Windows-VPN (IKEv2) Authentication against Server 2019 Domain Controller
Hello everyone, I would like to use the integrated Windows 10 IKEv2 tunnel for a connection to a Fortigate (100E, v6.4.4) with authentication against my Windows Active Directory (Server 2019). With a local user on the Fortigate my tunnel is running fine. The authentication against my Windows Server does not work. Here is my LDAP config (for testing I have tried my domain administrator without LDAPS):
config user ldap
edit "SRVEX-FS - RAS allowed"
set server "192.168.10.12"
set cnid "sAMAccountName"
set dn "dc=example,dc=local"
set type regular
set username "example\\Administrator"
set password ENC xyz
set search-type recursive
next
end
A test on the Fortigate is successful:
diagnose test authserver ldap "SRVEX-FS - RAS allowed" Sebastian xxccff
authenticate 'Sebastian' against 'SRVEX-FS - RAS allowed' succeeded!
Group membership(s) - CN=Domänen-Benutzer,CN=Users,DC=example,DC=local
CN=Benutzer,CN=Builtin,DC=example,DC=local
Here is my user group definition:
config user group
edit "SRVEX-FS"
set member "SRVEX-FS - RAS allowed"
config match
edit 1
set server-name "SRVEX-FS - RAS allowed"
set group-name "CN=Domänen-Benutzer,CN=Users,DC=example,DC=local"
next
end
next
end
and here my phase1 vpn definition:
config vpn ipsec phase1-interface
edit "WIN_IKEv2"
set type dynamic
set interface "wan1"
set ike-version 2
set authmethod signature
set peertype any
set net-device enable
set mode-cfg enable
set ipv4-dns-server1 192.168.10.12
set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
set comments "Windows native VPN client - IKEv2 and EAP user auth"
set dhgrp 15 14 2
set eap enable
set eap-identity send-request
set authusrgrp "SRVEX-FS"
set certificate "vpn.example.org"
set ipv4-start-ip 192.168.249.20
set ipv4-end-ip 192.168.249.254
set ipv4-netmask 255.255.255.0
next
end
As already mentioned, when I use a local Fortigate group with local users for "authusrgrp", the tunnel comes up. I have done some further investigation with Wireshark.
When I run the (successful) "diagnose test authserver ldap", the LDAP search request to the server contains
- a filter (attributeDesc: sAMAccountName, assertionValue: Sebastian) and
- an attribute (AttributeDescription: 1.1)
When I try to dial in (failing), the LDAP search request to the server contains
- a filter (attributeDesc: sAMAccountName, assertionValue: Sebastian) and
- attributes: AttributeDescription: ha1Password, userPassword, lmPassword, ntPassword, sambaLmPassword, memberOf
The ldap search result is empty.
Any ideas?
Thanks
Sebastian
Hello,
self-reply ;)
It seems the problem is that the passwords are not stored clear-text in the AD - but the firewall needs them in clear text for this authentication type.
Enabling storing the passwords in clear text is not an option (so I will check if RADIUS is an option for me).
Can anybody confirm this?
Sebastian
Yes, most of the time we use RADIUS and with PAP for dialup vpn access. Do you have a RADIUS or NPS environment set up in your company?
Ken Felix
PCNSE
NSE
StrongSwan
Hello,
I have just installed the NPS Server and got it working with IKEv2 and authentication against my Active Directory.
It would be interesting to know whether my understanding regarding LDAP is correct?
Sebastian
