If setting CAG RADIUS settings to use CHAP or MS-CHAP1 and 2, FortiAuthenticator logs the error:

Remote LDAP user authentication(chap) with SMS token failed: remote server supports pap only

This is correct behaviour. LDAP authentication involves sending the password to the server and waiting for a success/fail response. If the authenticating server (CAG in this case) sends CHAP of any form, this is only a hash of the password, not the password itself. Sending this to the LDAP will fail as it will not match. For this reason, the plaintext password (PAP) is required.

However, as you are using AD, you have another option.

- In your Remote LDAP Config under Authentication > Remote Auth Servers > LDAP, configure your AD settings under Windows Active Directory Domain Authentication.
- In Authentication > RADIUS Service > Clients, configure CAG to use "All Windows AD users".
- On CAG, set it to send MSCHAP2.

By doing this you are telling FortiAuthenticator to skip LDAP authentication and go to AD to compare password hashes.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
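As an added illustration (not part of the post above, and not Fortinet code), a small Python model of why a CHAP response cannot be checked by a backend that only offers an LDAP simple bind, while a backend holding the credential itself can verify it. The backend classes, the user directory and the challenge bytes are constructed placeholders; plain CHAP (RFC 1994) stands in for MS-CHAPv2 to keep the hashing short.

```python
import hashlib


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


class LdapBindBackend:
    """Models a remote LDAP server: it can only answer a simple bind,
    i.e. 'is this the plaintext password?' (what PAP hands it)."""

    def __init__(self, users: dict):
        self._users = users  # constructed {username: password} directory

    def simple_bind(self, user: str, password: str) -> bool:
        return self._users.get(user) == password


class PasswordStoreBackend:
    """Models AD-style verification: the backend holds the credential itself
    (for MS-CHAPv2 that is the NT hash), so it can recompute the response."""

    def __init__(self, users: dict):
        self._users = users  # constructed {username: password} store

    def simple_bind(self, user: str, password: str) -> bool:
        return self._users.get(user) == password

    def verify_chap(self, user, ident, challenge, response) -> bool:
        pw = self._users.get(user)
        return pw is not None and chap_response(ident, pw, challenge) == response


def radius_authenticate(method: str, backend, user: str, **cred) -> bool:
    """RADIUS-server side: PAP works against any backend; CHAP only where the
    backend can recompute the hash. An LDAP-bind backend cannot, so refuse."""
    if method == "pap":
        return backend.simple_bind(user, cred["password"])
    if method == "chap":
        if not hasattr(backend, "verify_chap"):
            raise NotImplementedError("remote server supports pap only")
        return backend.verify_chap(
            user, cred["ident"], cred["challenge"], cred["response"])
    raise ValueError(f"unknown method {method!r}")
```

Handing the CHAP digest to the LDAP bind as if it were the password is the "will not match" case from the post; the model returns False there rather than guessing.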