Description
This article describes the case of a user connecting through a dial-up IPsec VPN tunnel that has 'set authusrgrp' configured under 'config vpn ipsec phase1-interface'. In that case the group configured on the tunnel takes precedence over the 'set auth-type' configured under 'config user radius', and the FortiGate tries all authentication methods rather than only the one configured for the RADIUS server.
Scope
FortiGate.
VPN configuration.
config vpn ipsec phase1-interface
edit "dialup"
set type dynamic
set interface "wan1"
set mode aggressive
set peertype one
set mode-cfg enable
set proposal aes256-sha256
set dpd on-idle
set xauthtype auto
set authusrgrp "ipsec-group"
set peerid "FORTI"
set net-device enable
set ipv4-start-ip 10.10.10.10
set ipv4-end-ip 10.10.10.20
set save-password enable
set psksecret ENC xxxx
set dpd-retryinterval 60
next
end
Radius Configuration.
config user radius
edit "win-rad"
set server "192.168.55.4"
set secret ENC xxx
set auth-type ms_chap_v2
next
end
Based on the configuration above, one would expect authentication to follow only the method configured under 'config user radius', namely 'set auth-type ms_chap_v2'.
However, because 'set authusrgrp' is configured under 'config vpn ipsec phase1-interface', every method is tried.
Debugging.
When a wrong password is used, the FortiGate tries every method (MS-CHAPv2, then CHAP, then PAP) instead of stopping after the ms_chap_v2 attempt configured for the RADIUS server, as the fnbamd debug output below shows:
diag debug console timestamp enable
diag debug application fnbamd -1
diag debug enable
ike 0:dialup_0:50: received XAUTH_USER_NAME 'test-radius' length 11
ike 0:dialup_0:50: received XAUTH_USER_PASSWORD length 8
ike 0:dialup_0: XAUTH user "test-radius"
ike 0:dialup: auth group ipsec-group
[1909] handle_req-Rcvd auth req 695453822 for test-radius in ipsec-group opt=00000000 prot=5
[466] __compose_group_list_from_req-Group 'ipsec-group', type 1
[617] fnbamd_pop3_start-test-radius
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'win-rad' for usergroup 'ipsec-group' (3)
[343] fnbamd_create_radius_socket-Opened radius socket 15
[343] fnbamd_create_radius_socket-Opened radius socket 16
[1391] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-192.168.55.4->192.168.55.4
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=43 len=194 user="test-radius" using MS-CHAPv2
[320] radius_server_auth-Timer of rad 'win-rad' is added
[750] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1015] __fnbamd_cfg_get_ldap_list_by_group-
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[488] ldap_start-Didn't find ldap servers
ike 0:dialup_0: XAUTH 695453822 pending
[633] create_auth_session-Total 1 server(s) to try
[1356] fnbamd_auth_handle_radius_result-Timer of rad 'win-rad' is deleted
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[416] extract_chap_error-CHAP err: E=691 R=0 V=3
[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'win-rad' 192.168.55.4(1) is 1
[1391] fnbamd_radius_auth_send-Compose RADIUS request
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=44 len=131 user="test-radius" using CHAP
[320] radius_server_auth-Timer of rad 'win-rad' is added
[2613] handle_auth_rsp-Continue pending for req 695453822
[1356] fnbamd_auth_handle_radius_result-Timer of rad 'win-rad' is deleted
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'win-rad' 192.168.55.4(1) is 1
[1391] fnbamd_radius_auth_send-Compose RADIUS request
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=45 len=130 user="test-radius" using PAP
[320] radius_server_auth-Timer of rad 'win-rad' is added
[2613] handle_auth_rsp-Continue pending for req 695453822
[1356] fnbamd_auth_handle_radius_result-Timer of rad 'win-rad' is deleted
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'win-rad' 192.168.55.4(1) is 1
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 695453822, len=3108
ike 0:dialup_0:50: XAUTH 695453822 result 1
ike 0:dialup_0: XAUTH failed for user "test-radius", retry(2).
Preferred Solution
Unset 'authusrgrp' on the IPsec tunnel and use the 'Inherit from Policy' option, as described in the related KB article listed at the end of this page.
Note that the user group must then be configured in the firewall policy instead; see that article for details.
From GUI:
From CLI:
config vpn ipsec phase1-interface
edit "dialup"
unset authusrgrp
next
end
config firewall policy
edit 4
set name "vpn_policy"
set srcintf "Test_vpn"
set dstintf "port2"
set action accept
set srcaddr "dialup_range"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
set groups "vpn-group"
next
end
The debug output now confirms that the FortiGate uses only the auth-type configured in the RADIUS server settings (a single MS-CHAPv2 request, with no CHAP or PAP fallback):
ike 0:dialup_0:49: received XAUTH_USER_NAME 'test-radius' length 11
ike 0:dialup_0:49: received XAUTH_USER_PASSWORD length 9
ike 0:dialup_0: XAUTH user "test-radius"
ike 0:dialup: auth candidate group 'ipsec-group' 3
ike 0:dialup_0: XAUTH 695453818 pending
[1909] handle_req-Rcvd auth req 695453818 for test-radius in opt=00000000 prot=11
[463] __compose_group_list_from_req-Group 3, type 3
[617] fnbamd_pop3_start-test-radius
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'win-rad' for usergroup 'ipsec-group' (3)
[343] fnbamd_create_radius_socket-Opened radius socket 15
[343] fnbamd_create_radius_socket-Opened radius socket 16
[1391] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-192.168.55.4->192.168.55.4
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=41 len=194 user="test-radius" using MS-CHAPv2
[320] radius_server_auth-Timer of rad 'win-rad' is added
[750] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1015] __fnbamd_cfg_get_ldap_list_by_group-
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[488] ldap_start-Didn't find ldap servers
[633] create_auth_session-Total 1 server(s) to try
[1356] fnbamd_auth_handle_radius_result-Timer of rad 'win-rad' is deleted
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[416] extract_chap_error-CHAP err: E=691 R=0 V=3
[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'win-rad' 192.168.55.4(1) is 1
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 695453818, len=3108
ike 0:dialup_0:49: XAUTH 695453818 result 1
ike 0:dialup_0: XAUTH failed for user "test-radius", retry(2).
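To check which of the two behaviours a FortiGate is showing, the following Python script (an added example; it is not part of this article and not FortiOS code) parses saved fnbamd debug output such as the two captures above, groups the RADIUS requests by fnbamd auth request id, and flags any request for which more than one authentication method was tried. The sample lines embedded in the script are condensed from this article's own captures and are labelled as constructed; the regular expressions assume the fnbamd line formats shown here, and RADIUS response code 3 is interpreted as Access-Reject (RFC 2865).

```python
import re
import sys
from collections import OrderedDict

# Patterns for the fnbamd debug lines the check needs. The bracketed numbers
# at the start of each fnbamd line are source line numbers and are ignored.
# Line formats follow the captures in this article.
REQ_RE = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+)")
SEND_RE = re.compile(
    r"__fnbamd_rad_send-Sent radius req to server '([^']+)'.*?id=(\d+).*?using (\S+)"
)
RESP_RE = re.compile(r"RADIUS resp code (\d+)")  # 3 = Access-Reject (RFC 2865)
RESULT_RE = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) .*?for req (\d+)")

# Constructed sample, condensed from the first capture above: tunnel with
# 'set authusrgrp' and 'set xauthtype auto' (three RADIUS requests per password).
SAMPLE_WITH_AUTHUSRGRP = """\
[1909] handle_req-Rcvd auth req 695453822 for test-radius in ipsec-group opt=00000000 prot=5
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=43 len=194 user="test-radius" using MS-CHAPv2
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=44 len=131 user="test-radius" using CHAP
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=45 len=130 user="test-radius" using PAP
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 695453822, len=3108
""".splitlines()

# Constructed sample, condensed from the second capture above: same user after
# switching to 'Inherit from Policy' (one RADIUS request, configured auth-type only).
SAMPLE_INHERIT_FROM_POLICY = """\
[1909] handle_req-Rcvd auth req 695453818 for test-radius in opt=00000000 prot=11
[1329] __fnbamd_rad_send-Sent radius req to server 'win-rad': fd=15, IP=192.168.55.4(192.168.55.4:1812) code=1 id=41 len=194 user="test-radius" using MS-CHAPv2
[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 695453818, len=3108
""".splitlines()


def parse_fnbamd(lines):
    """Group RADIUS attempts by fnbamd auth request id.

    Returns an OrderedDict: req_id -> {"user", "methods", "responses", "result"}.
    In these captures fnbamd handles one XAUTH request at a time, so RADIUS
    send/response lines are attributed to the most recently opened request
    that has not yet received its final result.
    """
    requests = OrderedDict()
    current = None
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            current = m.group(1)
            requests[current] = {"user": m.group(2), "methods": [], "responses": [], "result": None}
            continue
        if current is None:
            continue
        m = SEND_RE.search(line)
        if m:
            requests[current]["methods"].append(m.group(3))
            continue
        m = RESP_RE.search(line)
        if m:
            requests[current]["responses"].append(int(m.group(1)))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(2) == current:
            requests[current]["result"] = int(m.group(1))
            current = None
    return requests


def method_fallback(req):
    """True when fnbamd tried more than one RADIUS method for a single password,
    which is the symptom this article describes."""
    return len(set(req["methods"])) > 1


def report(lines):
    """One summary line per auth request, with a verdict on method fallback."""
    out = []
    for req_id, req in parse_fnbamd(lines).items():
        verdict = "FALLBACK ACROSS METHODS" if method_fallback(req) else "single method"
        out.append(
            f"req {req_id} user={req['user']} methods={'>'.join(req['methods'])} "
            f"radius_codes={req['responses']} result={req['result']} -> {verdict}"
        )
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # A file of saved 'diag debug application fnbamd -1' output.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            samples = [(sys.argv[1], fh.read().splitlines())]
    else:
        samples = [("authusrgrp on tunnel", SAMPLE_WITH_AUTHUSRGRP),
                   ("inherit from policy", SAMPLE_INHERIT_FROM_POLICY)]
    for name, sample in samples:
        print(f"== {name} ==")
        for line in report(sample):
            print(line)
```

Run it with no arguments to check the embedded samples, or pass a file containing saved 'diag debug application fnbamd -1' output. A request whose method list reads MS-CHAPv2>CHAP>PAP is the tunnel-group behaviour; a single MS-CHAPv2 entry is the expected behaviour after either solution. Because the fallback ends with a PAP request, each wrong-password attempt in the first case also sends the password to the RADIUS server in the User-Password attribute, which is only obfuscated with the shared secret rather than hashed; that is an additional reason to apply one of the two solutions on this page.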
Alternative Solution:
Keep the group configured under 'config vpn ipsec phase1-interface' and select the XAUTH protocol manually, either PAP or CHAP, instead of leaving 'xauthtype' set to auto.
config vpn ipsec phase1-interface
edit "dialup"
set type dynamic
set interface "wan1"
set mode aggressive
set peertype one
set mode-cfg enable
set proposal aes256-sha256
set dpd on-idle
set xauthtype pap <----- CHAP can also be chosen here.
set authusrgrp "ipsec-group"
set peerid "FORTI"
set net-device enable
set ipv4-start-ip 10.10.10.10
set ipv4-end-ip 10.10.10.20
set save-password enable
set psksecret ENC xxxx
set dpd-retryinterval 60
next
end
Related article:
Technical Tip: Using group based firewall policy for Dial-Up VPN to restrict network access
Copyright 2025 Fortinet, Inc. All Rights Reserved.