Support Forum
MG4
New Contributor III

Solution for Article 239709 not working (IPsec VPN peer id from dialup group)

On the CLI, when a user tries to assign the option ‘peer id from dialup group’ in the dial-up IPsec tunnel:

# config vpn ipsec phase1-interface
(phase1-interface) # edit <phase1 name>
(phase1 name) # set peertype dialup
(phase1 name) # set usrgrp <usergroup name>
Error: auth_user not a local user
node_check_object fail! for usrgrp <usergroup name>

value parse error before 'test'
Command fail. Return code -1


On the GUI, the error ‘-1: Invalid length of value’ is shown when a user tries to assign a user group to the option ‘peer id from dialup group’.

Solution: A user group can only be assigned/used in the option ‘peer id from dialup group’ if every user in that group is locally created or the user group has a Group type of ‘Firewall’.

My problem is that the user group RADIUS I use is of the group type Firewall, and it doesn't work. The user group RADIUS has a remote group, which is a RADIUS server.

Is there no way to authenticate Client-to-Site IPsec VPNs with the FortiGate via LDAP or RADIUS?

1 Solution
pminarik
Staff

LDAP or RADIUS can be used if you utilize them for XAUTH (IKEv1) or EAP (IKEv2) authentication in IPsec.


peertype=dialup + usrgrp=<local-group> are used to effectively create a dynamic list of valid peer-id + PSK combinations. Since the PSK (taken from the local user's password) isn't sent directly, but is used to generate a hash for authentication, the FortiGate needs to have knowledge of what the PSK should be, and in practice LDAP/RADIUS cannot be used to request such information from the authentication server.

[ corrections always welcome ]
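To make the accepted answer's point concrete, here is an added Python sketch (not FortiOS code, and not from this thread) of IKEv2-style pre-shared-key authentication as defined in RFC 7296 section 2.15, with HMAC-SHA256 standing in for the negotiated PRF: the responder can only verify the peer's AUTH value if something hands it the PSK for that peer ID, which a local user group can do and a remote accept/reject backend cannot. The user table and the signed octets are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable, Optional

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function; HMAC-SHA256 stands in for the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def compute_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <signed octets>).
    Only this value travels on the wire; the PSK itself never does."""
    return prf(prf(psk, KEY_PAD), signed_octets)


# Constructed local user store: peer id -> password, used as the PSK.
LOCAL_USERS = {"alice": b"alice-password-constructed"}


def local_group_psk(peer_id: str) -> Optional[bytes]:
    """A local user group can hand back the stored password to use as PSK."""
    return LOCAL_USERS.get(peer_id)


def radius_style_psk(peer_id: str) -> Optional[bytes]:
    """A remote RADIUS/LDAP server only answers accept/reject for a
    (user, password) pair it is given; it has no call that returns the
    password, so the responder has nothing to key the PRF with."""
    return None


def verify_auth(lookup_psk: Callable[[str], Optional[bytes]],
                peer_id: str, signed_octets: bytes, auth: bytes) -> bool:
    """Responder-side check: recompute AUTH from the peer's PSK and compare."""
    psk = lookup_psk(peer_id)
    if psk is None:
        return False  # no PSK known for this peer id, so AUTH cannot be checked
    return hmac.compare_digest(compute_auth(psk, signed_octets), auth)
```

With a local group, a valid AUTH for "alice" verifies and a wrong one is rejected; with the RADIUS-style lookup, even a correct AUTH cannot be verified because the PSK is never available to the responder.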


3 Replies
ozkanaltas
Valued Contributor III

Hello @MG4 ,


According to that solution article, you can't use a remote group in your dial-up VPN configuration. You need to configure it with a local user group.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
MG4
New Contributor III

Thank you for the answer. I looked up EAP authentication and found article 191040, which describes a way to use RADIUS. I'm going to try it out and see if it works.
