Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
student1363
New Contributor

VPN Authentication with Active Directory

Hi,

 

I have created some groups in "User Groups" and used "remote groups" in active directory to map a group to them.

Now, when I create VPN (L2TP or PPTP) I can not login with a active directory user, but it works with local users. (I don't use FSSO)

 

Thanks

4 REPLIES 4
robdog
New Contributor II

Do this to see where the auth is failing

 

diagnose debug enable

diagnose debug application fnbamd 255

 

Then check the authentication

 

diagnose test authserver ldap LDAP-server username password

 

to stop debug

 

diagnose debug application fnbamd 0

diagnose debug reset

diagnose debug disable

 

If you are able to auth against LDAP successfully then debug the vpn auth process

 

diagnose debug reset diagnose debug app ike -1 diagnose debug app fnb -1 diagnose debug enable - test a login, use these commands to disable and reset the debug: diagnose debug disable diagnose debug reset

robdog
New Contributor II

Show me the configuration please and syntax of the auth command you entered?

student1363
New Contributor

Thanks for your handy commands. Here is the OUTPUT and interestingly it seems that FG doesn't use LDAP as authentication server!

[1943] handle_req-Rcvd auth req 67546375 for EeSadegh in Admins opt=00000000 prot=4 [345] __compose_group_list_from_req-Group 'Admins' [608] fnbamd_pop3_start-EeSadegh [304] radius_start-Didn't find radius servers (0) [682] auth_tac_plus_start-Didn't find tac_plus servers (0) [452] create_auth_session-Error starting authentication [1962] handle_req-Error creating session [180] fnbamd_comm_send_result-Sending result 3 (error 0) for req 67546375

I did the configuration base on fortinet guide, what did I miss?

student1363
New Contributor

I used wizard for configuration (Custom).

first I created Group "Admins" as the picture I have attached. Next, I entered bellow commands:

Config vpn L2TP set sip 192.168.10.1 set eip 192.168.10.101 set status enable set usrgrp L2TP_users

end

Then, through wizard I set up a IPSec Tunnel.In Tunnel configuration "XAuth" is disabled.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors