- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- XAUTH Authentication Failed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
XAUTH Authentication Failed
Hi,
I've created an L2TP/IPsec VPN connection for Remote Users. Authentication is provided by LDAP.
Unfortunately during P1 negotiations I get the error returned on the Firewall 'XAUTH Authentication Failed'. This is also reflected on the clients machine with the error 'Wrong Credentials' being displayed on Forticlient.
I attempted to create a local user with local firewall authentication but I get the same error message.
If anyone has any ideas on what this could be, I would be grateful. It's driving me nuts.
Kind regards
Michael
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A snippet of what you have configured for either LDAP or local-user would be helpful.
For the former you have a few diag test commands that you can explore for check user/password
e.g
FGT100DNYCNYNY4 (root) $ diag test authserver ldap "MYLDAPSERV" ken.felix MYPASSWORDHERE authenticate 'ken.felix' against 'MYLDAPSERV' succeeded! ( output is redacted )
using this approach validate the
1: search binding
2: username
3: password
4: communication path
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken,
We're running 2 x 100D in HA. Both are running a variant of 5.2.
I've created a LDAP connection to a primary DC. I'm able to test the connection to the DC via the GUI. The test runs successfully.
I'm able to query to CN and pull the user information from the CN.
The LDAP Server is titled Primary_LDAP.
I've then created a new user account from 'Users'. I've queried Primary_LDAP and selected the required user from the CN.
I created a User Group called LDAP_User_Group and put the user into this group and added Primary_LDAP as the remote server.
In the VPN XAUTH setup. I have seleted Primary_LDAP to authenticate. I've also added the LDAP_User_Group to the source of the VPN policy.
I ran your test and it failed to authenticate the LDAP user. Local Firewall users also do not work with the VPN connection.
Any ideas greatly appreciated.
Kind regards
Michael
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've managed to fix the Authentication issue. Replaced cn with sAMAccountName in the LDAP setup.
Just looking at P2 errors now.
The joy.
Cheers
Michael
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The VPN is all working.
I don't suppose you know if there is a way to get the standard Windows VPN client to work with the Fortigate? Forticlient works a treat but I would ideally like to be able to use the Windows Client.
Cheers
Michael
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For ipsec/L2TP windows clients will work. This is older blog post of my mine but the concept is the same across all FortiOS versions
http://socpuppet.blogspot.com/2013/02/l2tp-setup-fortigate-200b-mr3p12.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the link Ken. Much appreciated.
I've not had much look with the Windows VPN Client setup. I've tried all sorts of variations of encryption/authentication.
I only have limited access to the Firewall so I cannot perform any debugs and the VPN logs tell me nothing. At an educated guess, I would say there is a mismatch in P1 proposals or it's just getting to the stage of authenticating the user but does not know what to do.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On windows and even macosx or mobile device, it's all in proposal and algo/ciphers. If in doubt allow all and then filter off the proposals after finding what the client actually uses for LT2P/IPSEC.
I will draft a new post as a update and with newier windows versions.
;)
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ken.
If you do manage to stumble across any encryption/authentication details for the standard Windows 10 VPN client whilst completing your draft - please give me a shout :)
Cheers
Michael
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Michael,
in the L2TP/IPSec there should be user group and auth in L2TP.
IPsec/phase2 should be in transport ... "set encapsulation transport-mode".
And combo with LDAP reminds me that PPTP/L2TP protocols do support PAP auth protocol only, no CHAP by design.
Not sure if it's still in there, but FortiOS CLI guide had clear statement ...
--- cit --- "LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Packet Authentication Protocol) is supported and CHAP (Challenge Handshake Authentication Protocol) is not. --- cit --- MS Windows uses MSCHAP or MSCHAPv2 by default ! Android 2.3.5 and above uses MSCHAP protocol. AUTHENTICATION TEST RESULTS: - local user - OK - LDAP - not working (as expected and documented) - Radius - OK MS Windows and how to change host authentication method - step 11 shows where to change auth method: http://kb.cyberoam.com/default.asp?id=1941&Lang=1&SID=#MSWindowsXPConfiguration
If you do not have to use L2TP, then I'd strongly recommed to use IPSec only.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Related Posts
- EMS cloud: Registration attempt by Endpoint... 744 Views
- Unable to authenticate radius users 623 Views
- FortiClient VPN - Error 6005 10182 Views
- MFA for SSL VPN - Cloud... 200 Views
- Ipsec connection in linux mint with... 1526 Views
Labels
-
FortiGate
6,560 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
266 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.