Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

L2TP VPN with LDAP authentication issues

Not much of a Fortinet user, but helping a customer with transitioning from their old PPTP(yup) to something more secure. I've created a Windows security group called VPNUsers and I have a Windows 2019 DC that the firewall is communicating with - added the security group successfully.  Using the current Forticlient build, a couple of users I've added to the VPNUsers group can VPN no problem. I then add a couple more users and I'm receiving 'Error: wrong credentials'.  I verified that the creds are correct as I can login to workstations on the lan.  What gives?


Due to nature of the PPP protocol, we do support LDAP authentication on PPTP/L2TP, but only when PAP authentication protocol is used.
The LDAP based authentication for handshake protocols as CHAP/MSCHAP/MSCHAPv2 on PPP link types is not possible due to technology limitation.
As there is no plain text password available, as users are on back end LDAP, then FortiGate is unable to construct proper responses for handshake authentication types.
And authentication data provided by client do not contain password, so FortiGate has nothing to construct dialog towards LDAP as well.

Therefore if your PPTP client does not use PAP, then he will fail in authentication towards LDAP user group.

For example: MS Windows or Android 2.3.5 clients uses MSCHAP/MSCHAPv2 as default protocol for credentials transfer. Therefore those are expected to fail in default setup. You need to change those client's supplicant settings in connection properties.

For example like that in Windows:



However, I would strongly recommend to use more modern and more secure VPN solutions like full IPsec, instead of L2TP (even instead of L2TP which uses IPsec as transport layer).


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Top Kudoed Authors