Hey everyone,
I recently attempted to set up Dial-Up VPN authentication using TOTPRadius in combination with an LDAP server and TOTP (Time-Based One-Time Password). TOTPRadius acts as a Proxy-RADIUS server and integrates LDAP authentication with TOTP for two-factor authentication.
The setup process was based on the information provided by Token2's guide, which primarily explains how to configure TOTPRadius for admin login but does not explicitly mention VPN authentication. The Test Authentication worked, but in combination with the VPN it doesn't.
The Problem:
When trying to authenticate a Dial-Up VPN client using FortiGate and TOTPRadius, the authentication fails with the following error message from the TOTPRadius Server shown in Wireshark:
Initial login not allowed; Empty password provided for user <blank-user>; Terminating process with Reject message
This suggests that the FortiGate did not transmit the user’s password when performing VPN RADIUS authentication.
IKEv2 does not allow for PAP authentication by design...
I wish I had done my research before this post, but as the above says, IKEv2 does not allow for PAP authentication, and TOTPRadius, as a Proxy-RADIUS, uses PAP to simply cut the password part and the TOTP part apart for the authentication. Which means you either use IKEv1 (which has been deemed deprecated and unsafe since 2019 by the IETF, https://datatracker.ietf.org/doc/rfc9395/ ) or just don't.
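An added example (not code from the thread, from Token2 or from Fortinet) that shows the mismatch described above on the wire. It builds two RADIUS Access-Requests by hand: one as a PAP client sends it, with User-Password (attribute 2) carrying the LDAP password followed by the OTP, and one as an EAP pass-through such as FortiGate IKEv2 EAP sends it, carrying EAP-Message (79) and Message-Authenticator (80) but no User-Password at all. A function that does what a password-splitting proxy is described as doing then gets the password and the OTP out of the first request and has nothing to split in the second. The shared secret, the user, the fixed Request Authenticator and the "trailing 6 digits are the OTP" rule are assumptions of the example.

```python
import hashlib
import hmac
import struct

ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
OTP_LEN = 6  # assumption: the OTP is the trailing 6 digits of User-Password

SECRET = b"example-shared-secret"   # constructed for this example
AUTHENTICATOR = bytes(range(16))    # fixed for reproducibility; real clients use 16 random bytes


def _attr(atype, value):
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_password_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_password_decrypt(blob, secret, authenticator):
    """Inverse of pap_password_encrypt; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(attrs, secret, authenticator, pkt_id=1, sign=False):
    """Code 1 Access-Request; sign=True appends Message-Authenticator (RFC 3579 3.2)."""
    body = b"".join(attrs)
    if sign:
        placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        hdr = struct.pack("!BBH", 1, pkt_id, 20 + len(body) + len(placeholder)) + authenticator
        body += _attr(ATTR_MESSAGE_AUTHENTICATOR,
                      hmac.new(secret, hdr + body + placeholder, hashlib.md5).digest())
    return struct.pack("!BBH", 1, pkt_id, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    """Return {type: [values]} for the attributes after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 over the packet with the attribute's 16 value bytes zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent


def proxy_view(packet, secret):
    """What a PAP-splitting proxy can work with: (user, ldap_password, otp) or a reject reason."""
    attrs = parse_attrs(packet)
    user = attrs.get(ATTR_USER_NAME, [b""])[0].decode()
    if ATTR_USER_PASSWORD not in attrs:
        # The thread's failure: an EAP pass-through carries EAP-Message, never User-Password.
        carried = "EAP-Message" if ATTR_EAP_MESSAGE in attrs else "no credential attribute"
        return f"Empty password provided for user {user!r} (request carries {carried})"
    clear = pap_password_decrypt(attrs[ATTR_USER_PASSWORD][0], secret, packet[4:20]).decode()
    if len(clear) <= OTP_LEN or not clear[-OTP_LEN:].isdigit():
        return f"Password for {user!r} has no trailing {OTP_LEN}-digit OTP"
    return user, clear[:-OTP_LEN], clear[-OTP_LEN:]


def pap_request():
    """As a PAP client sends it: User-Password = LDAP password + OTP (constructed values)."""
    pw = pap_password_encrypt(b"Winter2025!" + b"123456", SECRET, AUTHENTICATOR)
    return build_access_request([_attr(ATTR_USER_NAME, b"MG4"), _attr(ATTR_USER_PASSWORD, pw)],
                                SECRET, AUTHENTICATOR)


def eap_request():
    """As an EAP pass-through sends it: EAP-Response/Identity (code 2, type 1) inside attribute 79."""
    eap = struct.pack("!BBHB", 2, 0x9D, 4 + 1 + 3, 1) + b"MG4"
    return build_access_request([_attr(ATTR_USER_NAME, b"MG4"), _attr(ATTR_EAP_MESSAGE, eap)],
                                SECRET, AUTHENTICATOR, pkt_id=94, sign=True)


if __name__ == "__main__":
    print(proxy_view(pap_request(), SECRET))   # ('MG4', 'Winter2025!', '123456')
    print(proxy_view(eap_request(), SECRET))   # Empty password provided for user 'MG4' ...
```

The second request is well-formed and correctly signed, so nothing about it is "broken" from the RADIUS point of view: the FortiGate simply never holds a password it could put into User-Password on the IKEv2 EAP path, and the proxy has nothing to split. verify_message_authenticator is the same HMAC-MD5 check the fnbamd log below refers to with "The Message Authenticator validation is mandatory now", applied here to the request side.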
Hi MG4
On your FGT > RADIUS server config, does "Test user credentials" work successfully?
Yeah, it worked perfectly.
hm we do IPSec dialup with a FortiAuthenticator as radius server.
All we did was set up FAC as radius server and set up groups and users there.
Then deploy the radius server to the FortiGates and also deploy the necessary radius groups.
Then create the ipsec dialup and set xauth to use the radius group.
TOTP in this case is completely handled by the Authenticator.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi MG4
Can you share your phase1 config?
Also try debugging with the below (try to use a filter for ike):
diag debug app fnbamd -1
diag debug app ike -1
diag debug enable
Created on 02-20-2025 11:00 PM Edited on 02-20-2025 11:09 PM
Hi AEK,
Here is the phase1 config:
FG-100F (FC-LDAP-AUTH) # get
name : FC-LDAP-AUTH
type : dynamic
interface : ppp0
ip-version : 4
ike-version : 2
local-gw : 0.0.0.0
keylife : 86400
authmethod : psk
authmethod-remote :
peertype : any
monitor-min : 0
net-device : disable
exchange-interface-ip: disable
aggregate-member : disable
packet-redistribution: disable
mode-cfg : enable
ipv4-dns-server1 : 172.16.2.20
ipv4-dns-server2 : 0.0.0.0
ipv4-dns-server3 : 0.0.0.0
internal-domain-list:
ipv4-wins-server1 : 0.0.0.0
ipv4-wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-dns-server3 : ::
proposal : aes256-sha256 aes256-sha384
add-route : enable
localid :
localid-type : auto
negotiate-timeout : 30
fragmentation : enable
ip-fragmentation : post-encapsulation
dpd : on-demand
comments : VPN: FC-LDAP-AUTH
npu-offload : enable
dhgrp : 15
suite-b : disable
eap : enable
eap-identity : send-request
acct-verify : disable
ppk : disable
wizard-type : custom
reauth : disable
authusrgrp : VPN-Local-Group
idle-timeout : disable
ha-sync-esp-seqno : enable
fgsp-sync : disable
inbound-dscp-copy : disable
auto-discovery-sender: disable
auto-discovery-receiver: disable
auto-discovery-forwarder: disable
encapsulation : none
nattraversal : enable
fragmentation-mtu : 1200
childless-ike : disable
azure-ad-autoconnect: disable
client-resume : disable
rekey : enable
enforce-unique-id : disable
fec-egress : disable
fec-ingress : disable
network-overlay : disable
dev-id-notification : disable
link-cost : 0
kms :
exchange-fgt-device-id: disable
ems-sn-check : disable
qkd : disable
transport : udp
remote-gw-match : any
default-gw : 0.0.0.0
default-gw-priority : 0
assign-ip : enable
assign-ip-from : name
ipv4-netmask : 255.255.255.0
dns-mode : manual
ipv4-split-include : FC-LDAP-AUTH_split
split-include-service:
ipv4-name : FC-LDAP-AUTH_range
ipv6-prefix : 128
ipv6-split-include :
ipv6-name :
ip-delay-interval : 0
ipv4-split-exclude :
save-password : enable
client-auto-negotiate: disable
client-keep-alive : disable
psksecret : *
keepalive : 10
distance : 15
priority : 1
dpd-retrycount : 3
dpd-retryinterval : 20
And here is the log:
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 172.16.10.166
diag debug app fnbamd 255
diag debug app ike -1
diag debug enable
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=601....
ike V=root:0: IKEv2 exchange=SA_INIT id=d264b77317af4890/0000000000000000 len=601
ike 0: in D264B77317AF489000000000000000002120220800000000000002592200005C0200002C010100040300000C0100000C800E01000300000802000005030000080300000C000000080400000F00000
02C020100040300000C0100000C800E01000300000802000006030000080300000D000000080400000F28000188000F0000E63DD5849D4A36212FA996D46310AA07CED1235591D17AED94C220836A64BF436C66
48C20D111776F4F9101C26BC457EC8C3A858BEAF4DF4D5C7302864DD6B1CF894FCC5343410372411DF9158724E4A71D36EE283F869BF2E2A28F21A59FC3B3110FAD29DF54FF468B58B76CB03CF2D9B016CE5449
8CC115933A82E000A3560CE4357E3604C6680CD9DB2A45B5C5A1F2C56B5DF61EA3359A47FE10A364263FBD27C63A5BEC9CDF2A426AF01A5ADF00783896DE8C81F4CACBBDE9D2715DD60A018EF5C393F0763726D
285796FAAD9C946B3AC9A49E55CFFD735C0531403B002A873ED5FAE12CF1F49A38F8074181948C2A7FC801E61FFA14FBE5AD71F9900242E9B26667124DBB2F4915BA61089BB87384E09E111AD9EFAE601A726C7
16916AEA5273E4A643BA75FC2BF9480B15AC38B73CDF3B18FADE29E9546CF725BC71943A4C368359064E29E3B217F31532433955AFA8F0934EA61F6EBBBB7EB2B9353AE28507824BE7850822027AADA6736E139
905CCCE69EBF4FEA06C57FF54BA85B0D2B0000149E4EA79B448C675830940C341E4570302B000014<FC-License>2B000014<VID Fortinet Endpoint Control>29000014C1DC435
0476B98A429B91781914CA43E000000090000F05000
ike V=root:0:d264b77317af4890/0000000000000000:338565: responder received SA_INIT msg
ike V=root:0:d264b77317af4890/0000000000000000:338565: VID forticlient connect license <FC-License>
ike V=root:0:d264b77317af4890/0000000000000000:338565: VID Fortinet Endpoint Control <VID Fortinet Endpoint Control>
ike V=root:0:d264b77317af4890/0000000000000000:338565: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E
ike V=root:0:d264b77317af4890/0000000000000000:338565: received notify type VPN_NETWORK_ID
ike V=root:0:d264b77317af4890/0000000000000000:338565: NETWORK ID : 0
ike V=root:0:d264b77317af4890/0000000000000000:338565: incoming proposal:
ike V=root:0:d264b77317af4890/0000000000000000:338565: proposal id = 1:
ike V=root:0:d264b77317af4890/0000000000000000:338565: protocol = IKEv2:
ike V=root:0:d264b77317af4890/0000000000000000:338565: encapsulation = IKEv2/none
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=DH_GROUP, val=MODP3072.
ike V=root:0:d264b77317af4890/0000000000000000:338565: proposal id = 2:
ike V=root:0:d264b77317af4890/0000000000000000:338565: protocol = IKEv2:
ike V=root:0:d264b77317af4890/0000000000000000:338565: encapsulation = IKEv2/none
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=PRF, val=PRF_HMAC_SHA2_384
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=DH_GROUP, val=MODP3072.
ike V=root:0:d264b77317af4890/0000000000000000:338565: matched proposal id 1
ike V=root:0:d264b77317af4890/0000000000000000:338565: proposal id = 1:
ike V=root:0:d264b77317af4890/0000000000000000:338565: protocol = IKEv2:
ike V=root:0:d264b77317af4890/0000000000000000:338565: encapsulation = IKEv2/none
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:d264b77317af4890/0000000000000000:338565: type=DH_GROUP, val=MODP3072.
ike V=root:0:d264b77317af4890/0000000000000000:338565: lifetime=86400
ike V=root:0:d264b77317af4890/0000000000000000:338565: SA proposal chosen, matched gateway VPN2-PSK
ike V=root:0:01K06-PSK:01K06-PSK: created connection: 0xafc7690 23 <WAN-IP>->172.16.10.166:500.
ike V=root:0:01K06-PSK:338565: FEC vendor ID received FEC but IP not set
ike 0:01K06-PSK:338565: FCT EAP 2FA extension vendor ID received
ike V=root:0:01K06-PSK:338565: responder preparing SA_INIT msg
ike V=root:0:01K06-PSK:338565: generate DH public value request queued
ike V=root:0:01K06-PSK:338565: responder preparing SA_INIT msg
ike V=root:0:01K06-PSK:338565: compute DH shared secret request queued
ike V=root:0:01K06-PSK:338565: responder preparing SA_INIT msg
ike V=root:0:01K06-PSK:338565: create NAT-D hash local <WAN-IP>/500 remote 172.16.10.166/500
ike 0:01K06-PSK:338565: out D264B77317AF4890717371AE441C596B212022200000000000000220220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C000
000080400000F28000188000F000059401F357E510BBE38BC9500967BADD7482027D3025C07261A7EC649B4F3CD8D120697A844BEE1532AF06FE28B3CF220820F552BCB4D60188DF3C08CC5BB7B67F579995EBF
9E46197D738997980417B587CF9A8212724F9BE02354B6D3DEE153E2C5CD7913794F582427F8282485D72E268270AE145593241CED12C491F01953D1842C09D6614BA302A6E783E700B44260068F69C54033F22
5FFC7E2A94D7C35313D76E3C5366639CE6E701C5F87BC01DB755AA4EA53B3D4BC9258EC5C69F9133876772762DEBB05CF9DF012A97ABEB363B38307922D1B151578AFC62B25A80F979603229AE8504AF2E4FD83
88EE9E70C080580737E0CEC19AC510DD12D03C53BC7ECE35B47E39E6F2B4096846396437D89D2FD0C30C086D9CE4AE158C8B8322B1B1B099182D8FD67457E6C9AF9404F76E82C5913869A0F80AF665DECA66F3D
E4A506D75984FF82264D5CF5D9FA2A86222800B7AC8A01561CC60B399FB843DFC05EE3EF5D3DA7BB1A47C37886B95A4EB5D084A57D8FF0404349CE8979848C2E7290000146336DE9BDE5990DF46FC42B3315C96
302900001C000040044AF6B7403C3968D587A29954C3EF0C83634F49E20000001C00004005D049DBA949FAA3E396829AEA2B526859296CE051
ike V=root:0:01K06-PSK:338565: sent IKE msg (SA_INIT_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=544, vrf=0, id=d264b77317af4890/717371ae441c596b, oif=23
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_ei 32:89B134FD50499BA0A49EDFC835E83F727A782C1EE0A956910B135F53C25FC89E
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_er 32:B182EA174B1AB1FCE6BE791897C0C0E68FC0DC805EAB91CEB2C620F15217D5BC
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_ai 32:78334DD9DB293531B64A8417160F5062DB7AD7D71BA8A3500CB8328F134EB716
ike 0:01K06-PSK:338565: IKE SA d264b77317af4890/717371ae441c596b SK_ar 32:FEDF3262669931DA1EF9F3F3B9C269A85CD788951730C629A500488A0181DE31
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=672....
ike V=root:0: IKEv2 exchange=AUTH id=d264b77317af4890/717371ae441c596b:00000001 len=672
ike 0: in D264B77317AF4890717371AE441C596B2E20230800000001000002A023000284F68B9619439A3FE5871C488F60B2433D1AEA9E2E7C0FD00DB4D7C77D23E02F4F7CDC2F93D0C71608B6F1FF08C593E
80DA46331F5EB10C6D5B6BF5F09B56AB8EFD32655AFFF202C0F80AAB28CEE791093347ABF0C95FF30ADB48F22E4F1F7D5CB4DA9E740E4EF99E2F4C0FB230FFC66AC9E1EBDDA89D52B388ACB8420A961EE6840FB
F9EC7E2C9E11922B321B6CD5243DADEA8AA2BCE6C63CCDA4D65A601E7D249FA84059C8D1A38C1CF8B8D10C96923BF2C8EFBEFFFBE3E9367058F8F8BF7B2D987043183B145F99F39456D0D23C11E43131D6BE60F
05C7F3CB21F3CB2E8ABC3C8009CC7790EBD0CECFCBE3BD6B76FC3DA76FC18E015237232B526CE65ED1E126C0A05BDFD9E846990C67744A3ED8D7907CAF5D5E6CB5D4EC669929380DB0B9A170C22BDF9560D8D60
1A64A867053E0B5A61C466E022B114CB48C4DB1173764C984436D9FEF0DDDCFEEE4662BE427BF84FA714DAB2CC88DE88159B9BE52FF77A35ED21D776DEF455935306C3DAC319C237DF91706E70934169023C760
3DC344BD3B2F13535DF2E4BF7B92F965AC4FE5742B275AE9D7483DECDEFBBC2731ED9B3EA9D84E7C07CFAA5FDCD7E82FF020BDC708648E4F16D630BF10E16DCCB0562BC81BCA4FC3D162CDADB65212007C5C9F8
5F989FFAD38297F13859B3312E6AC16BFB1348AC56B61DDC79ED236C51DE02C7F4A2C10CAC5A07C8026EDC3A861CC5720B8A695BB7EDFAEA3DBC50EC5E25DD591BD453C042723BCFC5132A25D4AF522CE563134
6643276AC7ED716B04496F293F68B09999498967E6070D41187B6CA3C012A62516B77B02F2A6D2022F8142BE19B40D9CDF3F95AE0DCD090EA8437907490BE559C33E1E250BF5D94AF7A518A1085DFA89FAF5574
402869218F9CC049B4
ike 0:01K06-PSK:338565: dec D264B77317AF4890717371AE441C596B2E2023080000000100000276230000042900000C01000000AC100AA629000008000040002F0001620000F1005645523D310A4643545
645523D372E342E322E313733370A5549443D42353437333746454532374234303743384141313045384530353141393131330A49503D3139322E3136382E3234352E310A4D41433D30302D32622D36372D3530
2D32632D30633B63302D62382D38332D30632D36352D62313B63302D62382D38332D30632D36352D62323B63322D62382D38332D30632D36352D62313B39302D62342D38632D35372D35362D35393B0A484F535
43D4E422D3032310A555345523D737570706F727432310A4F535645523D4D6963726F736F66742057696E646F77732031312050726F66657373696F6E616C2045646974696F6E2C2036342D6269742028627569
6C64203236313030290A5245475F5354415455533D300A454D53534E3D464354454D53383832343030323230360A454D5349443D303030303030303030303030303030303030303030303030303030303030303
00A002100005C01000000000700104643543830303137363539373235393000010000000200000003000000040000000D00000019000000080000000F0000000A0000000B000070010000540A0000540B000070
00000070060000001900002C0000540200002801030403DC66EBF40300000C0100000C800E0100030000080300000C00000008050000000000002802030403DC66EBF40300000C0100000C800E0100030000080
300000D00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
ike V=root:0:01K06-PSK:338565: responder received AUTH msg
ike V=root:0:01K06-PSK:338565: processing notify type INITIAL_CONTACT
ike V=root:0:01K06-PSK:338565: processing notify type FORTICLIENT_CONNECT
ike V=root:0:01K06-PSK:338565: received FCT data len = 346, data = 'VER=1
FCTVER=7.4.2.1737
UID=<UID>
IP=192.168.245.1
MAC=<MAC>
HOST=NB-021
USER=MG4
OSVER=Microsoft Windows 11 Professional Edition, 64-bit (build 26100)
REG_STATUS=0
EMSSN=<EMS-SN>
EMSID=00000000000000000000000000000000
'
ike V=root:0:01K06-PSK:338565: received FCT-UID :<FCT-UID>
ike V=root:0:01K06-PSK:338565: received EMS SN : <EMS-SN>
ike V=root:0:01K06-PSK:338565: received EMS tenant ID : 00000000000000000000000000000000
ike V=root:0:01K06-PSK:338565: peer identifier IPV4_ADDR 172.16.10.166
ike V=root:0:01K06-PSK:338565: re-validate gw ID
ike V=root:0:01K06-PSK: change phase1 profile to FC-LDAP-AUTH
ike V=root:0:FC-LDAP-AUTH:338565: gw validation OK
ike V=root:0:FC-LDAP-AUTH:338565: responder preparing EAP identity request
ike 0:FC-LDAP-AUTH:338565: enc 2700000C01000000D43CE97130000028020000003AF99A176AE7DA893120C04EC75BAF7328E450866CE3CEB5048AE560A45B553300000009019D000501020102
ike 0:FC-LDAP-AUTH:338565: out D264B77317AF4890717371AE441C596B2E2023200000000100000080240000649F2CB5D1EFA4FA1A118F897F0B4AFE517DB24607642C3924F756D3AA4325AEE2953BDE86
347023A104B2DEDBD30FF4AD3D8E150985F75D0BA50D6022561C997BBD2006716F9FC8493F4EA85E5F480A06D10C1F604A8BFFCE98B550D630E35EE5
ike V=root:0:FC-LDAP-AUTH:338565: sent IKE msg (AUTH_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=128, vrf=0, id=d264b77317af4890/717371ae441c596b:00000001, oif=23
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=96....
ike V=root:0: IKEv2 exchange=AUTH id=d264b77317af4890/717371ae441c596b:00000002 len=96
ike 0: in D264B77317AF4890717371AE441C596B2E202308000000020000006030000044C5C6EDC787485C36181630447BFB640CCA1E81B827BEFC9AFCDF1EE757CF94C25FFFD2F5E172A195B178CD38BECBF
8CED9A1B831417C1DFBA05AE43203BA9BE3
ike 0:FC-LDAP-AUTH:338565: dec D264B77317AF4890717371AE441C596B2E20230800000002000000323000000400000012029D000E01737570706F72743231
ike V=root:0:FC-LDAP-AUTH:338565: responder received EAP msg
ike V=root:0:FC-LDAP-AUTH:338565: send EAP message to FNBAM
ike V=root:0:FC-LDAP-AUTH:338565: initiating EAP authentication
ike V=root:0:FC-LDAP-AUTH: EAP user "MG4"
ike V=root:0:FC-LDAP-AUTH: EAP 1000760094741 pending
[1757] handle_req-Rcvd auth req 1000760094741 for MG4 in VPN-Local-Group opt=00000000 prot=7 svc=9
[333] __compose_group_list_from_req-Group 'VPN-Local-Group', type 1
[508] create_auth_session-Session created for req id 1000760094741
[590] fnbamd_cfg_get_tac_plus_list-
[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[557] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'VPN-Local-Group'
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[756] __fnbamd_cfg_get_ldap_list_by_group-
[856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 0
[416] ldap_start-Didn't find ldap servers
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[844] __fnbamd_cfg_get_radius_list_by_group-
[858] __fnbamd_cfg_get_radius_list_by_group-Group 'VPN-Local-Group'
[376] verify_local_user_match_and_update-Found a matching user in CMDB 'MG4'
[456] fnbamd_rad_get-vfid=0, name='TOTPRadius'
[805] __rad_auth_ctx_insert-Loaded RADIUS server 'TOTPRadius'
[877] __fnbamd_cfg_get_radius_list_by_group-Loaded RADIUS server 'TOTPRadius' for user 'MG4' in usergroup 'VPN-Local-Group' (14)
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot EAP
[1107] __auth_ctx_svr_push-Added addr 172.16.10.231:1812 from rad 'TOTPRadius'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'TOTPRadius': 172.16.10.231:1812.
[1125] __auth_ctx_start-Connection starts TOTPRadius:172.16.10.231, addr 172.16.10.231:1812 proto: UDP
[280] __rad_udp_open-Opened radius socket 10, sa_family 2
[945] __rad_conn_start-Socket 10 is created for rad 'TOTPRadius'.
[807] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'VPN-Local-Group'
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1900] handle_req-r=4
[828] __rad_rxtx-fd 10, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[605] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (14)-02 9D 00 0E 01 73 75 70 70 6F 72 74 32 31
[588] __create_access_request-Created RADIUS Access-Request. Len: 141.
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 172.16.10.231:1812, source address is null, protocol number is 17, oif id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'TOTPRadius': fd=10, IP=172.16.10.231(172.16.10.231:1812) code=1 id=94 len=141
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 10, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 80 bytes. Buf sz 8192
[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1148] __rad_chk_resp_authenticator-ret=0
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 11
[912] __rad_rxtx-
[1286] fnbamd_rad_process-Result from radius svr 'TOTPRadius' is 2, req 1000760094741
fnbamd_dbg_hex_pnt[49] EAP msg from server (22)-01 9E 00 16 04 10 39 93 7F 9E 4F 73 7A EB 7E CA 8C E8 B2 9C FE 07
[1485] fnbamd_rad_process-Challenged: 1, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 16
[239] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 1000760094741, len=6710
ike V=root:0:FC-LDAP-AUTH:338565 EAP 1000760094741 result FNBAM_CHALLENGED
ike V=root:0:FC-LDAP-AUTH: EAP challenged for user "MG4"
ike V=root:0:FC-LDAP-AUTH:338565: responder preparing EAP pass through message
ike 0:FC-LDAP-AUTH:338565: enc 0000001A019E0016041039937F9E4F737AEB7ECA8CE8B29CFE07050403020105
ike 0:FC-LDAP-AUTH:338565: out D264B77317AF4890717371AE441C596B2E202320000000020000006030000044D36D72CC7AB48368B8A0CE4BA15049986A4AB2EB290315524CE4CFCD745E6EF4F78167C2
0EF12AA5A3C66544ECDF1B544AFC9B5539EADA451207E08A17336944
ike V=root:0:FC-LDAP-AUTH:338565: sent IKE msg (AUTH_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=96, vrf=0, id=d264b77317af4890/717371ae441c596b:00000002, oif=23
[1251] fnbamd_rad_pause-Pausing TOTPRadius:172.16.10.231.
[1255] fnbamd_rad_pause-Stop rad conn timer.
[784] __rad_del_job_timer-
[1259] freeze_auth_session-
ike V=root:0: comes 172.16.10.166:500-><WAN-IP>:500,ifindex=23,vrf=0,len=80....
ike V=root:0: IKEv2 exchange=AUTH id=d264b77317af4890/717371ae441c596b:00000003 len=80
ike 0: in D264B77317AF4890717371AE441C596B2E202308000000030000005030000034CE1B910E2A57C3CBF5E5C45049EF84FD6CB18D6D82E19C0550786F7734C437A4AB468DEBB456B6322EFB59A464948
00A
ike 0:FC-LDAP-AUTH:338565: dec D264B77317AF4890717371AE441C596B2E202308000000030000002B300000040000000B029E0007031A06
ike V=root:0:FC-LDAP-AUTH:338565: responder received EAP msg
ike V=root:0:FC-LDAP-AUTH:338565: send EAP message to FNBAM
ike V=root:0:FC-LDAP-AUTH: EAP 1000760094741 pending
[2336] handle_req-Rcvd chal rsp for req 1000760094741
[1276] unfreeze_auth_session-
[1056] fnbamd_auth_send_chal_rsp-svr_type=2, idx=0
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[1330] fnbamd_rads_resume-
[1292] fnbamd_rad_resume-TOTPRadius:172.16.10.231, addr 172.16.10.231
[1315] fnbamd_rad_resume-state 2.
[807] __rad_add_job_timer-
[828] __rad_rxtx-fd 10, state 2(Challenged)
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[677] fnbamd_rad_make_chal_request-
[328] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (7)-02 9E 00 07 03 1A 06
[588] __create_access_request-Created RADIUS Access-Request. Len: 152.
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 172.16.10.231:1812, source address is null, protocol number is 17, oif id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'TOTPRadius': fd=10, IP=172.16.10.231(172.16.10.231:1812) code=1 id=95 len=152
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 10, state 2(Challenged)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 44 bytes. Buf sz 8192
[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1148] __rad_chk_resp_authenticator-ret=0
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 3
[1028] __rad_error-Ret 1, st = 2.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot ??
[1077] __rad_error-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[1286] fnbamd_rad_process-Result from radius svr 'TOTPRadius' is 1, req 1000760094741
fnbamd_dbg_hex_pnt[49] EAP msg from server (4)-04 9E 00 04
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[887] update_auth_token_session-mfa_mandatory is off, only success results may require 2fa
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1000760094741, len=6692
ike V=root:0:FC-LDAP-AUTH:338565 EAP 1000760094741 result FNBAM_DENIED
ike V=root:0:FC-LDAP-AUTH: EAP failed for user "MG4"
[1347] fnbamd_rads_destroy-
ike V=root:0:FC-LDAP-AUTH:338565: responder preparing EAP pass through message
[516] fnbamd_rad_auth_ctx_free-Freeing 'TOTPRadius' ctx
ike 0:FC-LDAP-AUTH:338565: enc 00000008049E00040706050403020107
[1219] fnbamd_rad_auth_ctx_uninit-
ike 0:FC-LDAP-AUTH:338565: out D264B77317AF4890717371AE441C596B2E20232000000003000000503000003456EBF8D8B71B7ED3580748A3C38FEE001E30825E62ED0D40BC5385F69957C0709105D7D8
7D81AC78FC4E98C53DACF324
[964] __rad_conn_stop-Stop rad conn timer.
ike V=root:0:FC-LDAP-AUTH:338565: sent IKE msg (AUTH_RESPONSE): <WAN-IP>:500->172.16.10.166:500, len=80, vrf=0, id=d264b77317af4890/717371ae441c596b:00000003, oif=23
ike V=root:0:FC-LDAP-AUTH: connection expiring due to EAP failure
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing TOTPRadius, ref:2
ike V=root:0:FC-LDAP-AUTH: going to be deleted
[41] __rad_server_free-Freeing 172.16.10.231, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[902] fnbamd_pop3s_destroy-
[1070] fnbamd_ext_idps_destroy-
[2366] handle_req-Rcvd abort req for 1000760094741
[2381] handle_req-Can't abort, no active req 1000760094741
ike :shrank heap by 335872 bytes
diagnose debug disable
FG-100F (root) # diag debug app fnbamd 0
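An added example, not part of the post or of any Fortinet or Token2 tool: a decoder for the four EAP packets that fnbamd printed above as "EAP msg from client (…)" and "EAP msg from server (…)". Read per RFC 3748, the hex shows the FortiGate relaying an EAP-Response/Identity to TOTPRadius, the server answering with an EAP-Request of type 4 (MD5-Challenge), FortiClient replying with a Nak (type 3) that names types 26 (MS-CHAPv2) and 6 (GTC) as the methods it is willing to run, and the server closing with EAP-Failure, which arrives as the RADIUS code 3 (Access-Reject) in the log. The method names come from the IANA EAP registry; the hex strings are copied from the log and nothing else is assumed.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types that occur in this exchange
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 26: "MS-CHAPv2"}


def decode_eap(raw):
    """Decode one EAP packet (RFC 3748 4.1): code, id, length, then type and type-data."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes on the wire")
    msg = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (3, 4) or length == 4:
        return msg                      # Success/Failure carry no type
    etype, data = raw[4], raw[5:]
    msg["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                      # Identity: the user name the peer offers
        msg["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:                    # Nak: methods the peer is willing to run instead
        msg["desired"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype == 4:                    # MD5-Challenge: value-size, then the challenge bytes
        msg["challenge"] = data[1:1 + data[0]].hex()
    return msg


# Copied from the fnbamd lines "EAP msg from client/server" in the debug output above.
LOG_MESSAGES = [
    ("client", "02 9D 00 0E 01 73 75 70 70 6F 72 74 32 31"),
    ("server", "01 9E 00 16 04 10 39 93 7F 9E 4F 73 7A EB 7E CA 8C E8 B2 9C FE 07"),
    ("client", "02 9E 00 07 03 1A 06"),
    ("server", "04 9E 00 04"),
]


def decode_exchange(messages=LOG_MESSAGES):
    """Decode every logged EAP packet, keeping which side sent it."""
    return [(side, decode_eap(bytes.fromhex(h))) for side, h in messages]


def negotiation_outcome(decoded):
    """What the server offered, what the client asked for instead, and how it ended."""
    offered = [m["type"] for side, m in decoded
               if side == "server" and m["code"] == "Request" and "type" in m]
    naks = [m["desired"] for _, m in decoded if m.get("type") == "Nak"]
    return {"server_offered": offered,
            "client_wanted": naks[-1] if naks else [],
            "final": decoded[-1][1]["code"]}


if __name__ == "__main__":
    exchange = decode_exchange()
    for side, msg in exchange:
        print(f"{side:>6}: {msg}")
    print(negotiation_outcome(exchange))
    # {'server_offered': ['MD5-Challenge'], 'client_wanted': ['MS-CHAPv2', 'GTC'], 'final': 'Failure'}
```

This is a different symptom from the Wireshark message in the first post. Here the credential reached the server as an EAP-Message rather than as a PAP User-Password, the one method the server offered (MD5-Challenge) was refused by FortiClient, and the result was the Access-Reject / EAP-Failure visible in the log; the "Test user credentials" button on the FortiGate, which does use PAP, cannot exercise this path.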
Hi MG4
That may not work. It is not mentioned in the Fortinet guide, but from a different one, https://www.token2.com/site/page/hardware-tokens-for-pptp-vpn-on-windows-server-using-totpradius, it seems like it only works in PAP.
It currently uses the Authentication method Default on the FGT. I will try with the other methods.
Created on 02-21-2025 04:37 AM Edited on 02-21-2025 04:37 AM
Only PAP or "Default" works as authentication Method. But the VPN still doesn't work.