Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexandreP
New Contributor III

Created on ‎11-02-2022 02:36 PM

Using LDAP auth with IPSec VPN, Windows Native, 2022 version not working - hints?

FortiGate200F , firmware version 7.0.8, I need some hint.

 

1- So I configure an LDAP server on my Fortinet, used the "test" button with a username and password and it's working.

 

AlexandreP_0-1667423268302.png

(Edit LDAP Server image : That "test user credentials" button is working.)

 

 

 

2- I configure a group (GUI : User & Authentification - User Groups), named GRVPNLDAP pointing to a LDAP group on Active Directory.

 

3- I then configure a remote VPN with GRVPNLDAP to authenticate with the IPSec Wizard, remote - native - Windows Native.

 

AlexandreP_2-1667424428151.png

(VPN Creation Wizard image : We use this Wizard to create the new Remote VPN.)

 

4- I convert the new R100 IPSec Tunnel , so I can use a secondary IP address on the Wan interface.

 

5- When I test the VPN, In the Event VPN logs, I see : Pass1 ok Pass2 ok, then the connection closes.

 

6- I test/configure another Remote VPN, with the same settings, except with a local user, it works.

 

7- I test/configure a login for the Fortinet GUI that autenticate with GRVPNLDAP, it works.

 

What's not working here??? Can someone gives me some hints?

 

I will test this again on the next weekend (November 5 and 6, 2022) , and come back with my findings.

 

Thanks

 

 

 

 

 

 

 

 

 

 

 

Labels:
3423
0 Kudos
1 Solution
bpozdena_FTNT
Staff
Staff
In response to AlexandreP

Created on ‎11-04-2022 05:12 AM

Only cleartext passwords are supported with LDAP.  You can see this KB article for more details with example.

 

You would need to switch to RADIUS between your Fortigate and domain controllers and use MSCHAPv2 there.

HTH,
Boris

View solution in original post

3378
0 Kudos
4 REPLIES 4
bpozdena_FTNT
Staff
Staff

Created on ‎11-03-2022 12:57 AM

If you insist on using LDAP for L2TP/IPSec authentication, you will need to send the user password in cleartext. To do so, just enable PAP under your virtual adapter security properties in Windows. 

HTH,
Boris
3401
0 Kudos
AlexandreP
New Contributor III
In response to bpozdena_FTNT

Created on ‎11-03-2022 08:57 PM

Thanks, I'll try that avenue. Since the id/password will be sent after the Pass1 + Pass2, it will at least be incrypted on the Internet.

 

Is this a limitation from LDAP + Active Directory , can that be changed on the Windows Server?

3384
0 Kudos
bpozdena_FTNT
Staff
Staff
In response to AlexandreP

Created on ‎11-04-2022 05:12 AM

Only cleartext passwords are supported with LDAP.  You can see this KB article for more details with example.

 

You would need to switch to RADIUS between your Fortigate and domain controllers and use MSCHAPv2 there.

HTH,
Boris
3379
0 Kudos
AlexandreP
New Contributor III
In response to bpozdena_FTNT

Created on ‎11-06-2022 02:18 PM

Thanks, I have combine that with this Technical document:

Configuring FortiGate and Microsoft NPS (Radius with AD authentication)

And now it is working great.

3359
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.