Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mle2802
Staff
Staff

Created on ‎09-07-2023 07:54 AM Edited on ‎09-08-2023 06:27 AM By Moderator

Article Id 272614

Technical Tip: Authentication type with IPsec dial-up

Description

This article describes why RADIUS is configured with PAP but IPsec dial-up authentication is still sent using MS-CHAP v2.
Scope

FortiGate.
Solution

A RADIUS server is configured using PAP as the authentication type:

 

show

    config user radius

        edit "Duo-RADIUS"

            set server "172.16.2.1"

            set radius-port 11812

            set auth-type pap

        next

    end

 

However, when running fnbamd debug for IPsec VPN, it is possible to see that the authentication type is sent using MS-CHAPP v2 instead:

 

[1906] handle_req-Rcvd auth req 963834393 for henry@test.com in FortiClient IPSEC Users opt=00000000 prot=5
[466] __compose_group_list_from_req-Group 'FortiClient IPSEC Users', type 1
[616] fnbamd_pop3_start-henry@test.com
[587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'Duo-RADIUS' for usergroup 'FortiClient IPSEC Users' (1)
[342] fnbamd_create_radius_socket-Opened radius socket 13
[342] fnbamd_create_radius_socket-Opened radius socket 14
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-172.16.2.1->172.16.2.1
[1323] __fnbamd_rad_send-Sent radius req to server 'Duo-RADIUS': fd=13, IP=172.16.2.1(172.16.2.1:11812) code=1 id=167 len=213 user="henry@test.com" using MS-CHAPv2

This happens because the xauth type under IPsec configuration is set to 'auto'. It is possible to force the device to use PAP with the following commands:

 

config vpn ipsec phase1-interface

  edit <Tunnel_name>

      set xauthtype pap
end

Note: For the GUI, convert the tunnel to 'custom'. The 'Type' section will then be possible to change in the XAUTH tab.

Untitled.png

 

After that, run the fnbamd debug again. Upon trying to authenticate, PAP will be used accordingly:

 

[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'Duo-RADIUS' 172.16.2.1(1) is 1
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1323] __fnbamd_rad_send-Sent radius req to server 'Duo-RADIUS': fd=13, IP=172.16.2.1(172.16.2.1:11812) code=1 id=169 len=149 user="henry@test.com" using PAP
[319] radius_server_auth-Timer of rad 'Duo-RADIUS' is added
[2612] handle_auth_rsp-Continue pending for req 963834393
[47] handle_rad_timeout-rad 'Duo-RADIUS' 172.16.2.1 timed out, resend request.
[1323] __fnbamd_rad_send-Sent radius req to server 'Duo-RADIUS': fd=13, IP=172.16.2.1(172.16.2.1:11812) code=1 id=169 len=149 user="henry@test.com" using PAP
1535
Suggest New Article
Article Feedback
Comments
dhu2022
Staff
Staff
‎05-22-2024 03:44 PM

This post is very helpful!!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.