Hi
We are using Fortigate IPSEC Client VPN with Forticlient with PrivacyIdea+Freeradius and LDAP (UCS)
This works pretty fine with IKEv1
Now we tried to change the VPN to IKEv2 but it seems there is a problem with Forti.
It does not work as expected
Forti Error
ike 0:dial-dhcp-mun2: EAP failed for user "mtest"
ike 0:dial-dhcp-mun2: EAP response is empty
ike 0:dial-dhcp-mun2: connection expiring due to EAP failure
Radius Error
Wed Jun 5 15:10:26 2024 : Info: rlm_perl: privacyIDEA Result status is true!
Wed Jun 5 15:10:26 2024 : Info: rlm_perl: privacyIDEA access denied for mtest realm=‘vpn’
PI Error
[2024-06-05 15:10:26,067][25774][140054992402304][INFO][privacyidea.lib.user:260] user 'mtest' found in resolver 'ucs_fw-vpns'
[2024-06-05 15:10:26,067][25774][140054992402304][INFO][privacyidea.lib.user:262] userid resolved to 'dc897b5c-81cb-103d-8acb-fb3e04db8ef2'
[2024-06-05 15:10:26,124][25774][140054992402304][INFO][privacyidea.lib.user:430] User 'mtest' from realm 'vpn' tries to authenticate
[2024-06-05 15:10:26,128][25774][140054992402304][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:394] failed to check password for 'dc897b5c-81cb-103d-8acb-fb3e04db8ef2'/'uid=mtest,cn=users,ou=xxxxx': LDAPPasswordIsMandatoryError('password is mandatory in simple bind')
I have changed to the correct config on the Forti but it seems it uses a different protocol than IKEv1 to interact with the Radius and therefore the response is not correct:
set eap enable
set eap-identity send-request
set authusrgrp "radius_vpn"
I have no idea where to dig further; maybe someone has been successful with such a config.
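Added diagnostic example, not part of the original post: the LDAP warning above shows an empty password reaching the resolver, and one way to confirm where it got lost is to look at which attributes the RADIUS Access-Request actually carries (assumption: for IKEv2 EAP the credential travels in EAP-Message attributes per RFC 3579 instead of a User-Password attribute, which is what a PAP-style module reads). The packets below are constructed inline; the parser and classifier are hypothetical helper names.

```python
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 3579)
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              32: "NAS-Identifier", 79: "EAP-Message", 80: "Message-Authenticator"}


def parse_attributes(packet: bytes) -> list:
    """Return [(attribute name, raw value)] from a RADIUS packet.
    Header: Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:      # reject truncated/overlapping AVPs
            raise ValueError("malformed attribute")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def classify_auth_method(packet: bytes) -> str:
    """'PAP' if a User-Password is present, 'EAP' if only EAP-Message carries the credential."""
    names = {name for name, _ in parse_attributes(packet)}
    if "User-Password" in names:
        return "PAP"
    if "EAP-Message" in names:
        return "EAP"
    return "unknown"


def build_request(attrs) -> bytes:
    """Assemble a constructed Access-Request (code 1) with a zeroed authenticator for testing."""
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


# Constructed samples: an IKEv1/PAP-style request (User-Password is 16 bytes, RADIUS-obfuscated)
PAP_REQUEST = build_request([(1, b"mtest"), (2, bytes(16)), (32, b"fgt")])
# ... and an IKEv2/EAP-style request: EAP Response/Identity "mtest" inside EAP-Message, no User-Password
EAP_REQUEST = build_request([(1, b"mtest"), (79, b"\x02\x01\x00\x0a\x01mtest"), (80, bytes(16)), (32, b"fgt")])

if __name__ == "__main__":
    for label, pkt in (("PAP", PAP_REQUEST), ("EAP", EAP_REQUEST)):
        print(label, classify_auth_method(pkt), [n for n, _ in parse_attributes(pkt)])
```

If the live capture from the FortiGate shows only EAP-Message (no User-Password), the RADIUS module on the FreeRADIUS side is being handed no password at all, which matches the empty-bind error in the privacyIDEA log.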