funkylicious
SuperUser

IPsec DialUP Framed-IP-Address with IKEv1 and Windows NPS

Hi,


In case anyone needs to assign static IP addresses to users connecting to an IPsec DialUP with IKEv1 and RADIUS/NPS on Windows Server, here's my working configuration.

 

Environment

FGT 7.4.8

Windows Server 2016 Standard with NPS/AD configured

FortiClient 7.4.3 ( EMS managed - should not be important/relevant and the free VPN-only should work )

 

IPsec configuration:

config vpn ipsec phase1-interface
    edit "RA-IPsec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha1
        set dpd disable
        set dhgrp 14
        set xauthtype auto
        set reauth enable
        set assign-ip-from usrgrp
        set ipv4-start-ip 10.0.2.10
        set ipv4-end-ip 10.0.2.20
        set dns-mode auto
        set ipv4-split-include "IP Intern"
        set save-password enable
        set psksecret <>
    next
end

config vpn ipsec phase2-interface
    edit "RA-IPsec"
        set phase1name "RA-IPsec"
        set proposal aes128-sha1 aes256-sha1
        set keepalive enable
    next
end

 

RADIUS/NPS Server configured on FGT:

config user radius
    edit "LAB-NPS"
        set server "192.168.200.201"
        set secret <>
        set nas-ip 192.168.200.1
        set auth-type pap
    next
end

config user group
    edit "IPsec-NPS"
        set member "LAB-NPS"
    next
end

 

Firewall rule:

config firewall policy
    edit <>
        set srcintf "RA-IPsec"
        set dstintf "LAN"
        set action accept
        set srcaddr "DialUP_range"
        set dstaddr "IP Intern"
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
        set groups "IPsec-NPS"
    next
end

config firewall address
    edit "DialUP_range"
        set type iprange
        set start-ip 10.0.2.10
        set end-ip 10.0.2.20
    next
end

 

NPS Configuration on Windows Server:

In Network Policy Server:

RADIUS Clients > New : Add the FortiGate IP/Secret ( Secret should match on both the FGT and NPS )

Network Policies > New > Name it > Next > Conditions : Add > User Groups ( I used the generic Domain Users group, feel free to add/create any group necessary ) > Next > Access Granted > EAP Types : MS-CHAP-v2 + PAP ( I used/enabled both MS-CHAP-v2 and PAP for testing purposes, although on the FGT under RADIUS I tested with both, but for my test I only left PAP ) > Next > Constraints : NAS Port Type > Virtual (VPN) ( for my test, it can be left blank/unselected ) > Next > IP Settings : Server settings determine IP address assignment , the rest as they are

Screenshot 2025-11-13 at 15.22.54.png

 

Now, in ADUC ( Active Directory Users and Computers ) , you would need to find the user, edit it ( make sure View > Advanced Features is enabled ) > Dial-in > Assign Static IP Address and configure it ( as per below )

Screenshot 2025-11-13 at 14.58.51.png


That's it!

 

Debug logs to confirm/test the functionality:

ike V=root:0:RA-IPsec_0:260: received XAUTH_USER_NAME 'fortiems' length 8
ike V=root:0:RA-IPsec_0: XAUTH user "fortiems"
ike V=root:0:RA-IPsec: auth candidate group 'SSL_VPN-GROUP' 1
ike V=root:0:RA-IPsec: auth candidate group 'IPsec-NPS' 7
ike V=root:0:RA-IPsec_0: XAUTH 74462018805813 pending
[760] fnbamd_saml_auth_cache_lookup-Authneticating 'fortiems'.
[508] create_auth_session-Session created for req id 
[357] auth_local-started for fortiems
[429] auth_local-No conclusion, FNBAM_UNKNOWN
[863] __fnbamd_cfg_get_radius_list_by_group-Group 'SSL_VPN-GROUP'
[863] __fnbamd_cfg_get_radius_list_by_group-Group 'IPsec-NPS'
[456] fnbamd_rad_get-vfid=0, name='LAB-NPS'
[810] __rad_auth_ctx_insert-Loaded RADIUS server 'LAB-NPS'
[868] __fnbamd_cfg_get_radius_list_by_group-Loaded RADIUS server 'LAB-NPS' for usergroup 'IPsec-NPS' (7)
[823] __rad_auth_ctx_insert_all_usergroup-
[923] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[1030] fnbamd_cfg_radius_clear_reachability-Clearing RAD server reachability LAB-NPS:192.168.200.201
[941] fnbamd_rad_get_auth_server-
[1175] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[301] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[1110] __auth_ctx_svr_push-Added addr 192.168.200.201:1812 from rad 'LAB-NPS'
[933] __fnbamd_rad_get_next_addr-Next available address of rad 'LAB-NPS': 192.168.200.201:1812.
[1128] __auth_ctx_start-Connection starts LAB-NPS:192.168.200.201, addr 192.168.200.201:1812 proto: UDP
[281] __rad_udp_open-Opened radius socket 10, sa_family 2
[948] __rad_conn_start-Socket 10 is created for rad 'LAB-NPS'.
[810] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'SSL_VPN-GROUP'
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'IPsec-NPS'
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[612] fnbamd_rad_make_access_request-
[334] __create_access_request-Compose RADIUS request
[595] __create_access_request-Created RADIUS Access-Request. Len: 165.
[1175] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 192.168.200.201:1812, source address is null, protocol number is 17, oif id is 0
[354] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[871] __rad_rxtx-Sent radius req to server 'LAB-NPS': fd=10, IP=192.168.200.201(192.168.200.201:1812) code=1 id=160 len=165
[1133] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1156] __rad_chk_resp_authenticator-ret=0
[1231] fnbamd_rad_validate_pkt-RADIUS resp code 2
[1301] fnbamd_rad_process-Result from radius svr 'LAB-NPS' is 0,
[1503] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 0
[631] fnbam_user_auth_group_match-req id: , server: LAB-NPS, local auth: 0, dn match: 0
[585] __group_match-Check if LAB-NPS is a group member
[585] __group_match-Check if LAB-NPS is a group member
[591] __group_match-Group 'IPsec-NPS' passed group matching
[594] __group_match-Add matched group 'IPsec-NPS'(7)
[206] find_matched_usr_grps-Passed group matching
[909] update_auth_token_session-config does not require 2fa
ike V=root:0:RA-IPsec_0:260: XAUTH 74462018805813 result FNBAM_SUCCESS
[516] fnbamd_rad_auth_ctx_free-Freeing 'LAB-NPS' ctx
[364] fnbamd_rad_free-Freeing LAB-NPS, ref:2
ike V=root:0:RA-IPsec_0: user 'fortiems' authenticated group 'IPsec-NPS' 7
ike V=root:0:RA-IPsec_0: use framed-IP 10.0.2.99 to replace local 10.0.2.10.
ike V=root:0:RA-IPsec_0: assigned IP 10.0.2.99

Screenshot 2025-11-13 at 15.21.38.png

 

L.E. AD users that don't have a static IP assignment in ADUC will get an IP address from the pool configured in phase1.

L.E.2 My test user, which gets assigned 10.0.2.99, will not have access to any resources ( since the IP is not part of the IP range in the firewall rule ); you will need to create another rule with that specific IP as source.

"jack of all trades, master of none"
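The debug log above shows the two steps that matter for this setup: the FortiGate accepts the RADIUS reply ("RADIUS resp code 2") and then reads Framed-IP-Address out of it ("use framed-IP 10.0.2.99 to replace local 10.0.2.10"). The following Python is an added example, not code from the post or from Fortinet: it builds a constructed Access-Accept the way an NPS server would (RFC 2865 packet layout, Framed-IP-Address is attribute 8), verifies the Response Authenticator with the shared secret, extracts the assigned address, and checks it against the same 10.0.2.10-10.0.2.20 range as the "DialUP_range" address object, which reproduces the L.E.2 caveat that 10.0.2.99 falls outside the firewall rule. It goes slightly beyond the post by treating the two reserved Framed-IP-Address values from RFC 2865 (255.255.255.254 "NAS selects" and 255.255.255.255 "user selects") as "no static address, use the pool". The shared secret, the Request Authenticator and the function names are assumptions; the id 160 comes from the log line. The Message-Authenticator attribute check the log also mentions is a separate HMAC and is not covered here.

```python
"""Added example (not from the forum post): parse a RADIUS Access-Accept, verify its
Response Authenticator, read Framed-IP-Address and check it against the firewall range."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2          # RADIUS code seen in the post's log ("RADIUS resp code 2")
FRAMED_IP_ADDRESS = 8      # RFC 2865 attribute type for Framed-IP-Address
# RFC 2865 section 5.8 reserves two Framed-IP-Address values meaning "no static address":
NAS_SELECTS = "255.255.255.254"   # 0xFFFFFFFE: the NAS (FortiGate) picks, i.e. the phase1 pool
USER_SELECTS = "255.255.255.255"  # 0xFFFFFFFF: the user is allowed to negotiate an address


def build_access_accept(ident, request_auth, secret, framed_ip=None):
    """Assemble an Access-Accept as the NPS server would. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 section 3."""
    attrs = b""
    if framed_ip is not None:
        attrs += struct.pack("!BB4s", FRAMED_IP_ADDRESS, 6,
                             ipaddress.IPv4Address(framed_ip).packed)
    length = 20 + len(attrs)                      # 20-byte header plus attributes
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True only if the reply was produced by a server that knows the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Yield (type, value) pairs from the TLV attribute section, rejecting bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def framed_ip_from_accept(packet):
    """Return the static address the server assigned, or None when the pool should be used."""
    for atype, value in parse_attributes(packet):
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            ip = str(ipaddress.IPv4Address(value))
            return None if ip in (NAS_SELECTS, USER_SELECTS) else ip
    return None


def assign_address(packet, request_auth, secret, pool_candidate):
    """Mirror the log line 'use framed-IP X to replace local Y': verify the reply first,
    then prefer Framed-IP-Address over the address the pool would have handed out."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    return framed_ip_from_accept(packet) or pool_candidate


def covered_by_policy(ip, range_start, range_end):
    """The firewall policy only matches sources inside the 'DialUP_range' iprange object."""
    return (ipaddress.IPv4Address(range_start) <= ipaddress.IPv4Address(ip)
            <= ipaddress.IPv4Address(range_end))


if __name__ == "__main__":
    # Constructed values: the secret and Request Authenticator are not from the post.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    reply = build_access_accept(160, request_auth, secret, "10.0.2.99")
    assigned = assign_address(reply, request_auth, secret, "10.0.2.10")
    print("assigned IP:", assigned)
    print("covered by DialUP_range policy:",
          covered_by_policy(assigned, "10.0.2.10", "10.0.2.20"))
```

Running it reports the 10.0.2.99 assignment and `False` for the policy check, which is exactly why the post's last note says a second rule with that specific source IP is needed; a user whose Access-Accept carries no Framed-IP-Address (or one of the two reserved values) falls through to the pool candidate, matching the first note.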