Hi all!
Currently I am configuring a L2TP over IPSEC through Radius with a NPS server.
I've configured the L2TP on the Fortigate with the wizard, this is quite simple.
For testing I created 2 L2TP configuration because of the different networks available to connect with as a user.
This is a L2TP configuration for a native Windows client.
Tunnel:
-Remote Access - Windows Native
-Incoming interface - WAN
-Preshared key: ****
-User Group - the VPN Radius Group that should match
-Local interface - the interface that matches the destination group
-Local address - the address object that matches the destination group
-Client address range - a fictive range I made up 10.10.44.100-10.10.44.200
When connecting from a Windows client, it stops with error code: 691 (remote connection denied username..)
But checking the NPS logs, it shows MS-CHAPv2 was successful.
The logs matches the exact group that belongs to the user and I see traffic on the policies. So this should be good to go.
But showing the debug from the Fortigate, it shows " MSCHAP-v2 peer authentication failed for remote host".
So the NPS-Server says "successful" but the Fortigate says failed.
Does anyone recognise this issue?
Best regards,
Tim
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It seems that the problem is caused by the use of MSCHAPv2. You can verify if FGT is able to successfully authenticate the user by running these commands:
> diagnose test authserver radius <srv name> pap <user> <pass>
> diagnose test authserver radius <srv name> mschap2 <user> <pass>
Tim and I are working on this issue together. These are the results:
authenticate 'xxx' against 'pap' failed, assigned_rad_session_id=44745116631041 session_timeout=0 secs idle_timeout=0 secs!
authenticate 'xxx' against 'mschap2' succeeded, server=primary assigned_rad_session_id=44745116631042 session_timeout=0 secs idle_timeout=0 secs!
Do a packet capture of the RADIUS communication as well, so that you know what the server is returning. You can combine that with debug for the FortiGate's side:
CLI 1:
diag sniffer packet any "host <NPS IP> and port 1812" 6 0 a
CTRL+C to stop when done
CLI 2 (separate SSH session or GUI console screen):
diag debug app fnbamd 127
dia de console timestamp enable
dia de en
=> test now with an L2TP connection attempt
dia de dis
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.