L2TP OVER IPSEC authentication with LDAP failed. The client shows authentication failed.

Created: May 11, 2018 05:47:17Latest reply: May 11, 2018 20:57:57 926 1 1 0 0

Issue Description

Alarm Information

Debug aaa all information as below:

Jan 17 2018 10:42:15.635.15+08:00 TG25FW01 LDAP/7/DEBUG:[LDAP(Pkt):] Make a packet of user bind(UserDN:uid=eric,ou=People,dc=ico,dc=local ).

Jan 17 2018 10:42:15.635.16+08:00 TG25FW01 LDAP/7/DEBUG:[LDAP(Pkt):] status change to LDAP_FLAG_REQ_USR_BINDED.

Jan 17 2018 10:42:15.635.17+08:00 TG25FW01 LDAP/7/DEBUG:[LDAP(Err):] Bind failed. Error number is [49].

Jan 17 2018 10:42:15.635.18+08:00 TG25FW01 LDAP/7/DEBUG:[LDAP(Evt):] Receive a packet bind fail.

Jan 17 2018 10:42:15.635.19+08:00 TG25FW01 LDAP/7/DEBUG:[LDAP(Pkt):] Receive a packet of user bind result fail.

Jan 17 2018 10:42:15.635.20+08:00 TG25FW01 LDAP/7/DEBUG:[LDAP(Err):] BaseDN is empty.

Jan 17 2018 10:42:15.635.21+08:00 TG25FW01 LDAP/7/DEBUG:[LDAP(Err):] authentication rejected.

Handling Process

Do capture on firewall, finding the password it sent to LDAP is wrong.

1f0bcdb485264436985f073971e5de98

Root Cause

L2TP only support PAP authentication type but not support CHAP. (All firewall version)

Solution

Change authentication from CHAP to PAP, it is working fine.