Somashekara_Hanumant
Article Id 191443

Description: This article describes how to configure an IPsec dialup VPN on FortiOS v5.2 and v5.4 between a FortiGate unit and the FortiClient software, using a RADIUS server for user authentication.

Requirements: FortiGate and FortiClient
FortiGate (FortiOS v5.2 and v5.4)
FortiClient (Version 5.4)

Configure RADIUS server:

On Version 5.2.0 onwards

User & Devices > Authentication > Radius Server > Create new


Create the user 'user1' with 'Type' set to RADIUS, then create a group called 'radius_grp' and add 'user1' to it.



Configure dialup IPSec VPN:



After the interface-based dialup VPN is created, a firewall policy from 'radius_vpn' to the 'port2' interface is created automatically.



Configure FortiClient:




Troubleshooting:

diag debug disable
diag debug reset
diag debug application ike -1
diag debug application fnbamd -1
diag debug enable


ike 0:radius_vpn_0:15: initiating XAUTH.
ike 0:radius_vpn_0:15: sending XAUTH request
ike 0:radius_vpn_0:15: enc F1D18748E306B7C8F5D921E906A1E94008100601AD2CF162000000540E000024788105BF21E64E429A7A060AFA8147587F3C2A0B286F800A56D1B16C0C43436A0000001401000D8CC088000040890000408A0000
ike 0:radius_vpn_0:15: out F1D18748E306B7C8F5D921E906A1E94008100601AD2CF1620000005CC419AD9E221E4E3A88909200FF38336B0FC4742159F4F0E2DA821A2B2EE2E28CAD2A3185A2E41DC541D80CB3C96F87BB44E389AC749A17D5CE2A379A013F8BB1
ike 0:radius_vpn_0:15: sent IKE msg (cfg_send): 10.0.18.60:500->172.26.73.110:500, len=92, id=f1d18748e306b7c8/f5d921e906a1e940:ad2cf162
ike 0:radius_vpn_0:15: peer has not completed XAUTH exchange
ike 0: comes 172.26.73.110:500->10.0.18.60:500,ifindex=2....
ike 0: IKEv1 exchange=Mode config id=f1d18748e306b7c8/f5d921e906a1e940:ad2cf162 len=108
ike 0: in F1D18748E306B7C8F5D921E906A1E94008100601AD2CF1620000006CC19AB6F8C5D0BD4519B8681CBCA886EEE796BD94D72DA5158AF36D2F06F39591CEBE1B0B1C720294D068DA16A02EF1437BEC37EDFE08571D6CFA9A4A9A290C7B2620A1EDF30695482C0D4EBF81734E50
ike 0:radius_vpn_0:15: dec F1D18748E306B7C8F5D921E906A1E94008100601AD2CF1620000006C0E000024055C850F6080371AED9A31A61CBD292F70F7D4944178C5E6A44B3B464FB4BAF90000002102000D8CC0880000408900057573657231408A00087040737377307264BBA9D0B6BC9DE5DA8BC10A
ike 0:radius_vpn_0:15: received XAUTH_USER_NAME 'user1' length 5
ike 0:radius_vpn_0:15: received XAUTH_USER_PASSWORD length 8
ike 0:radius_vpn_0: XAUTH user "user1"
ike 0:radius_vpn: auth group radius_grp
ike 0:radius_vpn_0: XAUTH 1571178739 pending
fnbamd_fsm.c[1890] handle_req-Rcvd auth req 1571178739 for user1 in radius_grp opt=00000000 prot=5
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'radius_grp'
fnbamd_pop3.c[573] fnbamd_pop3_start-user1
fnbamd_cfg.c[500] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'lab_radius' for usergroup 'radius_grp' (6)
fnbamd_radius.c[1060] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_auth.c[2260] fnbamd_auth_handle_radius_result-Passed group matching
fnbamd_fsm.c[867] find_matched_usr_grps-Group 'radius_grp' passed group matching
fnbamd_fsm.c[868] find_matched_usr_grps-Add matched group 'radius_grp'(6)
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 1571178739
fnbamd_fsm.c[565] destroy_auth_session-delete session 1571178739
ike 0:radius_vpn_0:15: XAUTH 1571178739 result 0
ike 0:radius_vpn_0: XAUTH succeeded for user "user1" group "radius_grp"
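
Added example (not part of the original article and not Fortinet tooling): the 'dec' line in the output above is the decrypted XAUTH reply and carries the user name and password, so this Python script replaces the hex payloads before the debug output is shared and summarizes each authentication request. The sample lines are constructed in the format shown above, and the function names are illustrative.

```python
import re

# Constructed sample in the format of the output above (hex payloads shortened;
# request 1571178740 / user2 is invented to show a request with no result).
SAMPLE = """\
ike 0:radius_vpn_0:15: enc AABBCCDD
ike 0: in 0102030405
ike 0:radius_vpn_0:15: dec AABBCCDD0011
ike 0:radius_vpn_0:15: received XAUTH_USER_NAME 'user1' length 5
fnbamd_fsm.c[1890] handle_req-Rcvd auth req 1571178739 for user1 in radius_grp opt=00000000 prot=5
fnbamd_cfg.c[500] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'lab_radius' for usergroup 'radius_grp' (6)
ike 0:radius_vpn_0:15: XAUTH 1571178739 result 0
ike 0:radius_vpn_0: XAUTH succeeded for user "user1" group "radius_grp"
fnbamd_fsm.c[1890] handle_req-Rcvd auth req 1571178740 for user2 in radius_grp opt=00000000 prot=5
"""

# enc/dec/in/out lines end in a raw hex dump of the IKE message
HEX_LINE = re.compile(r"^(ike .*?: (?:enc|dec|in|out)) ([0-9A-Fa-f]{2,})$", re.M)
REQ = re.compile(r"Rcvd auth req (\d+) for (\S+) in (\S+)")
SERVER = re.compile(r"Loading RADIUS server '([^']+)' for usergroup '([^']+)'")
RESULT = re.compile(r"XAUTH (\d+) result (\d+)")


def redact(text):
    """Replace raw IKE payload hex with a byte count so the log can be shared."""
    return HEX_LINE.sub(
        lambda m: f"{m.group(1)} <{len(m.group(2)) // 2} bytes redacted>", text)


def summarize(text):
    """Return {request_id: {user, group, server, result}} per XAUTH request."""
    reqs, last = {}, None
    for line in text.splitlines():
        if m := REQ.search(line):
            last = m.group(1)
            reqs[last] = {"user": m.group(2), "group": m.group(3),
                          "server": None, "result": None}
        elif (m := SERVER.search(line)) and last and reqs[last]["group"] == m.group(2):
            reqs[last]["server"] = m.group(1)  # server loaded for the latest request
        elif (m := RESULT.search(line)) and m.group(1) in reqs:
            reqs[m.group(1)]["result"] = int(m.group(2))  # 0 precedes "XAUTH succeeded" above
    return reqs


if __name__ == "__main__":
    print(redact(SAMPLE))
    for req_id, info in summarize(SAMPLE).items():
        print(req_id, info)
```

A request whose 'result' stays None never received an 'XAUTH <id> result' line in the captured output.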