Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
secret104278
New Contributor

LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate

Hello all,

Is LDAP only work with Cisco IPsec but L2TP/IPsec?

I try to set up VPN for remote access with LDAP with is hosted on Synology NAS, It works well with Cisco IPsec, but when I switch to L2TP/IPsec, only RADIUS work.

 

I want to use L2TP/IPsec because I want my client will able to connect from WINDOW natively.

Besides, I'm not considering to use SSL VPN because I have some embedded devices need to connect VPN, and SSL VPN doesn't have a standard.

 

Is this relate to PAP, MSCHAP or something else. What is different between Cisco IPsec and L2TP/IPsec under Fortigate?

7 REPLIES 7
emnoc
Esteemed Contributor III

What do you mean by cisco/ipsec? Are you using the cisco ipsec-client ? As far as LDAP , LDAP is just that LDAP. You should be able to  authenticate ldap requests. What I would do is to test the . ldap auth via the cli  and confirm 

 

e.g

      diagnose test authserver ldap <server_name> <username> <password>

 

Define the ldapserver and then test using a test account

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
secret104278

"Cisco IPsec" means the fortigate ipsec tunnel template "iOS Native", 

"L2TP/IPsec" means the fortigate ipsec tunnel template "Windows Native".

 

When "L2TP/IPsec" + RADIUS, vpn will work on iOS, macOS, Window, Android,

When "L2TP/IPsec" + LDAP, vpn doesn't work at all

When "Cisco IPsec" + LDAP, vpn will work on iOS, macOS

 

There is a system error log when "L2TP/IPsec" + LDAP is that Fortigate failed to communicate with LDAP by MSCHAPv2,

I heard somebody say that LDAP required clear-text password and only accept PAP, if this is true, how can I configure Fortigate to use PAP with LDAP. Besides, why under "Cisco IPsec" fortigate can communicate with LDAP well, what protocol does it use?

emnoc
Esteemed Contributor III

More confusion,  but LDAP has nothing todo with PAP MSchap MSv2CHAP etc.... Sounds like your using RADIUS for the vpn and the back end are LDAP for the authenticator?

 

What is your RADIUS server ? Do you have or have allowed support for PAP within the RADIUS client profile?

 

If the vpn is using radius for authentication, what is the auto-type set as

 

cli cfg for the RADIUS server 

# a typical cfg would look like this

config user radius

  end WindowsNPS

   set auth-type auto|pap|chap|ms_chap

end

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
secret104278

My RADIUS is provided by synology NAS as same as the LDAP server.

L2TP/IPsec with RADIUS works good, the problems is L2TP/IPsec directly with LDAP

 

I config LDAP server form Web GUI "User & Device" -> "LDAP servers", and create a "User Groups" with type "Firewall", and then add the ldap server to the remote server of user group.

Then I create a IPsec tunnel with IPsec Wizard with "Windows Native"(l2tp/ipsec) template, and chose the user group i just create.

 

After the vpn created, I try to connect from my device(iOS, macOS, android), but the connection failed to established. At the same time, there is an error log in Fortigate System Event:

"User '******' is trying to connect using l2tp with authentication protocol MSCHAP_V2, failed"

 

However, if I create a IPsec tunnel with IPsec Wizard with "iOS Native"(cisco ipsec) template, and chose that user group, the connection can success.

 

config vpn ipsec phase2-interface
    edit "vpn"
        set phase1name "vpn"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "VPN: vpn (Created by VPN wizard)"
        set keylifeseconds 3600
    next
end

config vpn ipsec phase1-interface
    edit "vpn"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set comments "VPN: vpn (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-windows
        set psksecret ENC PwAIdqYwH1hYEhfE7zlsHAc+Q+eNeNwNLEd2Ed6crj5B37hYPvXA55JqlMbLlGWaRRfrtklLOBMIcKj7OlzK3tmsVv9PrdqbJG/muTuYOd2yAMGD6mITZoXMLj27HSEKWXBoce8NJhydws39ZhG8xmidciMYityZcQ5cEZMtUYju0nE9Gf2laB/zaeJZGtLV5zciag==
    next
end

config vpn l2tp
    set eip 10.1.5.123
    set sip 10.1.5.1
    set status enable
    set usrgrp "ldap_group"
end

config user group
    edit "ldap_group"
        set member "nas"
        config match
            edit 1
                set server-name "nas"
                set group-name "cn=vpn,cn=groups,dc=****,dc=****,dc=****"
            next
        end
    next
end

emnoc
Esteemed Contributor III

And "nas" is it a "ldap-server"  or "radius" ? Did you do the test diag cmd in the example sent earlier?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
secret104278

The "NAS" is the LDAP server as well as RADIUS server. It is a Network Attached Storage with special OS and a lot apps. I have test that diag command and it works well
xsilver_FTNT

Hi,

 

Due to nature of the PPP protocol, we do support LDAP authentication on PPTP/L2TP only when PAP authentication protocol is used. The LDAP based authentication for handshake protocols as CHAP/MSCHAP/MSCHAPv2 on PPP link types is not possible due to technology limitation. As there is no plain text password available, FortiGate is unable to construct proper responses for handshake authentication types. And authentication data provided by client do not contain password, so FortiGate has nothing to construct dialog towards LDAP as well.

 

According to my notes it was written in official documentation...

For example "FortiOS Handbook - Authentication" [ISBN 01-526-122870-20160309] page 85 , chapter "Configuring authentication of L2TP VPN users/user groups" http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf  (outdated) --- cit --- "LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not. --- cit ---

 

Therefore if your PPTP client does not use PAP, then he will fail in authentication towards LDAP user group.

For example MS Windows or Android 2.3.5 clients uses MSCHAP/MSCHAPv2 as default protocol for credentials transfer.

I had link to page describing how to set PAP in L2TP native MSFT supplicant, but it's outdated.

If possible, I would go for full IPSec and not to L2TP, which I do not consider secure anymore.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors