FortiGate
GiannisChari
Staff
Article Id 394380
Description This article describes the configuration required for IPsec dial-up on FortiClient to work with LDAP users.
Scope FortiClient, FortiGate.
Solution

IKEv2, in contrast to IKEv1, uses EAP for user authentication. When the client uses the hash-based EAP-MSCHAPv2 method (the FortiClient default) or EAP-PEAP with inner EAP-MSCHAPv2, the FortiGate cannot perform a regular LDAP bindRequest, because a bind requires the plaintext password. Instead, the FortiGate attempts to retrieve any of the following five attributes for the user:

  • ha1Password
  • userPassword
  • lmPassword
  • ntPassword
  • sambaLmPassword


These attributes allow the FortiGate to validate EAP-MSCHAPv2 or EAP-PEAP authentication attempts. Note that the most popular LDAP implementations (such as Microsoft Active Directory) refuse by default to return these attributes, which makes LDAP-based authentication impossible when EAP-MSCHAPv2 or EAP-PEAP is used.


Starting from FortiClient v7.4.3 onward, EAP-TTLS authentication is supported with IKEv2 and can be used with LDAP authentication: see EAP-TTLS support for IPsec VPN 7.4.3.


Note that a FortiClient EMS subscription is also required to enable the EAP method in the XML configuration of the IPsec tunnel on FortiClient EMS.

The required EAP method can also be enabled by taking a configuration backup of a VPN-only (unlicensed) FortiClient, editing it, and restoring it, as outlined in: Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient.


Example of an LDAP search request for these attributes:

[Screenshot sk1.png: LDAP search request for the five password attributes]

The user needs to have one of these attributes in order to be allowed to authenticate. Here is an example in Active Directory.


Note:

In this field, enter the password value in the selected number base; this is the value that LDAP uses to authenticate the user:

[Screenshot sk2.png: editing the userPassword attribute in Active Directory]

When editing the userPassword attribute, one of four value formats must be selected: Hexadecimal, Binary, Decimal, or Octal. For the text 'Fortinet12', the corresponding hexadecimal value is 46 6F 72 74 69 6E 65 74 31 32. Any online conversion tool can be used to perform the conversion.
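The two checks a practitioner usually wants before enabling EAP-MSCHAPv2 with LDAP are (a) whether the directory actually returns one of the five password attributes for the user, and (b) the hexadecimal form of the value to paste into the userPassword editor. The script below is an added example written for this article, not Fortinet code: it builds an ldapsearch(1) command that requests only those five attributes, parses the (constructed, embedded) LDIF result to report which attributes each user exposes, and converts a plaintext password to and from the hex string shown above. The hostname, bind DN, base DN and user entries are placeholder assumptions.

```python
"""Audit an LDAP directory for the password attributes FortiGate needs
for EAP-MSCHAPv2 / EAP-PEAP, and convert a userPassword value to hex.
Added example; the directory values below are constructed placeholders."""
import base64

# The five attributes the FortiGate tries to read when it cannot bind.
EAP_PASSWORD_ATTRIBUTES = (
    "ha1Password", "userPassword", "lmPassword", "ntPassword", "sambaLmPassword",
)


def build_ldapsearch_command(host, bind_dn, bind_pw, base_dn, username):
    """Return an ldapsearch(1) argv requesting only the five attributes.
    In production prefer '-y <file>' over '-w' so the bind password does
    not appear in process listings; '-w' is kept here for readability."""
    return [
        "ldapsearch", "-x", "-H", f"ldap://{host}", "-D", bind_dn, "-w", bind_pw,
        "-b", base_dn, f"(sAMAccountName={username})", *EAP_PASSWORD_ATTRIBUTES,
    ]


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(ldif_text):
    """Parse LDIF search output into a list of {attribute: [values]} dicts.
    'attr:: <b64>' lines (how ldapsearch prints binary values) are decoded."""
    entries, current = [], {}
    for line in _unfold(ldif_text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def eap_password_attributes_present(entry):
    """Subset of the five attributes that the directory returned for one entry."""
    return [a for a in EAP_PASSWORD_ATTRIBUTES if a in entry]


def audit(ldif_text):
    """Map sAMAccountName -> attributes found. An empty list means the user
    cannot authenticate via EAP-MSCHAPv2/EAP-PEAP against this directory."""
    report = {}
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        report[name] = eap_password_attributes_present(entry)
    return report


def user_password_hex(password):
    """Hex string for the Active Directory userPassword editor,
    e.g. 'Fortinet12' -> '46 6F 72 74 69 6E 65 74 31 32'."""
    return " ".join(f"{b:02X}" for b in password.encode("utf-8"))


def hex_to_password(hex_value):
    """Reverse of user_password_hex, to verify what was pasted."""
    return bytes.fromhex(hex_value).decode("utf-8")


# Constructed sample output: one user exposes userPassword (the base64 of
# 'Fortinet12'), the other exposes none of the five attributes.
SAMPLE_LDIF = """\
# constructed sample, not real directory data
dn: CN=Alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userPassword:: Rm9ydGluZXQxMg==

dn: CN=Bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
"""

if __name__ == "__main__":
    print(" ".join(build_ldapsearch_command(
        "dc.example.test", "CN=svc,CN=Users,DC=example,DC=test", "<bind-password>",
        "DC=example,DC=test", "alice")))
    for user, attrs in audit(SAMPLE_LDIF).items():
        print(f"{user}: {attrs or 'NO password attribute - EAP-MSCHAPv2 will fail'}")
    print(user_password_hex("Fortinet12"))
```

A user that comes back with an empty list is exactly the case the article describes: the FortiGate has nothing to validate the MSCHAPv2 response against, so either the attribute must be populated (as in the Active Directory screenshot) or the tunnel must move to EAP-TTLS on FortiClient 7.4.3 or later.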


Note:

If using MFA, deploy FortiClient v7.4.4 or later versions.

For more details, refer to the compatibility matrix in: Technical Tip: Overview of compatible IKE versions, user authentication methods, and FortiGate/FortiClient firmware versions.


Related articles:

Technical Tip: IKEv2 tunnel fails when LDAP based usergroup is used for EAP
Technical Tip: Multi-Factor Authentication support for Windows
Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient
Troubleshooting Tip: Dialup IPsec VPN with FortiToken fails to connect