Anyone successful with Fortigate IKEv2 and LDAP?

Hi

We are using Fortigate IPSEC Client VPN with Forticlient with PrivacyIdea+Freeradius and LDAP (UCS).

This works pretty fine with IKEv1.
Now we tried to change the VPN to IKEv2 but it seems there is a problem with Forti.
It does not work as expected.

Forti Error

ike 0:dial-dhcp-mun2: EAP failed for user "mtest"
ike 0:dial-dhcp-mun2: EAP response is empty
ike 0:dial-dhcp-mun2: connection expiring due to EAP failure

Radius Error

Wed Jun 5 15:10:26 2024 : Info: rlm_perl: privacyIDEA Result status is true!
Wed Jun 5 15:10:26 2024 : Info: rlm_perl: privacyIDEA access denied for mtest realm=‘vpn’


PI Error

[2024-06-05 15:10:26,067][25774][140054992402304][INFO][privacyidea.lib.user:260] user 'mtest' found in resolver 'ucs_fw-vpns'
[2024-06-05 15:10:26,067][25774][140054992402304][INFO][privacyidea.lib.user:262] userid resolved to 'dc897b5c-81cb-103d-8acb-fb3e04db8ef2' 
[2024-06-05 15:10:26,124][25774][140054992402304][INFO][privacyidea.lib.user:430] User 'mtest' from realm 'vpn' tries to authenticate
[2024-06-05 15:10:26,128][25774][140054992402304][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:394] failed to check password for 'dc897b5c-81cb-103d-8acb-fb3e04db8ef2'/'uid=mtest,cn=users,ou=xxxxx': LDAPPasswordIsMandatoryError('password is mandatory in simple bind')

I have changed to the correct config on the Forti, but it seems it uses a different protocol than with IKEv1 to interact with the Radius and therefore the response is not correct:

        set eap enable
        set eap-identity send-request
        set authusrgrp "radius_vpn"

I have no idea where to dig further; maybe someone was successful with such a config.

EAP does not work with OTP values.
Use PAP.

For more RADIUS setup read
https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html#rlm-perl

Hmm ok then this will not work with Forti, as I found this on FortiDocs:

  • Ikev2 required an EAP framework for authenticities.

You might™ be able to use PUSH authentication with PUSH wait with EAP.

This is all I can say.

I’m using EAP with RRAS VPN and push notification (in a POC deployment that has been dragging on forever, ~40 users, ~6 months). You’ll have to make some modifications, that I hope won’t get in the way of support once my project gets up and running again…

I’m also using MS CHAP v2 inside. Basically everything to match the default settings when an end user creates a VPN on Windows 10/11.

You will have to use push, OTP won’t work.

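Added example (not part of the original thread, and not privacyIDEA or Fortinet code): the PAP versus EAP difference discussed in the replies, shown at the RADIUS attribute level. A PAP Access-Request carries the PIN+OTP in User-Password, while the first Access-Request of an EAP exchange carries only an EAP-Message, which is consistent with the empty-password bind error in the privacyIDEA log. The shared secret, authenticator, OTP value and function names are constructed for illustration.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79  # RFC 2865 / RFC 3579 types

def user_password_xor(data: bytes, secret: bytes, authenticator: bytes,
                      decrypt: bool = False) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding; data must be 16-byte padded."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, mask))
        prev = block if decrypt else res  # chain on the ciphertext block
        out += res
    return out

def build_access_request(authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes) -> dict:
    end, pos, attrs = struct.unpack("!H", packet[2:4])[0], 20, {}
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        attrs[atype] = attrs.get(atype, b"") + packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def password_seen_by_backend(packet: bytes, secret: bytes) -> bytes:
    """Password a PAP-style backend receives; empty if User-Password is absent."""
    attrs = parse_attributes(packet)
    if USER_PASSWORD not in attrs:
        return b""
    hidden = attrs[USER_PASSWORD]
    return user_password_xor(hidden, secret, packet[4:20], True).rstrip(b"\x00")

# Constructed sample data; only the user name "mtest" appears in the thread.
SECRET, RA = b"constructed-secret", bytes(range(16))
PAP_REQUEST = build_access_request(RA, [
    (USER_NAME, b"mtest"),
    (USER_PASSWORD, user_password_xor(b"pin123456".ljust(16, b"\x00"), SECRET, RA))])
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 10, 1) + b"mtest"  # EAP Response/Identity
EAP_REQUEST = build_access_request(RA, [  # Message-Authenticator (80) omitted here
    (USER_NAME, b"mtest"), (EAP_MESSAGE, EAP_IDENTITY)])

if __name__ == "__main__":
    print("PAP:", password_seen_by_backend(PAP_REQUEST, SECRET))
    print("EAP:", password_seen_by_backend(EAP_REQUEST, SECRET))
```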