Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
michaeladriannewton
New Contributor

XAUTH Authentication Failed

Hi,

 

I've created an L2TP/IPsec VPN connection for Remote Users. Authentication is provided by LDAP.

 

Unfortunately during P1 negotiations I get the error returned on the Firewall 'XAUTH Authentication Failed'. This is also reflected on the clients machine with the error 'Wrong Credentials' being displayed on Forticlient.

 

I attempted to create a local user with local firewall authentication but I get the same error message.

 

If anyone has any ideas on what this could be, I would be grateful. It's driving me nuts.

 

Kind regards

 

Michael

10 REPLIES 10
emnoc
Esteemed Contributor III

A snippet of what you have configured for either  LDAP or local-user would be helpful.

 

For the former you have a few diag test commands that you can explore for check user/password

 

e.g

 

FGT100DNYCNYNY4 (root) $ diag test authserver  ldap "MYLDAPSERV" ken.felix MYPASSWORDHERE authenticate 'ken.felix' against 'MYLDAPSERV' succeeded!  ( output is  redacted )

 

using this approach validate the

 

1: search binding

2: username

3: password

4: communication path

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
michaeladriannewton

Hi Ken,

 

We're running 2 x 100D in HA. Both are running a variant of 5.2.

 

I've created a LDAP connection to a primary DC. I'm able to test the connection to the DC via the GUI. The test runs successfully.

 

I'm able to query to CN and pull the user information from the CN.

 

The LDAP Server is titled Primary_LDAP.

 

I've then created a new user account from 'Users'. I've queried Primary_LDAP and selected the required user from the CN.

 

I created a User Group called LDAP_User_Group and put the user into this group and added Primary_LDAP as the remote server.

 

In the VPN XAUTH setup. I have seleted Primary_LDAP to authenticate. I've also added the LDAP_User_Group to the source of the VPN policy.

 

I ran your test and it failed to authenticate the LDAP user. Local Firewall users also do not work with the VPN connection.

 

Any ideas greatly appreciated.

 

Kind regards

 

Michael

michaeladriannewton

Hi,

 

I've managed to fix the Authentication issue. Replaced cn with sAMAccountName in the LDAP setup.

 

Just looking at P2 errors now.

 

The joy.

 

Cheers

 

Michael

michaeladriannewton

Hi,

 

The VPN is all working.

 

I don't suppose you know if there is a way to get the standard Windows VPN client to work with the Fortigate? Forticlient works a treat but I would ideally like to be able to use the Windows Client.

 

Cheers

 

Michael

emnoc
Esteemed Contributor III

For ipsec/L2TP windows clients will work. This is older blog post of my mine but the concept is the same across all FortiOS versions

 

http://socpuppet.blogspot.com/2013/02/l2tp-setup-fortigate-200b-mr3p12.html

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
michaeladriannewton

Thanks for the link Ken. Much appreciated.

 

I've not had much look with the Windows VPN Client setup. I've tried all sorts of variations of encryption/authentication.

 

I only have limited access to the Firewall so I cannot perform any debugs and the VPN logs tell me nothing. At an educated guess, I would say there is a mismatch in P1 proposals or it's just getting to the stage of authenticating the user but does not know what to do.

 

Thanks

emnoc
Esteemed Contributor III

On windows and even macosx or mobile device, it's all in proposal and algo/ciphers. If in doubt allow all and then filter off the proposals after finding what the client actually uses for LT2P/IPSEC.

 

I will draft a  new post as a update and with newier windows versions.

 

;)

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
michaeladriannewton

Thanks Ken.

 

If you do manage to stumble across any encryption/authentication details for the standard Windows 10 VPN client whilst completing your draft - please give me a shout :)

 

Cheers

 

Michael

xsilver_FTNT
Staff
Staff

Hi Michael,

 

in the L2TP/IPSec there should be user group and auth in L2TP.

IPsec/phase2 should be in transport ... "set encapsulation transport-mode".

And combo with LDAP reminds me that PPTP/L2TP protocols do support PAP auth protocol only, no CHAP by design.

Not sure if it's still in there, but FortiOS CLI guide had clear statement ...

 

--- cit --- "LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Packet Authentication Protocol) is supported and CHAP (Challenge Handshake Authentication Protocol) is not. --- cit --- MS Windows uses MSCHAP or MSCHAPv2 by default ! Android 2.3.5 and above uses MSCHAP protocol. AUTHENTICATION TEST RESULTS: - local user - OK - LDAP - not working (as expected and documented) - Radius - OK MS Windows and how to change host authentication method - step 11 shows where to change auth method: http://kb.cyberoam.com/default.asp?id=1941&Lang=1&SID=#MSWindowsXPConfiguration

 

 

If you do not have to use L2TP, then I'd strongly recommed to use IPSec only.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors