Created on 06-02-2025 02:02 AM, edited on 09-17-2025 08:32 AM by Stephen_G
Description: This article explains the configuration required for IPsec dial-up on FortiClient to work with LDAP users.
Scope: FortiClient, FortiGate.
Solution:
IKEv2, in contrast to IKEv1, uses EAP for authentication. When the client uses the hash-based EAP-MSCHAPv2 method (the FortiClient default) or EAP-PEAP (with inner EAP-MSCHAPv2), the FortiGate cannot perform a regular LDAP bindRequest, which requires the plaintext password. Instead, the FortiGate attempts to retrieve any of the following 5 attributes for the user:
These attributes allow the FortiGate to validate EAP-MSCHAPv2 or EAP-PEAP authentication attempts. Note that the most popular LDAP implementations (such as Microsoft's Active Directory) by default refuse to provide such information, thus rendering LDAP-based authentication impossible when EAP-MSCHAPv2 or EAP-PEAP are utilized.
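Why a stored hash attribute is sufficient while a bind is not: the following is an added Go example, not code from the article or from Fortinet, that implements the MS-CHAPv2 NT-Response computation (RFC 2759) and the authenticator-side check that a server such as the FortiGate has to perform. The 16-byte NT hash, the user name and both challenges are constructed sample values (MD4 is not in the Go standard library, so the hash is not derived from a real password).

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// expandDESKey: 7-byte MS-CHAPv2 key fragment -> 8-byte crypto/des key (DES ignores parity bits).
func expandDESKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k8[i] = (k7[i-1] << (8 - uint(i))) | (k7[i] >> uint(i))
	}
	k8[7] = k7[6] << 1
	return k8
}

// challengeHash is the MS-CHAPv2 ChallengeHash (RFC 2759): SHA1(PeerChallenge || AuthChallenge || UserName)[:8].
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// ntResponse computes the 24-byte NT-Response from the 16-byte NT hash (MD4 of the UTF-16LE password).
// Only the hash is needed, never the plaintext: hence the LDAP attribute search instead of a bind.
func ntResponse(ntHash, chal []byte) []byte {
	zpad := make([]byte, 21) // NT hash zero-padded into three 7-byte DES keys
	copy(zpad, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(expandDESKey(zpad[i*7 : i*7+7])) // key is always 8 bytes, so no error
		c.Encrypt(out[i*8:i*8+8], chal)
	}
	return out
}

// verifyNTResponse is the authenticator-side check: recompute from the directory's stored hash and compare.
func verifyNTResponse(storedHash, peer, auth []byte, user string, resp []byte) bool {
	return bytes.Equal(ntResponse(storedHash, challengeHash(peer, auth, user)), resp)
}

func main() { // constructed sample values, not from any real directory or capture
	ntHash := []byte("0123456789abcdef") // stands in for MD4(UTF-16LE(password))
	peer, auth := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)
	resp := ntResponse(ntHash, challengeHash(peer, auth, "alice"))
	fmt.Println("verified against stored hash:", verifyNTResponse(ntHash, peer, auth, "alice", resp))
}
```

If the directory refuses to return the hash attribute (the Active Directory default described above), verifyNTResponse has no storedHash to work from, and the EAP-MSCHAPv2 exchange cannot be completed.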
Starting from FortiClient v7.4.3, EAP-TTLS authentication is supported with IKEv2 and can be used with LDAP authentication: EAP-TTLS support for IPsec VPN 7.4.3.
Note that a FortiClient EMS subscription is also required, because the EAP method is enabled in the XML configuration of the IPsec tunnel on FortiClient EMS.
Example of LDAP searchRequest for these attributes:
The user must have one of these attributes to be allowed to authenticate. Here is an example from Active Directory:
Note: In this field, set the password on the system base selected; this is the value that LDAP uses to authenticate the user:
Related article: Technical Tip: IKEv2 tunnel fails when LDAP based usergroup is used for EAP
Copyright 2025 Fortinet, Inc. All Rights Reserved.