GiannisChari
Staff
Article Id 394380
Description This article explains the configuration required for IPsec dial-up on FortiClient to work with LDAP users.
Scope FortiClient, FortiGate.
Solution

IKEv2, in contrast to IKEv1, uses EAP for authentication. When the client uses a hash-based method such as EAP-MSCHAPv2 (the FortiClient default) or EAP-PEAP (with inner EAP-MSCHAPv2), FortiGate cannot perform a regular LDAP bindRequest, because a bind requires the plaintext password. Instead, FortiGate attempts to retrieve any of the following five attributes for the user:

  • ha1Password
  • userPassword
  • lmPassword
  • ntPassword
  • sambaLmPassword
These attributes allow FortiGate to validate EAP-MSCHAPv2 or EAP-PEAP authentication attempts against the stored password hash. Note that the most widely deployed LDAP implementations (such as Microsoft Active Directory) refuse by default to return such password hashes, which makes LDAP-based authentication impossible when EAP-MSCHAPv2 or EAP-PEAP is used.
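As an added example (not Fortinet's code and not part of this article), the following Python audit reads a directory export in LDIF and reports which user entries carry at least one of the five attributes listed above, so an administrator can see in advance which accounts an EAP-MSCHAPv2 or EAP-PEAP lookup would find nothing for. The LDIF sample, DNs and hash values are constructed placeholders; `build_missing_hash_filter` produces an ldapsearch filter that runs the same check against a live directory.

```python
"""Pre-flight audit: which LDAP users carry a password-hash attribute that FortiGate
can use for EAP-MSCHAPv2 / EAP-PEAP validation. Added example, not Fortinet code."""
import base64
from typing import Dict, List

# The five attributes the article says FortiGate tries to read when the client
# uses a hash-based EAP method instead of a plaintext LDAP bind.
HASH_ATTRIBUTES = ("ha1Password", "userPassword", "lmPassword", "ntPassword", "sambaLmPassword")


def build_missing_hash_filter(user_class: str = "person") -> str:
    """Return an RFC 4515 search filter matching entries of user_class that carry
    none of the hash attributes; usable directly as an ldapsearch filter."""
    absent = "".join(f"(!({attr}=*))" for attr in HASH_ATTRIBUTES)
    return f"(&(objectClass={user_class}){absent})"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    base64 values ('attr:: ...'), skips comments, splits entries on blank lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_entries(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each entry's DN to the hash attributes it carries (LDAP attribute names are
    case-insensitive). An empty list means the FortiGate lookup returns nothing usable."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        names = {k.lower() for k in entry}
        report[dn] = [a for a in HASH_ATTRIBUTES if a.lower() in names]
    return report


def users_without_hash(report: Dict[str, List[str]]) -> List[str]:
    """DNs that would fail EAP-MSCHAPv2 / EAP-PEAP authentication via this LDAP server."""
    return sorted(dn for dn, present in report.items() if not present)


# Constructed sample directory export; the hash values are placeholders, not real hashes.
_ALICE_PW = base64.b64encode(b"{SSHA}placeholder-not-a-real-hash").decode()
SAMPLE_LDIF = f"""
# OpenLDAP-style user with a hashed userPassword (base64-encoded in LDIF)
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: person
uid: alice
userPassword:: {_ALICE_PW}

# Samba-style user exposing LM/NT hashes
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: person
uid: bob
lmPassword: 0123456789ABCDEF0123456789ABCDEF
ntPassword: FEDCBA9876543210FEDCBA9876543210

# Active Directory-style user: AD does not return password hashes over LDAP,
# so none of the five attributes is present in the search result
dn: CN=carol,OU=Users,DC=example,DC=com
objectClass: person
sAMAccountName: carol
"""

if __name__ == "__main__":
    result = audit_entries(parse_ldif(SAMPLE_LDIF))
    for dn, present in result.items():
        print(f"{dn}: {present or 'NO HASH ATTRIBUTE - EAP-MSCHAPv2 lookup will fail'}")
    print("ldapsearch filter:", build_missing_hash_filter())
```

Running the script against a real `ldapsearch -LLL` export (instead of `SAMPLE_LDIF`) lists the accounts that will only authenticate once EAP-TTLS is enabled on the client or the directory is made to expose one of the hash attributes.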
Starting from FortiClient v7.4.3, EAP-TTLS authentication is supported with IKEv2 and can be used together with LDAP authentication: EAP-TTLS support for IPsec VPN 7.4.3.
Note that a FortiClient EMS subscription is also required to enable the EAP method in the XML configuration of the IPsec tunnel on FortiClient EMS.

The required EAP method can also be enabled on the VPN-only (unlicensed) FortiClient by taking a configuration backup, editing it, and restoring it, as outlined here: Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient.
Example of an LDAP search request for these attributes:
[Image sk1.png: LDAP search request for the password hash attributes]
The user must have at least one of these attributes to be allowed to authenticate. Here is an example from Active Directory.

Note: set the password in this field for the base system selected; this is the value that LDAP uses to authenticate the user:
[Image sk2.png: Active Directory user attribute holding the password value used for LDAP authentication]
Note: FortiClient v7.4.4 and later do not support IKEv1. If planning to deploy FortiClient v7.4.4 or later, ensure that IKEv2 is configured.
Related articles:

Technical Tip: IKEv2 tunnel fails when LDAP based usergroup is used for EAP
Technical Tip: Multi-Factor Authentication support for Windows
Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient