Created on 06-17-2022 12:54 PM Edited on 11-17-2024 09:45 PM By Anthony_E
Description
This article describes why EAP authentication fails when an LDAP-based user group is referenced in an IKEv2 tunnel configuration.

Scope
FortiGate.

Solution
To enable XAUTH in an IKEv2 configuration, EAP (Extensible Authentication Protocol) must be enabled. EAP carries several authentication methods, such as CHAP, MSCHAP and MSCHAPv2, all of which a RADIUS server can support.
However, there is no standard for EAP over LDAP, and most LDAP servers do not support EAP. If a FortiGate uses LDAP for user authentication, neither CHAP, MSCHAP, nor MSCHAPv2 can be used.
The reason is that during CHAP, MSCHAP, and MSCHAPv2 authentication the client sends a one-way hash derived from the password rather than the password itself, whereas LDAP servers expect the password in clear text.
The FortiGate, acting as the LDAP client, does not hold the user's password and cannot convert the hashed response back into a clear-text password.
So when the FortiGate processes the EAP request, it first lists the RADIUS servers available for that user group. If no RADIUS server is found, it tries itself (127.0.0.1), i.e. its local EAP proxy. The same can be seen in the eap_proxy and fnbamd debugs below.
Debugs:

ike 0: comes 10.15.1.62:500->10.15.3.4:500,ifindex=11,vrf=0....
ike 0:VPN_IKEv2:3: responder preparing EAP identity request
ike 0:VPN_IKEv2:3: responder received EAP msg
ike 0:VPN_IKEv2:3: send EAP message to FNBAM
ike 0:VPN_IKEv2:3: initiating EAP authentication <--- Initiating EAP authentication.
ike 0:VPN_IKEv2: EAP user "testuser"
ike 0:VPN_IKEv2: auth group vpngroup
ike 0:VPN_IKEv2: EAP 197822582 pending
[1909] handle_req-Rcvd auth req 197822582 for testuser in vpngroup opt=00000000 prot=8
[466]__compose_group_list_from_req-Group 'vpngroup',type 1
[617] fnbamd_pop3_start-testuser
[644] fnbamd_cfg_get_radius_list-Loading RADIUS server 'eap_proxy'
[343] fnbamd_create_radius_socket-Opened radius socket 14
[343] fnbamd_create_radius_socket-Opened radius socket 15
[1391] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_dbg_hex_pnt[48] EAP msg from client (13)-02 03 00 0D 01 74 65 73 74 75 73 65 72
[1351] fnbamd_rad_dns_cb-127.0.0.1->127.0.0.1 <--- FortiGate preparing RADIUS request to itself at 127.0.0.1.
[1329] __fnbamd_rad_send-Sent radius req to server 'eap_proxy': fd=14, IP=127.0.0.1(127.0.0.1:1812) code=1 id=6 len=153 user="testuser" using EAP
RADIUS SRV: Received 153 bytes from 127.0.0.1:5894
[320] radius_server_auth-Timer of rad 'eap_proxy' is added
RADIUS SRV: Creating a new session
RADIUS SRV: User-Name - hexdump_ascii(len=8):
[1650] fnbamd_ldap_init-Invalid params
     74 65 73 74 75 73 65 72   testuser
RADIUS SRV: Matching user entry found
RADIUS SRV: NAS-ID - hexdump_ascii(len=9):
     46 47 31 30 30 45 2d 30 31   FG100E-01
RADIUS SRV: CALLING-STATION-ID - hexdump_ascii(len=10):
     31 30 2e 31 35 2e 31 2e 36 32   10.15.1.62
RADIUS SRV: SVC_TYPE - hexdump_ascii(len=9):
     76 70 6e 2d 69 6b 65 76 32   vpn-ikev2
EAP: Server state machine created
RADIUS SRV: New session 0x2 initialized
RADIUS SRV: Received EAP data - hexdump(len=13): 02 03 00 0d 01 74 65 73 74 75 73 65 72

EAP: EAP entering state INITIALIZE
EAP: parseEapResp: rxResp=1 respId=3 respMethod=1 respVendor=0 respVendorMethod=0
CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00
EAP: EAP entering state PICK_UP_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD method=1
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=8):
     74 65 73 74 75 73 65 72   testuser
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 26
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=26
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 4
EAP-MSCHAPV2: Challenge - hexdump(len=16): e6 ef 53 9f 90 2f f3 e0 a0 c0 21 2d 98 bf fb 61

EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
RADIUS SRV: EAP data from the state machine - hexdump(len=33): 01 04 00 21 1a 01 04 00 1c 10 e6 ef 53 9f 90 2f f3 e0 a0 c0 21 2d 98 bf fb 61 68 6f 73 74 61 70

RADIUS SRV: Reply to 127.0.0.1:5894
[1356] fnbamd_auth_handle_radius_result-Timer of rad 'eap_proxy' is deleted
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
fnbamd_dbg_hex_pnt[48] EAP msg from server (33)-01 04 00 21 1A 01 04 00 1C 10 E6 EF 53 9F 90 2F F3 E0 A0 C0 21 2D 98 BF FB 61 68 6F 73 74 61 70 64
[1382] fnbamd_auth_handle_radius_result --> Result for radius svr 'eap_proxy' 127.0.0.1(1) is 2 <--- Radius Challenge.
[217] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 197822582, len=3085
[1781] fnbamd_ldap_pause-
ike 0:VPN_IKEv2:3 EAP 197822582 result 2
ike 0:VPN_IKEv2: EAP challenged for user "testuser" <--- EAP challenge for user.
ike 0:VPN_IKEv2:3: responder preparing EAP pass through message
[1278] freeze_auth_session-

EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=4 respMethod=26 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-MSCHAPV2: Peer-Challenge - hexdump(len=16): 33 5c db 48 b0 71 51 8f ca a6 5a 03 ed 74 6e aa
EAP-MSCHAPV2: Name - hexdump_ascii(len=8):
     74 65 73 74 75 73 65 72   testuser
EAP-MSCHAPV2: User name - hexdump_ascii(len=8):
     74 65 73 74 75 73 65 72   testuser
EAP: EAP entering state WAIT_FNBAM_AUTH
[1909] handle_req-Rcvd auth req 197822583 for testuser in vpngroup opt=00000000 prot=4
[466] __compose_group_list_from_req-Group 'vpngroup', type 1
[617] fnbamd_pop3_start-testuser
[380] radius_start-Didn't find radius servers (0)
[750] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1015] __fnbamd_cfg_get_ldap_list_by_group-
[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap' for usergroup 'vpngroup' (2)
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
[1713] fnbamd_ldap_init-search filter is: SAMAccountName=testuser
[1722] fnbamd_ldap_init-search base is: dc=fortinet,dc=net
[1146] __fnbamd_ldap_dns_cb-Resolved ldap:10.12.12.1 to 10.12.12.1, cur stack size:1
[919] __fnbamd_ldap_get_next_addr-
[1152] __fnbamd_ldap_dns_cb-Connection starts ldap:10.12.12.1, addr 10.12.12.1 <--- Connection to LDAP is established since VPN configuration has LDAP user-group 'vpngroup'.
[755] __ldap_destroy-
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ldap' ctx

EAP-MSCHAPV2: Invalid NT-Response
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 5
EAP-MSCHAPV2: Failure Request Message - hexdump_ascii(len=57):
     45 3d 36 39 31 20 52 3d 30 20 43 3d 30 30 30 30   E=691 R=0 C=0000
     30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
     30 30 30 30 30 30 30 30 30 30 30 30 20 56 3d 33   000000000000 V=3
     20 4d 3d 46 41 49 4c 45 44   M=FAILED
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)

ike 0:VPN_IKEv2:3: waiting for RADIUS response
[48] handle_rad_timeout-rad 'eap_proxy' 127.0.0.1 timed out, resend request.
[1329] __fnbamd_rad_send-Sent radius req to server 'eap_proxy': fd=14, IP=127.0.0.1(127.0.0.1:1812) code=1 id=7 len=213 user="testuser" using EAP
RADIUS SRV: Received 213 bytes from 127.0.0.1:5348
RADIUS SRV: Received data - hexdump(len=213): 01 07 00 d5 d8 e6 ef 3d c7 0e 24 5b 66 89 f1 4b 66 0d 13 a0 20 0b 46 47 31 30 30 45 2d 30 31 18 06 00 00 00 02 01 0a 74 65 73 74 75 73 65 72 4f 45 02 04 00 43 1a 02 04 00 3e 31 33 5c db 48 b0 71 51 8f ca a6 5a 03 ed 74 6e aa 00 00 00 00 00 00 00 00 e9 47 61 d9 f5 43 b7 10 00 82 0b 8e 73 68 ad 24 d5 e7 33 a9 16 b8 b2 a3 00 74 65 73 74 75 73 65 72 08 06 0a 0f 01 3e 05 06 00 00 00 01 3d 06 00 00 00 05 1f 0c 31 30 2e 31 35 2e 31 2e 36 32 2c 0a 30 62 63 61 38 38 37 36 4d 0b 76 70 6e 2d 69 6b 65 76 32 1a 0c 00 00 30 44 03 06 72 6f 6f 74 1a 10 00 00 30 44 01 0a 76 70 6e 67 72 6f 75 70 50 12 9c c7 70 16 99 bc 95 e3 f4 9b e1 2a b9 a6 88 2f

EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=4 respMethod=26 respVendor=0 respVendorMethod=0
EAP: RECEIVED->DISCARD: rxResp=1 respId=4 currentId=5 respMethod=26 currentMethod=26
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
RADIUS SRV: EAP data from the state machine - hexdump(len=66):

RADIUS SRV: Reply to 127.0.0.1:5348
[1356] fnbamd_auth_handle_radius_result-Timer of rad 'eap_proxy' is deleted
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
fnbamd_dbg_hex_pnt[48] EAP msg from server (66)-01 05 00 42 1A 04 04 00 3D 45 3D 36 39 31 20 52 3D 30 20 43 3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 20 56 3D 33 20 4D 3D 46 41 49 4C 45 44
[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 2
[217] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 197822582, len=3118
ike 0:VPN_IKEv2:3 EAP 197822582 result 2
[1278] freeze_auth_session-
ike 0:VPN_IKEv2: EAP challenged for user "testuser"
ike 0:VPN_IKEv2:3: responder preparing EAP pass through message

ike 0:VPN_IKEv2:3: responder received EAP msg
ike 0:VPN_IKEv2:3: send EAP message to FNBAM
ike 0:VPN_IKEv2: EAP 197822582 pending
[2298] handle_req-Rcvd chal rsp for req 197822582
[343] fnbamd_create_radius_socket-Opened radius socket 14
[343] fnbamd_create_radius_socket-Opened radius socket 15
[1391] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_dbg_hex_pnt[48] EAP msg from client (6)-02 05 00 06 1A 04
RADIUS SRV: Received 152 bytes from 127.0.0.1:12111
[1211] send_radius_challenge_rsp-Timer of rad 'eap_proxy' is added
     01 08 00 98 84 68 f2 08 e8 96 c9 3e 17 ee 09 08 8f 53 7c 5e 20 0b 46 47 31 30 30 45 2d 30 31 18 06 00 00 00 02 01 0a 74 65 73 74 75 73 65 72 4f 08 02 05 00 06 1a 04 08 06 0a 0f 01 3e 05 06 00 00 00 01 3d 06 00 00 00 05 1f 0c 31 30 2e 31 35 2e 31 2e 36 32 2c 0a 30 62 63 61 38 38 37 36 4d 0b 76 70 6e 2d 69 6b 65 76 32 1a 0c 00 00 30 44 03 06 72 6f 6f 74 1a 10 00 00 30 44 01 0a 76 70 6e 67 72 6f 75 70 50 12 9a d0 11 17 87 a0 17 e8 93 17 a3 a1 f8 61 28 a3

EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=5 respMethod=26 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-MSCHAPV2: Received Failure Response - authentication failed <--- EAP-MSCHAPV2 authentication failed.
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=5)
CTRL-EVENT-EAP-FAILURE 00:00:00:00:00:00
RADIUS SRV: EAP data from the state machine - hexdump(len=4): 04 05 00 04

RADIUS SRV: Reply to 127.0.0.1:12111
RADIUS SRV: Removing completed session 0x2 after timeout
[1356] fnbamd_auth_handle_radius_result-Timer of rad 'eap_proxy' is deleted
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-04 05 00 04
[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 1
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 197822582, len=3056
[789] destroy_auth_session-delete session 197822582
ike 0:VPN_IKEv2:3 EAP 197822582 result 1
ike 0:VPN_IKEv2: EAP failed for user "testuser" <-- EAP authentication for IKEv2 failed.
ike 0:VPN_IKEv2:3: responder preparing EAP pass through message
ike 0:VPN_IKEv2: connection expiring due to EAP failure <-- IKEv2 failed due to EAP authentication failure.
ike 0:VPN_IKEv2: deleting
ike 0:VPN_IKEv2: deleted

Note: LDAP-based user authentication only works with XAUTH and only supports IPsec IKEv1 by design. If IKEv2 is required, migrate to RADIUS-based user authentication instead.

Related documents:
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
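The two EAP-MSCHAPv2 packets worth reading in the trace above are the Challenge (EAP identifier 4, the 33-byte "EAP msg from server") and the Failure Request (EAP identifier 5, the 66-byte one). The Python parser below is an added example, not part of the original article and not FortiOS code; it decodes those two packets exactly as they appear in the fnbamd debug, following the field layouts of RFC 3748 (EAP) and RFC 2759 (MS-CHAPv2), so that the E=691 code can be read as ERROR_AUTHENTICATION_FAILURE instead of being picked out of raw hex. The byte strings are copied from the debug output; the error-code table is RFC 2759 section 6. The Challenge packet is also the point the article explains: the client answers it with an NT-Response derived from its password hash, which a verifier can only check if it holds the password or its hash, not if all it can do is an LDAP bind.

```python
import re
from dataclasses import dataclass, field

# EAP header codes (RFC 3748) and EAP-MSCHAPv2 op-codes (RFC 2759)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success",
                    4: "Failure", 7: "Change-Password"}
# Failure Request error codes from RFC 2759 section 6
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Packets copied from the fnbamd debug in the article ("EAP msg from server").
# The Failure Request carries a 32-character all-zero C= field; it is written
# as "30 " * 32 here rather than spelling out the 32 bytes.
CHALLENGE_FROM_DEBUG = bytes.fromhex(
    "01 04 00 21 1A 01 04 00 1C 10 E6 EF 53 9F 90 2F F3 E0 A0 C0 21 2D "
    "98 BF FB 61 68 6F 73 74 61 70 64")
FAILURE_FROM_DEBUG = bytes.fromhex(
    "01 05 00 42 1A 04 04 00 3D 45 3D 36 39 31 20 52 3D 30 20 43 3D "
    + "30 " * 32 + "20 56 3D 33 20 4D 3D 46 41 49 4C 45 44")


@dataclass
class EapMsChapV2:
    code: str          # EAP code (Request/Response/...)
    identifier: int    # EAP identifier, matched against the peer's reply
    opcode: str        # MS-CHAPv2 op-code (Challenge/Failure/...)
    ms_id: int         # MS-CHAPv2-ID
    fields: dict = field(default_factory=dict)


def parse_eap_mschapv2(raw: bytes) -> EapMsChapV2:
    """Decode one EAP packet whose type is EAP-MSCHAPv2 (26)."""
    if len(raw) < 9:
        raise ValueError("too short for EAP + MS-CHAPv2 headers")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes received")
    if raw[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP type {raw[4]} is not EAP-MSCHAPv2")
    opcode, ms_id, ms_len = raw[5], raw[6], int.from_bytes(raw[7:9], "big")
    if ms_len != length - 5:  # MS-Length covers everything after the Type byte
        raise ValueError(f"MS-Length {ms_len} inconsistent with EAP length {length}")
    data = raw[9:]
    msg = EapMsChapV2(EAP_CODES.get(code, str(code)), ident,
                      MSCHAPV2_OPCODES.get(opcode, str(opcode)), ms_id)
    if opcode == 1:
        # Challenge: Value-Size (1), Challenge (16), Name (rest). The peer must
        # answer with an NT-Response derived from its NT password hash, so the
        # verifier needs the password or its hash; an LDAP bind cannot check it.
        size = data[0]
        msg.fields["challenge"] = data[1:1 + size].hex()
        msg.fields["name"] = data[1 + size:].decode("ascii", "replace")
    elif opcode == 4:
        # Failure Request: "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<message>"
        text = data.decode("ascii", "replace")
        m = re.fullmatch(r"E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+) M=(.*)", text)
        if not m:
            raise ValueError(f"unrecognised Failure Request text: {text!r}")
        err = int(m.group(1))
        msg.fields.update(
            error_code=err,
            error_name=MSCHAPV2_ERRORS.get(err, "UNKNOWN"),
            retry_allowed=m.group(2) == "1",
            new_challenge=m.group(3).lower(),
            password_change_version=int(m.group(4)),
            message=m.group(5),
        )
    return msg


if __name__ == "__main__":
    for pkt in (CHALLENGE_FROM_DEBUG, FAILURE_FROM_DEBUG):
        print(parse_eap_mschapv2(pkt))
```

Run against the two packets, the parser reports the Challenge as coming from name "hostapd" with the same 16 challenge bytes the EAP-MSCHAPV2 line prints, and the Failure Request as E=691 (ERROR_AUTHENTICATION_FAILURE) with R=0, i.e. no retry offered. That matches the sequence in the debug: the local eap_proxy issued the challenge, fnbamd found no RADIUS server for the group and opened an LDAP connection instead, and the MS-CHAPv2 layer then rejected the NT-Response because nothing on the LDAP path could verify it.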
Copyright 2025 Fortinet, Inc. All Rights Reserved.