Hot!LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate

Author
secret104278
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/09/21 01:17:40
  • Status: offline
2019/09/21 01:26:04 (permalink) 5.6
0

LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate

Hello all,
Is LDAP only work with Cisco IPsec but L2TP/IPsec?
I try to set up VPN for remote access with LDAP with is hosted on Synology NAS, It works well with Cisco IPsec, but when I switch to L2TP/IPsec, only RADIUS work.
 
I want to use L2TP/IPsec because I want my client will able to connect from WINDOW natively.
Besides, I'm not considering to use SSL VPN because I have some embedded devices need to connect VPN, and SSL VPN doesn't have a standard.
 
Is this relate to PAP, MSCHAP or something else. What is different between Cisco IPsec and L2TP/IPsec under Fortigate?
#1
emnoc
Expert Member
  • Total Posts : 5301
  • Scores: 347
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate 2019/09/21 08:52:58 (permalink)
0
What do you mean by cisco/ipsec? Are you using the cisco ipsec-client ? As far as LDAP , LDAP is just that LDAP. You should be able to  authenticate ldap requests. What I would do is to test the . ldap auth via the cli  and confirm 
 
e.g
      diagnose test authserver ldap <server_name> <username> <password>
 
Define the ldapserver and then test using a test account
 
Ken Felix
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
secret104278
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/09/21 01:17:40
  • Status: offline
Re: LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate 2019/09/21 09:04:53 (permalink)
0
"Cisco IPsec" means the fortigate ipsec tunnel template "iOS Native", 
"L2TP/IPsec" means the fortigate ipsec tunnel template "Windows Native".
 
When "L2TP/IPsec" + RADIUS, vpn will work on iOS, macOS, Window, Android,
When "L2TP/IPsec" + LDAP, vpn doesn't work at all
When "Cisco IPsec" + LDAP, vpn will work on iOS, macOS
 
There is a system error log when "L2TP/IPsec" + LDAP is that Fortigate failed to communicate with LDAP by MSCHAPv2,
I heard somebody say that LDAP required clear-text password and only accept PAP, if this is true, how can I configure Fortigate to use PAP with LDAP. Besides, why under "Cisco IPsec" fortigate can communicate with LDAP well, what protocol does it use?
#3
emnoc
Expert Member
  • Total Posts : 5301
  • Scores: 347
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate 2019/09/21 10:12:06 (permalink)
0
More confusion,  but LDAP has nothing todo with PAP MSchap MSv2CHAP etc.... Sounds like your using RADIUS for the vpn and the back end are LDAP for the authenticator?
 
What is your RADIUS server ? Do you have or have allowed support for PAP within the RADIUS client profile?
 
If the vpn is using radius for authentication, what is the auto-type set as
 
cli cfg for the RADIUS server 
# a typical cfg would look like this
config user radius
  end WindowsNPS
   set auth-type auto|pap|chap|ms_chap
end
 
Ken Felix
 
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#4
secret104278
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/09/21 01:17:40
  • Status: offline
Re: LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate 2019/09/21 10:26:56 (permalink)
0
My RADIUS is provided by synology NAS as same as the LDAP server.
L2TP/IPsec with RADIUS works good, the problems is L2TP/IPsec directly with LDAP
 
I config LDAP server form Web GUI "User & Device" -> "LDAP servers", and create a "User Groups" with type "Firewall", and then add the ldap server to the remote server of user group.
Then I create a IPsec tunnel with IPsec Wizard with "Windows Native"(l2tp/ipsec) template, and chose the user group i just create.
 
After the vpn created, I try to connect from my device(iOS, macOS, android), but the connection failed to established. At the same time, there is an error log in Fortigate System Event:
"User '******' is trying to connect using l2tp with authentication protocol MSCHAP_V2, failed"
 
However, if I create a IPsec tunnel with IPsec Wizard with "iOS Native"(cisco ipsec) template, and chose that user group, the connection can success.
 
config vpn ipsec phase2-interface
    edit "vpn"
        set phase1name "vpn"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "VPN: vpn (Created by VPN wizard)"
        set keylifeseconds 3600
    next
end

config vpn ipsec phase1-interface
    edit "vpn"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set comments "VPN: vpn (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-windows
        set psksecret ENC PwAIdqYwH1hYEhfE7zlsHAc+Q+eNeNwNLEd2Ed6crj5B37hYPvXA55JqlMbLlGWaRRfrtklLOBMIcKj7OlzK3tmsVv9PrdqbJG/muTuYOd2yAMGD6mITZoXMLj27HSEKWXBoce8NJhydws39ZhG8xmidciMYityZcQ5cEZMtUYju0nE9Gf2laB/zaeJZGtLV5zciag==
    next
end

config vpn l2tp
    set eip 10.1.5.123
    set sip 10.1.5.1
    set status enable
    set usrgrp "ldap_group"
end

config user group
    edit "ldap_group"
        set member "nas"
        config match
            edit 1
                set server-name "nas"
                set group-name "cn=vpn,cn=groups,dc=****,dc=****,dc=****"
            next
        end
    next
end

post edited by secret104278 - 2019/09/21 10:28:41
#5
emnoc
Expert Member
  • Total Posts : 5301
  • Scores: 347
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate 2019/09/21 11:48:47 (permalink)
0
And "nas" is it a "ldap-server"  or "radius" ? Did you do the test diag cmd in the example sent earlier?
 
Ken Felix

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#6
secret104278
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/09/21 01:17:40
  • Status: offline
Re: LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate 2019/09/21 11:54:06 (permalink)
0
The "NAS" is the LDAP server as well as RADIUS server. It is a Network Attached Storage with special OS and a lot apps.

I have test that diag command and it works well
#7
xsilver
Expert Member
  • Total Posts : 444
  • Scores: 99
  • Reward points: 0
  • Joined: 2015/02/02 03:22:58
  • Location: EMEA
  • Status: offline
Re: LDAP only work with Cisco IPsec but L2TP/IPsec on Fortigate 2019/09/23 01:08:16 (permalink)
0
Hi,
 
Due to nature of the PPP protocol, we do support LDAP authentication on PPTP/L2TP only when PAP authentication protocol is used.
The LDAP based authentication for handshake protocols as CHAP/MSCHAP/MSCHAPv2 on PPP link types is not possible due to technology limitation.
As there is no plain text password available, FortiGate is unable to construct proper responses for handshake authentication types.
And authentication data provided by client do not contain password, so FortiGate has nothing to construct dialog towards LDAP as well.
 
According to my notes it was written in official documentation...
For example "FortiOS Handbook - Authentication" [ISBN 01-526-122870-20160309]
page 85 , chapter "Configuring authentication of L2TP VPN users/user groups"
http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf  (outdated)
--- cit ---
"LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication.
However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is
supported, while CHAP (Challenge Handshake Authentication Protocol) is not.
--- cit ---
 
Therefore if your PPTP client does not use PAP, then he will fail in authentication towards LDAP user group.
For example MS Windows or Android 2.3.5 clients uses MSCHAP/MSCHAPv2 as default protocol for credentials transfer.
I had link to page describing how to set PAP in L2TP native MSFT supplicant, but it's outdated.
If possible, I would go for full IPSec and not to L2TP, which I do not consider secure anymore.
 

Kind Regards,
Tomas
#8
Jump to:
© 2019 APG vNext Commercial Version 5.5