Support Forum
AlexandreP
New Contributor III

Using LDAP auth with IPSec VPN, Windows Native, 2022 version not working - hints?

FortiGate 200F, firmware version 7.0.8, I need some hints.

1- So I configure an LDAP server on my Fortinet, used the "test" button with a username and password, and it's working.

[Image AlexandreP_0-1667423268302.png (Edit LDAP Server): that "test user credentials" button is working.]

2- I configure a group (GUI: User & Authentication - User Groups), named GRVPNLDAP, pointing to an LDAP group on Active Directory.

3- I then configure a remote VPN with GRVPNLDAP to authenticate, with the IPSec Wizard: remote - native - Windows Native.

[Image AlexandreP_2-1667424428151.png (VPN Creation Wizard): we use this wizard to create the new remote VPN.]

4- I convert the new R100 IPSec tunnel, so I can use a secondary IP address on the WAN interface.

5- When I test the VPN, in the Event VPN logs, I see: Pass1 ok, Pass2 ok, then the connection closes.

6- I test/configure another remote VPN with the same settings, except with a local user, and it works.

7- I test/configure a login for the Fortinet GUI that authenticates with GRVPNLDAP, and it works.

What's not working here? Can someone give me some hints?

I will test this again next weekend (November 5 and 6, 2022) and come back with my findings.

Thanks

4 REPLIES
bpozdena_FTNT

If you insist on using LDAP for L2TP/IPSec authentication, you will need to send the user password in cleartext. To do so, just enable PAP under your virtual adapter security properties in Windows. 

HTH,
Boris
AlexandreP

Thanks, I'll try that avenue. Since the id/password will be sent after the Pass1 + Pass2, it will at least be encrypted on the Internet.

 

Is this a limitation of LDAP + Active Directory? Can that be changed on the Windows Server?

bpozdena_FTNT

Only cleartext passwords are supported with LDAP. You can see this KB article for more details with example.

 

You would need to switch to RADIUS between your Fortigate and domain controllers and use MSCHAPv2 there.

HTH,
Boris
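The distinction Boris draws in his two replies (an LDAP bind needs the cleartext password, hence "enable PAP"; a challenge/response method such as MSCHAPv2 needs a verifier that holds the password material, hence RADIUS/NPS joined to the domain) can be shown with a small simulation. This is an added example and not code from the thread, from FortiOS or from Windows. The directory, username and password are constructed, and it uses plain RFC 1994 CHAP (MD5) in place of MS-CHAPv2 because it has the same relevant property with far less machinery: the password never crosses the wire, so the verifier must be able to recompute the response from the stored secret.

```python
"""Why an LDAP-bind backend can verify PAP but not a challenge/response login.

Constructed toy example; the credential store, user and password are made up.
"""
import hashlib
import hmac
import os

# Constructed credential store standing in for Active Directory. An LDAP server
# exposes it only through a bind ("does this username/password pair work?") and
# never returns the secret. A RADIUS server joined to the domain (NPS in the
# thread) can check a challenge/response because AD verifies it against the
# account's stored password material on the server's behalf.
_DIRECTORY = {"alice": "correct horse battery staple"}


def ldap_simple_bind(username: str, password: str) -> bool:
    """Simulated LDAP simple bind: true only when the cleartext password matches."""
    return _DIRECTORY.get(username) == password


def pap_authenticate(username: str, password: str) -> bool:
    """PAP: the VPN client hands over the cleartext password (inside the IPsec
    tunnel), so the gateway can simply forward it to an LDAP bind."""
    return ldap_simple_bind(username, password)


def chap_response(challenge: bytes, password: str, ident: int = 1) -> bytes:
    """Client side of an RFC 1994 CHAP exchange: MD5 over (id, secret, challenge).
    MS-CHAPv2 is more involved (NT hash, DES) but shares the property that only
    a proof derived from the password is sent, never the password itself."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify_with_password(challenge: bytes, response: bytes,
                              stored_password: str, ident: int = 1) -> bool:
    """What a RADIUS/NPS-style verifier can do: recompute the expected response
    because it (via the domain it is joined to) has the password material."""
    expected = chap_response(challenge, stored_password, ident)
    return hmac.compare_digest(expected, response)


def chap_verify_with_ldap_bind(username: str, challenge: bytes,
                               response: bytes) -> bool:
    """What a gateway limited to an LDAP bind can do with a challenge/response:
    nothing useful. The response is not a password, so binding with it fails,
    and the directory never hands back the real password to recompute it."""
    return ldap_simple_bind(username, response.hex())


def demo() -> dict:
    """Run all three paths for the constructed user and report the outcomes."""
    challenge = os.urandom(16)
    resp = chap_response(challenge, _DIRECTORY["alice"])
    return {
        "pap_via_ldap": pap_authenticate("alice", _DIRECTORY["alice"]),
        "chap_via_radius_style_verifier":
            chap_verify_with_password(challenge, resp, _DIRECTORY["alice"]),
        "chap_via_ldap_bind":
            chap_verify_with_ldap_bind("alice", challenge, resp),
    }


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path}: {'accepted' if ok else 'rejected'}")
```

Running it shows PAP succeeding through the bind oracle, the challenge/response succeeding only through the verifier that holds the password, and the bind-only path rejecting even a correct response. One practical caveat follows from the PAP path: the IPsec tunnel protects the password between the Windows client and the FortiGate, but the FortiGate then places it in the LDAP bind to the domain controller, so that leg should be protected with LDAPS (or STARTTLS) rather than plain LDAP on port 389.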
AlexandreP

Thanks, I have combined that with this technical document:

Configuring FortiGate and Microsoft NPS (Radius with AD authentication)

And now it is working great.
