Administration Guide

XAuth user authentication

Extended authentication (XAuth) increases security for IKEv1 by requiring remote dialup client users to authenticate in a separate exchange at the end of phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS, and LDAP to authenticate dialup clients. You can configure a FortiGate to function either as an XAuth server or client. If the server or client is attempting a connection using XAuth and the other end is not using XAuth, the failed connection attempts that are logged will not specify XAuth as the reason.

XAuth server

A FortiGate can act as an XAuth server for dialup clients. When the phase 1 negotiation completes, the FortiGate challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification.

If the user records on the RADIUS server have suitably configured Framed‑IP‑Address fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP address range.

The authentication protocol you use for XAuth depends on the capabilities of the authentication server and the XAuth client:

  • Select CHAP Server whenever possible for higher challenge-response based security.

  • Select PAP Server for all implementations of LDAP and some implementations of Microsoft RADIUS that do not support CHAP.

  • Select Auto Server when the authentication server supports CHAP Server but the XAuth client does not. The FortiGate will use PAP to communicate with the XAuth client and CHAP to communicate with the authentication server. You can also use Auto Server to allow multiple source interfaces to be defined in an IPsec/IKE policy.

Before you begin, create user accounts and user groups to identify the dialup clients that need to access the network behind the FortiGate dialup server. If password protection will be provided through an external RADIUS or LDAP server, you must configure the FortiGate dialup server to forward authentication requests to the authentication server.

To configure XAuth to authenticate a dialup user group:
  1. On the FortiGate dialup server, go to VPN > IPsec Tunnels and create a new tunnel, or edit an existing one.

  2. Set Remote gateway to Dialup user.

  3. Set IKE to Version 1.

  4. Enable XAUTH and select the method to use between the XAuth client, the FortiGate, and the authentication server.

  5. For User Group:

    1. Select Inherit from policy for multiple user groups defined in the IPsec/IKE policy, or

    2. Select Specify and, in the dropdown, select the user group that needs to access the private network behind the FortiGate.

      Only one user group may be defined for Auto Server.

  6. Configure the remaining Network, Authentication, and Phase 1 Proposal options as needed.

  7. Click OK.

  8. Create as many policies as needed, specifying the source user(s) and destination address.

XAuth client

If the FortiGate acts as a dialup client, the remote peer, acting as an XAuth server, might require a username and password. You can configure the FortiGate as an XAuth client with its own username and password, which it provides when challenged.

To configure the FortiGate dialup client as an XAuth client:
  1. On the FortiGate dialup client, go to VPN > IPsec Tunnels and create a new tunnel, or edit an existing one.

  2. Set Remote gateway to either Static IP address or Dynamic DNS.

  3. Set IKE to Version 1.

  4. Enable XAUTH. XAuth client is selected as the only option.

  5. Enter the Username and Password that will be used to authenticate this FortiGate.

  6. Configure the remaining Network, Authentication, and Phase 1 Proposal options as needed.

  7. Click OK.
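As an added example (not from the Fortinet guide), the FortiOS CLI equivalent of the XAuth server and XAuth client procedures above, built around a RADIUS-backed user group. The RADIUS address, tunnel and group names, and all secrets are constructed placeholders; the `assign-ip-from usrgrp` line is assumed to be the option that hands out the RADIUS Framed-IP-Address and should be checked against your FortiOS release.

```text
# --- RADIUS server that the XAuth server forwards credentials to ---
config user radius
    edit "corp-radius"
        set server "192.0.2.10"                # constructed sample address
        set secret "<radius-shared-secret>"    # placeholder
        set auth-type chap                     # CHAP toward the server (Auto Server case)
    next
end

# --- User group the dialup tunnel authenticates against ---
config user group
    edit "vpn-users"
        set member "corp-radius"
    next
end

# --- Dialup tunnel on the FortiGate acting as XAuth server ---
config vpn ipsec phase1-interface
    edit "dialup-xauth"
        set type dynamic                       # Remote gateway: Dialup user
        set interface "port1"
        set ike-version 1                      # XAuth exists only in IKEv1
        set peertype any
        set proposal aes256-sha256
        set mode-cfg enable
        set assign-ip-from usrgrp              # assumed: virtual IP from RADIUS Framed-IP-Address
        set xauthtype auto                     # auto | chap | pap; Auto Server permits one group only
        set authusrgrp "vpn-users"
        set psksecret "<pre-shared-key>"       # placeholder
    next
end

# --- Tunnel on the remote FortiGate acting as XAuth client ---
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 1
        set remote-gw 203.0.113.1              # constructed: Static IP address gateway
        set proposal aes256-sha256
        set xauthtype client
        set authusr "branch-fw"                # Username sent when challenged
        set authpasswd "<xauth-password>"      # placeholder
        set psksecret "<pre-shared-key>"       # placeholder
    next
end
```

Firewall policies that reference the "vpn-users" group as source user still have to be created separately, as step 8 of the server procedure describes.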