Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rwithers
New Contributor

IPSEC VPN XAUTH Issues

I am running into an issue with XAUTH authentication for IPSEC VPN users to a remote LDAP server. This is on Firmware 7.0.2.  Users can authenticate locally without issue. This is on MAC(s) and is working fine on a 6.0.4 implementation. I am trying to get to 7.0.2 to fix an VPN IP address allocation issue that 7.0.2 has newer features for

 

I have tested the LDAP server through the test features.

The connection test works

The user test works

 

When a user goes to login to the VPN the get the username/password window.

When the username and password is entered it is not accepted and they keep getting a prompt for this window

 

When I do a

 

 

diag debug application ike -1

 

 

I get

 

 

ke 0:RMTUSERS_0:610: peer has not completed XAUTH exchange
ike 0: comes x.x.x.x:1943->1x.x.x.x:4500,ifindex=25,vrf=0....
ike 0: IKEv1 exchange=Mode config id=06fc89be880d43e9/849718f9d6c152da:3884d1e6 len=108 vrf=0
ike 0: in 06FC89BE880D43E9849718F9D6C152DA081006013884D1E60000006C8B5ADF086D7C955D1D0D0A6A16D754F73F122FAE00A29EFF30BD9D1E8C4730C2E123E78E3242BD36D22AA038F8FC7101FFBD9C9DDB5D21487EE475BD1319C83F3F0AB404C38249CE0E93F18ED1C69392
ike 0:RMTUSERS_0:610: dec 06FC89BE880D43E9849718F9D6C152DA081006013884D1E60000006C0E000024A86D2C87B113747DB0493986C639FD538DC64BE43A64438E14C542F3BEB95044000000230200E500408900087277697468657273408A000B6361743133616262253233000000000000000009
ike 0:RMTUSERS_0:610: received XAUTH_USER_NAME 'myusername' length 8
ike 0:RMTUSERS_0:610: received XAUTH_USER_PASSWORD length 11
ike 0:RMTUSERS_0: XAUTH user "myuserid"
ike 0:RMTUSERS: auth group myauthgroup
ike 0:RMTUSERS_0: XAUTH 1250242846 pending
ike 0:RMTUSERS_0:610: XAUTH 1250242846 result 1
ike 0:RMTUSERS_0: XAUTH failed for user "myuserid", retry(2).
ike 0:RMTUSERS_0:610: sending XAUTH request

 

 

and it does this each time the password is entered

 

I am sure the password is correct as I mentioned above it tests fine in the LDAP test setup.

 

From a packet capture I can see the traffic being sent and received from the LDAP server.

 

Any suggestions would be greatly appreciated as this is got me stuck.

 

Thanks

1 REPLY 1
pkavin
Staff
Staff

Hello rwithers,

 

It seems that IKE is just getting a deny message from the fnbamd process which will handle the XAuth authentication and that is why the connection is getting denied:

 

ike 0:RMTUSERS_0:610: XAUTH 1250242846 result 1

 

Can you please run the fnbamd debugs and paste the output of the debugs here? (you might need to sanitize the output a bit due to public forum)

 

diag debug application fnbamd -1

diag debug console timestamp enable

diag debug application ike -1

diag debug enable

 

 

 

 

 

Kavin
Top Kudoed Authors