Fortinet black logo

Handbook

Using XAuth authentication

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:100552
Download PDF

Using XAuth authentication

Extended authentication (XAuth) increases security by requiring the remote dialup client user to authenticate in a separate exchange at the end of Phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS, and LDAP to authenticate dialup clients. You can configure a FortiGate unit to function either as an XAuth server or an XAuth client. If the server or client is attempting a connection using XAuth and the other end is not using XAuth, the failed connection attempts that are logged will not specify XAuth as the reason.

XAuth server

A FortiGate unit can act as an XAuth server for dialup clients. When the Phase 1 negotiation completes, the FortiGate unit challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification.

If the user records on the RADIUS server have suitably configured Framed‑IP‑Address fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP address range. See Assigning VIPs by RADIUS user group.

The authentication protocol to use for XAuth depends on the capabilities of the authentication server and the XAuth client:

  • Select PAP Server whenever possible.
  • You must select PAP Server for all implementations of LDAP and some implementations of Microsoft RADIUS.
  • Select Auto Server when the authentication server supports CHAP Server but the XAuth client does not. The FortiGate unit will use PAP to communicate with the XAuth client and CHAP to communicate with the authentication server. You can also use Auto Server to allows multiple source interfaces to be defined in an IPsec/IKE policy

Before you begin, create user accounts and user groups to identify the dialup clients that need to access the network behind the FortiGate dialup server. If password protection will be provided through an external RADIUS or LDAP server, you must configure the FortiGate dialup server to forward authentication requests to the authentication server.

Authenticating a dialup user group using XAuth settings
  1. At the FortiGate dialup server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Select Convert To Custom Tunnel.
  3. Edit XAUTH, select the Type setting, which determines the type of encryption method to use between the XAuth client, the FortiGate unit and the authentication server. Select one of the following options:
    • Disabled — Disables XAuth settings.
    • PAP Server — Password Authentication Protocol.
    • CHAP Server — Challenge-Handshake Authentication Protocol.
    • Auto Server — Use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
  4. From the User Group list, select the user group that needs to access the private network behind the FortiGate unit. The group must be added to the FortiGate configuration before it can be selected here. For multiple user groups to be defined in the IPsec/IKE policy, select Inherit from policy.
  5. Select OK.
  6. Create as many policies as needed, specifying Source User(s) and Destination Address.
    For example, one policy could have user1 have access to test_local_subnet_1, while user2 has access to test_local_subnet_2.

note icon

When XAuth settings are enabled, Inherit from policy is only available under PAP Server and CHAP Server, not Auto Server. Because of this, only one user group may be defined for Auto Server.

XAuth client

If the FortiGate unit acts as a dialup client, the remote peer, acting as an XAuth server, might require a username and password. You can configure the FortiGate unit as an XAuth client, with its own username and password, which it provides when challenged.

Configuring the FortiGate dialup client as an XAuth client
  1. At the FortiGate dialup client, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Under XAuth, select Enable as Client.
  4. In the Username field, type the FortiGate PAP, CHAP, RADIUS, or LDAP user name that the FortiGate XAuth server will compare to its records when the FortiGate XAuth client attempts to connect.
  5. In the Password field, type the password to associate with the user name.
  6. Select OK.

Using XAuth authentication

Extended authentication (XAuth) increases security by requiring the remote dialup client user to authenticate in a separate exchange at the end of Phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS, and LDAP to authenticate dialup clients. You can configure a FortiGate unit to function either as an XAuth server or an XAuth client. If the server or client is attempting a connection using XAuth and the other end is not using XAuth, the failed connection attempts that are logged will not specify XAuth as the reason.

XAuth server

A FortiGate unit can act as an XAuth server for dialup clients. When the Phase 1 negotiation completes, the FortiGate unit challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification.

If the user records on the RADIUS server have suitably configured Framed‑IP‑Address fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP address range. See Assigning VIPs by RADIUS user group.

The authentication protocol to use for XAuth depends on the capabilities of the authentication server and the XAuth client:

  • Select PAP Server whenever possible.
  • You must select PAP Server for all implementations of LDAP and some implementations of Microsoft RADIUS.
  • Select Auto Server when the authentication server supports CHAP Server but the XAuth client does not. The FortiGate unit will use PAP to communicate with the XAuth client and CHAP to communicate with the authentication server. You can also use Auto Server to allows multiple source interfaces to be defined in an IPsec/IKE policy

Before you begin, create user accounts and user groups to identify the dialup clients that need to access the network behind the FortiGate dialup server. If password protection will be provided through an external RADIUS or LDAP server, you must configure the FortiGate dialup server to forward authentication requests to the authentication server.

Authenticating a dialup user group using XAuth settings
  1. At the FortiGate dialup server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Select Convert To Custom Tunnel.
  3. Edit XAUTH, select the Type setting, which determines the type of encryption method to use between the XAuth client, the FortiGate unit and the authentication server. Select one of the following options:
    • Disabled — Disables XAuth settings.
    • PAP Server — Password Authentication Protocol.
    • CHAP Server — Challenge-Handshake Authentication Protocol.
    • Auto Server — Use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
  4. From the User Group list, select the user group that needs to access the private network behind the FortiGate unit. The group must be added to the FortiGate configuration before it can be selected here. For multiple user groups to be defined in the IPsec/IKE policy, select Inherit from policy.
  5. Select OK.
  6. Create as many policies as needed, specifying Source User(s) and Destination Address.
    For example, one policy could have user1 have access to test_local_subnet_1, while user2 has access to test_local_subnet_2.

note icon

When XAuth settings are enabled, Inherit from policy is only available under PAP Server and CHAP Server, not Auto Server. Because of this, only one user group may be defined for Auto Server.

XAuth client

If the FortiGate unit acts as a dialup client, the remote peer, acting as an XAuth server, might require a username and password. You can configure the FortiGate unit as an XAuth client, with its own username and password, which it provides when challenged.

Configuring the FortiGate dialup client as an XAuth client
  1. At the FortiGate dialup client, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Under XAuth, select Enable as Client.
  4. In the Username field, type the FortiGate PAP, CHAP, RADIUS, or LDAP user name that the FortiGate XAuth server will compare to its records when the FortiGate XAuth client attempts to connect.
  5. In the Password field, type the password to associate with the user name.
  6. Select OK.