root:0:fct:9: certificate validation failed
2025-10-23 18:33:06.906570 ike V=root:0:fct:9: auth verify done
2025-10-23 18:33:06.906708 ike V=root:0:fct:9: responder AUTH continuation
2025-10-23 18:33:06.906864 ike V=root:0:fct:9: authentication failed