Using XAuth authentication

Extended authentication (XAuth) increases security by requiring remote dialup client users to authenticate in a separate exchange at the end of phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS, and LDAP to authenticate dialup clients. You can configure a FortiGate to function either as an XAuth server or client. If the server or client is attempting a connection using XAuth and the other end is not using XAuth, the failed connection attempts that are logged will not specify XAuth as the reason.

XAuth server

A FortiGate can act as an XAuth server for dialup clients. When the phase 1 negotiation completes, the FortiGate challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification.

If the user records on the RADIUS server have suitably configured Framed‑IP‑Address fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP address range.

The authentication protocol you use for XAuth depends on the capabilities of the authentication server and the XAuth client:

  • Select PAP Server whenever possible.
  • You must select PAP Server for all implementations of LDAP and some implementations of Microsoft RADIUS.
  • Select Auto Server when the authentication server supports CHAP Server but the XAuth client does not. The FortiGate will use PAP to communicate with the XAuth client and CHAP to communicate with the authentication server. You can also use Auto Server to allow multiple source interfaces to be defined in an IPsec/IKE policy.

Before you begin, create user accounts and user groups to identify the dialup clients that need to access the network behind the FortiGate dialup server. If password protection will be provided through an external RADIUS or LDAP server, you must configure the FortiGate dialup server to forward authentication requests to the authentication server.

To configure XAuth to authenticate a dialup user group:
  1. On the FortiGate dialup server, go to VPN > IPsec Tunnels and create a new tunnel, or edit an existing one.
  2. Configure or edit the Network, Authentication, and Phase 1 Proposal sections as needed.
  3. In the XAUTH section, select the encryption method Type to use between the XAuth client, the FortiGate, and the authentication server.
  4. For User Group:
    1. Click Inherit from policy for multiple user groups defined in the IPsec/IKE policy, or
    2. Click Choose and in the dropdown, select the user group that needs to access the private network behind the FortiGate.

      Only one user group may be defined for Auto Server.

  5. Click OK.
  6. Create as many policies as needed, specifying the source user(s) and destination address.

XAuth client

If the FortiGate acts as a dialup client, the remote peer, acting as an XAuth server, might require a username and password. You can configure the FortiGate as an XAuth client with its own username and password, which it provides when challenged.

To configure the FortiGate dialup client as an XAuth clie