IPsec tunnel failed to UP with FSSO policy (UP with radius policy)

Author: dabens
2020/09/29 01:22:51

Hi all,
I'm using a FortiClient solution in order to authenticate IPsec FSSO users.
FortiAuthenticator is my RADIUS and FSSO agent.
 
FAC and FortiGate are correctly configured, and I can see the list of connected FSSO users (on the FAC and FortiGate).
 
You will find attached some configuration screens:
 + FSSO policy: https://ibb.co/LNPnrPB
and FSSO users list on FortiGate: https://ibb.co/7S6kMD1
 
 
The output of the debug IKE command:
My IPsec tunnel is up with the RADIUS policy (Xauth OK):

ike 1: comes 10.80.80.20:500->10.X.X.4:500,ifindex=3
ike 1: IKEv1 exchange=Mode config id=6b2b33b0eac33219/d9f1d787cf68fd07:208cccb9 len=108
ike 1:FTclientIPsec_0:74: received XAUTH_USER_NAME 'ipsecuser1' length 10
ike 1:FTclientIPsec_0:74: received XAUTH_USER_PASSWORD length 9
ike 1:FTclientIPsec_0: XAUTH user "ipsecuser1"
ike 1:FTclientIPsec: auth candidate group 'IPsec_Users' 5
ike 1:FTclientIPsec_0: XAUTH 1997335795 pending
ike 1:FTclientIPsec_0:74: XAUTH 1997335795 result 0
ike 1:FTclientIPsec_0: user 'ipsecuser1' authenticated group 'IPsec_Users' 5
ike 1:FTclientIPsec_0:74: sent IKE msg (cfg_send): 10.X.X.4:500->10.80.80.20:500, len=92, id=6b2b33b0eac33219/d9f1d787cf68fd07:bba13cd1
ike 1: comes 10.80.80.20:500->10.X.X.4:500,ifindex=3....
ike 1: IKEv1 exchange=Mode config id=6b2b33b0eac33219/d9f1d787cf68fd07:bba13cd1 len=76

 
The same IPsec tunnel is still down with the FSSO policy (Xauth failed) => same user, same password, and the user appears in the FSSO users list:

ike 1: comes 10.80.80.20:500->10.X.X.4:500,ifindex=3....
ike 1: IKEv1 exchange=Mode config id=836c37915428449c/6778f3a86c7b51db:6471a439 len=108
ike 1:FTclientIPsec_0:75: received XAUTH_USER_NAME 'ipsecuser1' length 10
ike 1:FTclientIPsec_0:75: received XAUTH_USER_PASSWORD length 9
ike 1:FTclientIPsec_0: XAUTH user "ipsecuser1"
ike 1:FTclientIPsec_0: XAUTH failed for user "ipsecuser1", retry(2).
ike 1:FTclientIPsec_0:75: sending XAUTH request

 
 
Windows defender is disabled on Windows clients...
 
Is it possible to use FSSO with IPsec/SSL authentication?
 
Thank you for your suggestion.
 
 
post edited by dabens - 2020/09/30 02:01:40
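
Added example (not part of the original post): a small Python parser for the IKE debug lines quoted above. It summarises each XAUTH attempt and flags a failure logged without any preceding `auth candidate group` line, which is the visible difference between the two traces. The function name and dict keys are this example's own; the sample lines are copied from the post.

```python
import re

# Debug lines copied from the two traces in the post above.
RADIUS_TRACE = """\
ike 1:FTclientIPsec_0:74: received XAUTH_USER_NAME 'ipsecuser1' length 10
ike 1:FTclientIPsec_0:74: received XAUTH_USER_PASSWORD length 9
ike 1:FTclientIPsec_0: XAUTH user "ipsecuser1"
ike 1:FTclientIPsec: auth candidate group 'IPsec_Users' 5
ike 1:FTclientIPsec_0: XAUTH 1997335795 pending
ike 1:FTclientIPsec_0:74: XAUTH 1997335795 result 0
ike 1:FTclientIPsec_0: user 'ipsecuser1' authenticated group 'IPsec_Users' 5
"""
FSSO_TRACE = """\
ike 1:FTclientIPsec_0:75: received XAUTH_USER_NAME 'ipsecuser1' length 10
ike 1:FTclientIPsec_0:75: received XAUTH_USER_PASSWORD length 9
ike 1:FTclientIPsec_0: XAUTH user "ipsecuser1"
ike 1:FTclientIPsec_0: XAUTH failed for user "ipsecuser1", retry(2).
ike 1:FTclientIPsec_0:75: sending XAUTH request
"""

PATTERNS = [
    ("start", re.compile(r'XAUTH user "(?P<user>[^"]+)"')),
    ("candidate", re.compile(r"auth candidate group '(?P<group>[^']+)'")),
    ("ok", re.compile(r"user '(?P<user>[^']+)' authenticated group '(?P<group>[^']+)'")),
    ("failed", re.compile(r'XAUTH failed for user "(?P<user>[^"]+)", retry\((?P<retry>\d+)\)')),
]

def xauth_attempts(trace):
    """Return one dict per XAUTH attempt found in an IKE debug trace."""
    attempts, cur = [], None
    for line in trace.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if kind == "start":
                cur = {"user": m["user"], "candidates": [], "outcome": "incomplete"}
                attempts.append(cur)
            elif cur is not None and kind == "candidate":
                cur["candidates"].append(m["group"])
            elif cur is not None and kind == "ok":
                cur.update(outcome="authenticated", group=m["group"])
            elif cur is not None and kind == "failed":
                # Flag is True when no 'auth candidate group' line preceded the failure.
                cur.update(outcome="failed", retry=int(m["retry"]),
                           no_candidate_group=not cur["candidates"])
            break
    return attempts
```

Running `xauth_attempts` over a longer capture gives one record per attempt, so repeated failures for the same user with `no_candidate_group` set stand out from ordinary bad-password retries.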
