FortiGate
jlim11
Staff
Article Id 343237
Description This article demonstrates how to set up FortiClient IPsec VPN access with LDAP as the authentication method.
This example uses IKE version 1 for the IPsec phase1 settings, which is the default IKE version the IPsec VPN Wizard selects for Remote Access.
Scope FortiGate.
Solution

LDAP and user group configuration:

[Image: LDAP Server.PNG]

[Image: User Group.PNG]

[Image: user test.PNG]

After configuring the LDAP server, use the IPsec Wizard to create the VPN:

[Image: Wizard.PNG]

[Image: LDAP-grp-wizard.PNG]


After the IPsec VPN is created with the wizard, the wizard generates the following:

  • Phase 1 VPN tunnel settings (the LDAP user group is under the XAUTH settings).
  • Phase 2 VPN tunnel settings.
  • Firewall policy allowing traffic from the IPsec VPN tunnel to the local network.

[Image: phase1n2cli.PNG]

[Image: firewallpolicycli.PNG]


Testing using the FortiClient machine:

[Image: VPN connected forticlient.PNG]


If the user group is configured under the phase1 settings, the user is not listed in the Firewall Users monitor or in 'diagnose firewall auth list'. Instead, the authenticated user is shown in the Phase 1 status of the VPN tunnel:

diagnose vpn ike gate list

[Image: ike gate list.PNG]

 

The following command can also be used to filter the output:

diagnose vpn ike gate list | grep "name:\|xauth-user"
name: Remote Access_0
xauth-user: vpnuser1

 

The user is only listed in the Firewall Users monitor or in 'diagnose firewall auth list' when the user group is configured on the firewall policy. This is done by selecting 'Inherit from policy' in the IPsec VPN phase1 settings.

[Image: inherit from policy.png]

[Image: firewall users.png]


This is the recommended configuration when there are multiple user groups involved. More information about the configuration can be seen in this KB article: Technical Tip: Using group based firewall policy for Dial-Up VPN to restrict network access.

 

The user group must be configured either in the IPsec Phase 1 settings or in the firewall policy, not in both. If the group is configured in both IPsec Phase 1 and the firewall policy, traffic stops flowing through the IPsec tunnel.
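The CLI equivalent of the two valid placements, as an added example rather than the article's own CLI output. The server, group, base DN, group DN, tunnel name and pool start address are taken from the debug output further down; the bind account, interface names, pool end address and the secrets (shown as placeholders) are assumptions.

```text
# Added example. Assumed: bind account, interface names, pool end, placeholder secrets.
config user ldap
    edit "LDAP-SVR"
        set server "10.149.0.2"
        set cnid "cn"
        set dn "DC=40LABV2,DC=COM"
        set type regular
        set username "CN=ldapbind,CN=Users,DC=40labv2,DC=com"
        set password <bind-password>
    next
end
config user group
    edit "LDAP-GRP"
        set member "LDAP-SVR"
        config match
            edit 1
                set server-name "LDAP-SVR"
                set group-name "CN=VPN-Users,OU=Manila TAC,OU=Fortinet,DC=40labv2,DC=com"
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "Remote Access"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set mode-cfg enable
        set xauthtype auto
# Option A: group checked during XAUTH; the policy below then has no 'groups'
        set authusrgrp "LDAP-GRP"
        set ipv4-start-ip 172.16.20.1
        set ipv4-end-ip 172.16.20.50
        set psksecret <preshared-key>
    next
end
# Option B ('Inherit from policy'): 'unset authusrgrp' in the phase1 above and
# put the group on the firewall policy instead. Use one placement, never both.
config firewall policy
    edit 1
        set srcintf "Remote Access"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
# Option B only; remove this line when the group is set in phase1 (Option A)
        set groups "LDAP-GRP"
    next
end
```

With Option A the user appears only in 'diagnose vpn ike gate list'; with Option B the user also appears in 'diagnose firewall auth list', as described above.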


On the Dashboard, the user can also be viewed by adding an 'XAUTH User' column to the IPsec Monitor widget.

[Image: VPN User dashboard.PNG]

XAUTH happens after the IKEv1 Aggressive Mode message exchange. Run the following commands to observe it:

diagnose debug reset
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable


ike 0:Remote Access:1: received p1 notify type INITIAL-CONTACT
ike 0:Remote Access:1: PSK authentication succeeded
ike 0:Remote Access:1: authentication OK
ike 0:Remote Access:1: NAT not detected
ike 0:Remote Access: mode-cfg allocate 172.16.20.1/0.0.0.0
ike 0:Remote Access: IPv6 pool is not configured
ike 0:Remote Access: adding new dynamic tunnel for 10.47.3.222:500
ike 0:Remote Access_0: tunnel created tun_id 172.16.20.1/::10.0.0.3 remote_location 0.0.0.0
ike 0:Remote Access_0: added new dynamic tunnel for 10.47.3.222:500
ike 0:Remote Access_0:1: established IKE SA d6d1522644fd77e6/4abb8e05cc9778a3
ike 0:Remote Access_0:1: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:Remote Access_0:1: processing INITIAL-CONTACT
ike 0:Remote Access_0: flushing
ike 0:Remote Access_0: flushed
ike 0:Remote Access_0:1: processed INITIAL-CONTACT
ike 0:Remote Access_0:1: initiating XAUTH.
ike 0:Remote Access_0:1: sending XAUTH request

ike 0:Remote Access_0:1: received XAUTH_USER_NAME 'vpnuser1' length 8
ike 0:Remote Access_0:1: received XAUTH_USER_PASSWORD length 12
ike 0:Remote Access_0: XAUTH user "vpnuser1"
ike 0:Remote Access: auth group LDAP-GRP
ike 0:Remote Access_0: XAUTH 772057113 pending
[1909] handle_req-Rcvd auth req 772057113 for vpnuser1 in LDAP-GRP opt=00000000 prot=5

The FortiGate will search the Distinguished Name of the LDAP Server for the Common Name of 'cn=vpnuser1', since 'cn' is the configured Common Name Identifier under the LDAP Server settings.


[750] fnbamd_ldap_build_dn_search_req-base:'DC=40LABV2,DC=COM' filter:cn=vpnuser1

<omitted output>

[2831] fnbamd_ldap_result-Result for ldap svr 10.149.0.2(LDAP-SVR) is SUCCESS
[401] ldap_copy_grp_list-copied CN=VPN-Users,OU=Manila TAC,OU=Fortinet,DC=40labv2,DC=com
[401] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=40labv2,DC=com
[1623] fnbam_user_auth_group_match-req id: 772057113, server: LDAP-SVR, local auth: 0, dn match: 1
[1592] __group_match-Group 'LDAP-GRP' passed group matching
[1595] __group_match-Add matched group 'LDAP-GRP'(2)
[2843] fnbamd_ldap_result-Passed group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 772057113, len=2641
ike 0:Remote Access_0:1: XAUTH 772057113 result FNBAM_SUCCESS
ike 0:Remote Access_0: XAUTH succeeded for user "vpnuser1" group "LDAP-GRP" 2FA=no

 

It is possible to change the Common Name Identifier, depending on the configuration preference and requirement.

Some examples with actual user format:

 

Note:

LDAP-based user authentication is designed to work with XAUTH and IPsec IKEv1.

Because IKEv1 support was removed in FortiClient version 7.4.4, EAP-TTLS can be used with IKEv2 for LDAP authentication instead: EAP-TTLS support for IPsec VPN v7.4.3.

In earlier versions of FortiClient, EAP-MSCHAPv2 was the method used for username and password authentication, and it did not work with LDAP. EAP-TTLS now works with LDAP authentication.

 

Related articles:

Technical Tip: How to configure IPsec remote access with full tunnelling

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Tip: Username format for LDAP authentication

Technical Tip: IKEv2 tunnel fails when LDAP based usergroup is used for EAP