Not much of a Fortinet user, but helping a customer with transitioning from their old PPTP (yup) to something more secure. I've created a Windows security group called VPNUsers, and I have a Windows 2019 DC that the firewall is communicating with; the security group was added successfully. Using the current FortiClient build, a couple of users I've added to the VPNUsers group can VPN no problem. I then add a couple more users and I'm receiving 'Error: wrong credentials'. I verified that the creds are correct, as I can log in to workstations on the LAN. What gives?
Due to the nature of the PPP protocol, we do support LDAP authentication on PPTP/L2TP, but only when the PAP authentication protocol is used.
LDAP-based authentication for handshake protocols such as CHAP/MSCHAP/MSCHAPv2 on PPP link types is not possible due to a technology limitation.
As there is no plaintext password available when users are on a back-end LDAP server, the FortiGate is unable to construct proper responses for handshake authentication types.
And the authentication data provided by the client does not contain the password, so the FortiGate has nothing with which to construct a dialog towards LDAP either.
Therefore, if your PPTP client does not use PAP, it will fail authentication against the LDAP user group.
For example, MS Windows or Android 2.3.5 clients use MSCHAP/MSCHAPv2 as the default protocol for credential transfer. Therefore those are expected to fail in the default setup. You need to change those clients' supplicant settings in the connection properties.
For example, like this in Windows:
However, I would strongly recommend using more modern and more secure VPN solutions like full IPsec instead of L2TP (even instead of L2TP that uses IPsec as the transport layer).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
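The limitation described in the answer above can be seen in a few lines of code. What follows is an added example, not Fortinet code and not from the original thread: it models a back-end directory that offers only an LDAP-style simple bind (a yes/no answer for a username and plaintext password), a gateway that has both local users and directory users, and the two PPP authentication methods. It uses plain CHAP (RFC 1994, MD5-based) rather than MS-CHAPv2 as a simplification; MS-CHAPv2 differs in hashing details but has the same property that the response can only be checked by a party that already holds the password. The names `Directory`, `Gateway`, the request fields and the sample users are assumptions made for the example.

```python
"""Constructed example: why a gateway can authenticate PPP users against an
LDAP directory with PAP but not with CHAP-style handshakes (not Fortinet code)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple


class Directory:
    """Stand-in for a back-end LDAP directory (assumed for this example).

    Like a real LDAP server, it never hands out a user's password: it stores a
    salted PBKDF2 hash and only answers bind(username, password) with yes/no."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(salt, password))

    def bind(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._derive(salt, password))


# CHAP (RFC 1994): the server sends a one-octet identifier and a challenge,
# the client answers with MD5(Identifier || secret || Challenge).
def chap_challenge() -> Tuple[int, bytes]:
    return secrets.randbelow(256), secrets.token_bytes(16)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    data = bytes([ident]) + secret.encode() + challenge
    return hashlib.md5(data, usedforsecurity=False).digest()


def chap_verify_local(ident: int, challenge: bytes, response: bytes, secret: str) -> bool:
    """Only a verifier that already holds the secret can recompute the response."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


class Gateway:
    """Stand-in for the VPN gateway (assumed). A user is either local (password
    kept on the box) or a directory user reached through Directory.bind()."""

    def __init__(self, directory: Directory, local_users: Dict[str, str]) -> None:
        self._directory = directory
        self._local = local_users

    def authenticate(self, username: str, auth: dict) -> Tuple[bool, str]:
        proto = auth["proto"]
        if proto == "PAP":
            # PAP carries the plaintext password, so it can be checked locally
            # or forwarded unchanged to the directory as a bind.
            if username in self._local:
                ok = hmac.compare_digest(self._local[username].encode(),
                                         auth["password"].encode())
                return ok, "local"
            return self._directory.bind(username, auth["password"]), "ldap bind"
        if proto == "CHAP":
            if username in self._local:
                ok = chap_verify_local(auth["ident"], auth["challenge"],
                                       auth["response"], self._local[username])
                return ok, "local"
            # Directory user: the gateway holds an MD5 digest, not a password.
            # It cannot recompute the expected response (no secret) and has no
            # password to bind with, so the attempt can only be rejected. This
            # is the "wrong credentials" outcome described in the thread.
            return False, "ldap: no plaintext password to bind with or to recompute the response"
        return False, "unsupported protocol"


if __name__ == "__main__":
    directory = Directory()
    directory.add_user("alice", "correct horse")          # constructed LDAP-group user
    gw = Gateway(directory, {"bob": "battery staple"})     # constructed local user
    print("PAP alice:", gw.authenticate("alice", {"proto": "PAP", "password": "correct horse"}))
    ident, chal = chap_challenge()
    resp = chap_response(ident, "correct horse", chal)
    print("CHAP alice:", gw.authenticate("alice", {"proto": "CHAP", "ident": ident,
                                                   "challenge": chal, "response": resp}))
    resp_bob = chap_response(ident, "battery staple", chal)
    print("CHAP bob:", gw.authenticate("bob", {"proto": "CHAP", "ident": ident,
                                               "challenge": chal, "response": resp_bob}))
```

Running the script shows the contrast: the same directory user succeeds with PAP and is rejected with CHAP, while a local user succeeds with both because the gateway holds that user's secret and can recompute the expected response itself. Switching the client to PAP, as the answer recommends, works because it gives the gateway the one thing the directory can check.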
Copyright 2024 Fortinet, Inc. All Rights Reserved.