Hello all,
Does LDAP only work with Cisco IPsec, and not with L2TP/IPsec?
I am trying to set up a VPN for remote access with LDAP, which is hosted on a Synology NAS. It works well with Cisco IPsec, but when I switch to L2TP/IPsec, only RADIUS works.
I want to use L2TP/IPsec because I want my clients to be able to connect from Windows natively.
Besides, I am not considering SSL VPN because I have some embedded devices that need to connect to the VPN, and SSL VPN doesn't have a standard.
Is this related to PAP, MSCHAP or something else? What is the difference between Cisco IPsec and L2TP/IPsec under FortiGate?
What do you mean by Cisco/IPsec? Are you using the Cisco IPsec client? As far as LDAP goes, LDAP is just that, LDAP. You should be able to authenticate LDAP requests. What I would do is test the LDAP auth via the CLI and confirm,
e.g.
diagnose test authserver ldap <server_name> <username> <password>
Define the LDAP server and then test using a test account.
Ken Felix
PCNSE
NSE
StrongSwan
"Cisco IPsec" means the FortiGate IPsec tunnel template "iOS Native",
"L2TP/IPsec" means the FortiGate IPsec tunnel template "Windows Native".
With "L2TP/IPsec" + RADIUS, the VPN works on iOS, macOS, Windows and Android.
With "L2TP/IPsec" + LDAP, the VPN doesn't work at all.
With "Cisco IPsec" + LDAP, the VPN works on iOS and macOS.
With "L2TP/IPsec" + LDAP there is a system error log saying that the FortiGate failed to communicate with LDAP via MSCHAPv2.
I heard somebody say that LDAP requires a clear-text password and only accepts PAP. If this is true, how can I configure the FortiGate to use PAP with LDAP? Besides, why can the FortiGate communicate with LDAP fine under "Cisco IPsec"? What protocol does it use?
More confusion, but LDAP has nothing to do with PAP, MSCHAP, MSCHAPv2 etc.... It sounds like you are using RADIUS for the VPN and the back end is LDAP for the authenticator?
What is your RADIUS server? Do you have, or have you allowed, support for PAP within the RADIUS client profile?
If the VPN is using RADIUS for authentication, what is the auth-type set as in the CLI cfg for the RADIUS server?
# a typical cfg would look like this
config user radius
    edit "WindowsNPS"
        set auth-type auto|pap|chap|ms_chap
    next
end
Ken Felix
PCNSE
NSE
StrongSwan
My RADIUS is provided by the Synology NAS, the same as the LDAP server.
L2TP/IPsec with RADIUS works well; the problem is L2TP/IPsec directly with LDAP.
I configured the LDAP server from the web GUI "User & Device" -> "LDAP Servers", created a "User Group" with type "Firewall", and then added the LDAP server to the remote server of the user group.
Then I created an IPsec tunnel with the IPsec Wizard using the "Windows Native" (L2TP/IPsec) template, and chose the user group I had just created.
After the VPN was created, I tried to connect from my devices (iOS, macOS, Android), but the connection failed to establish. At the same time, there was an error log in the FortiGate System Events:
"User '******' is trying to connect using l2tp with authentication protocol MSCHAP_V2, failed"
However, if I create an IPsec tunnel with the IPsec Wizard using the "iOS Native" (Cisco IPsec) template and choose that user group, the connection succeeds.
config vpn ipsec phase2-interface
    edit "vpn"
        set phase1name "vpn"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "VPN: vpn (Created by VPN wizard)"
        set keylifeseconds 3600
    next
end
config vpn ipsec phase1-interface
    edit "vpn"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set comments "VPN: vpn (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-windows
        set psksecret ENC PwAIdqYwH1hYEhfE7zlsHAc+Q+eNeNwNLEd2Ed6crj5B37hYPvXA55JqlMbLlGWaRRfrtklLOBMIcKj7OlzK3tmsVv9PrdqbJG/muTuYOd2yAMGD6mITZoXMLj27HSEKWXBoce8NJhydws39ZhG8xmidciMYityZcQ5cEZMtUYju0nE9Gf2laB/zaeJZGtLV5zciag==
    next
end
config vpn l2tp
    set eip 10.1.5.123
    set sip 10.1.5.1
    set status enable
    set usrgrp "ldap_group"
end
config user group
    edit "ldap_group"
        set member "nas"
        config match
            edit 1
                set server-name "nas"
                set group-name "cn=vpn,cn=groups,dc=****,dc=****,dc=****"
            next
        end
    next
end
And is "nas" an "ldap-server" or a "radius" server? Did you do the test diag cmd in the example sent earlier?
Ken Felix
PCNSE
NSE
StrongSwan
Hi,
Due to the nature of the PPP protocol, we do support LDAP authentication on PPTP/L2TP only when the PAP authentication protocol is used. LDAP-based authentication for handshake protocols such as CHAP/MSCHAP/MSCHAPv2 on PPP link types is not possible due to a technology limitation. As there is no plain-text password available, the FortiGate is unable to construct proper responses for handshake authentication types. And the authentication data provided by the client does not contain the password, so the FortiGate has nothing with which to construct a dialog towards LDAP either.
According to my notes it was written in the official documentation...
For example "FortiOS Handbook - Authentication" [ISBN 01-526-122870-20160309] page 85, chapter "Configuring authentication of L2TP VPN users/user groups" http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf (outdated) --- cit --- "LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not." --- cit ---
Therefore if your PPTP client does not use PAP, it will fail authentication towards the LDAP user group.
For example, MS Windows or Android 2.3.5 clients use MSCHAP/MSCHAPv2 as the default protocol for credential transfer.
I had a link to a page describing how to set PAP in the native L2TP MSFT supplicant, but it's outdated.
If possible, I would go for full IPsec and not L2TP, which I do not consider secure anymore.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
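Added illustration of the point made in the reply above (this is a constructed simulation written for this page, not FortiGate, Synology or Fortinet code). An LDAP server behaves as a bind oracle: it answers "does this username and cleartext password bind?" and never discloses the stored password. With PAP the authenticator receives the cleartext password and can simply attempt a bind. With a handshake protocol it receives only a challenge response, which can be verified only by a party that holds the secret itself, such as a RADIUS server with its own user database, which is why the RADIUS variant in this thread works. CHAP (RFC 1994, MD5 over identifier, secret and challenge) is used here as the simplest handshake protocol; MS-CHAPv2 has the same property, since its verifier needs the NT hash of the password. The user name, password and the `_DIRECTORY` store are constructed.

```python
"""Constructed simulation: PPP + LDAP works with PAP but not with CHAP."""
import hashlib
import hmac
import os

# Constructed directory held only by the LDAP server (stands in for the NAS).
_DIRECTORY = {"alice": "s3cret-pass"}


def ldap_bind(username: str, password: str) -> bool:
    """Bind oracle: succeeds only with the user's cleartext password."""
    stored = _DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


# --- PAP (RFC 1334): the client sends its cleartext password ----------------
def pap_client(username: str, password: str) -> dict:
    return {"username": username, "password": password}


def pap_authenticate(msg: dict) -> bool:
    # The authenticator holds the cleartext password, so it can try to bind.
    return ldap_bind(msg["username"], msg["password"])


# --- CHAP (RFC 1994): response = MD5(identifier || secret || challenge) -----
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_client(username: str, password: str, identifier: int, challenge: bytes) -> dict:
    return {
        "username": username,
        "identifier": identifier,
        "response": chap_response(identifier, password, challenge),
    }


def chap_authenticate_via_ldap_bind(msg: dict) -> bool:
    """Authenticator that only has the bind oracle (the FortiGate + LDAP case).

    It never sees the secret, LDAP will not hand it over, and the response is
    a hash, not a password, so the only move left is a bind attempt with the
    response bytes. That always fails, which is the failure seen in the thread.
    """
    return ldap_bind(msg["username"], msg["response"].hex())


def chap_authenticate_with_secret(msg: dict, challenge: bytes, secret_store: dict) -> bool:
    """Authenticator that holds the user's secret itself (the RADIUS case).

    It recomputes the expected response and compares in constant time, which
    is how CHAP is meant to be verified.
    """
    secret = secret_store.get(msg["username"])
    if secret is None:
        return False
    expected = chap_response(msg["identifier"], secret, challenge)
    return hmac.compare_digest(expected, msg["response"])


def run_scenarios() -> dict:
    """Run the combinations discussed in the thread and return the outcomes."""
    challenge = os.urandom(16)
    good = chap_client("alice", "s3cret-pass", 1, challenge)
    bad = chap_client("alice", "wrong", 1, challenge)
    return {
        "pap_ldap_good": pap_authenticate(pap_client("alice", "s3cret-pass")),
        "pap_ldap_bad": pap_authenticate(pap_client("alice", "wrong")),
        # Correct password, yet bind-only verification cannot confirm it.
        "chap_ldap_good": chap_authenticate_via_ldap_bind(good),
        # The constructed directory doubles as the RADIUS server's own store.
        "chap_secret_good": chap_authenticate_with_secret(good, challenge, _DIRECTORY),
        "chap_secret_bad": chap_authenticate_with_secret(bad, challenge, _DIRECTORY),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

Running it shows PAP accepting the right password and rejecting the wrong one against LDAP, CHAP being rejected against LDAP even with the right password, and CHAP verifying correctly only where the authenticator has its own copy of the secret. That is the same split as the thread's observations: L2TP/IPsec with RADIUS works, L2TP/IPsec with LDAP does not.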