Chapter 11 IPsec VPN for FortiOS 5.0 : Auto Key phase 1 parameters : Using XAuth authentication : Using the FortiGate unit as an XAuth server
Using the FortiGate unit as an XAuth server
A FortiGate unit can act as an XAuth server for dialup clients. When the phase 1 negotiation completes, the FortiGate unit challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification.
If the user records on the RADIUS server have suitably configured Framed-IP-Address fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP address range. See “Assigning VIPs by RADIUS user group”.
The authentication protocol to use for XAuth depends on the capabilities of the authentication server and the XAuth client:
Select PAP whenever possible.
You must select PAP for all implementations of LDAP and some implementations of Microsoft RADIUS.
Select AUTO when the authentication server supports CHAP but the XAuth client does not. The FortiGate unit will use PAP to communicate with the XAuth client and CHAP to communicate with the authentication server.
Before you begin, create user accounts and user groups to identify the dialup clients that need to access the network behind the FortiGate dialup server. If password protection will be provided through an external RADIUS or LDAP server, you must configure the FortiGate dialup server to forward authentication requests to the authentication server. For information about these topics, see the FortiGate User Authentication Guide.
To authenticate a dialup user group using XAuth settings
1. At the FortiGate dialup server, go to VPN > IPsec > Auto Key (IKE).
2. In the list, select the Edit icon of a phase 1 configuration to edit its parameters for a particular remote gateway.
3. Select Advanced.
4. Under XAuth, select Enable as Server.
5. The Server Type setting determines the authentication protocol to use between the XAuth client, the FortiGate unit and the authentication server. Select one of the following options:
PAP—Password Authentication Protocol.
CHAP—Challenge-Handshake Authentication Protocol.
AUTO—Use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
6. From the User Group list, select the user group that needs to access the private network behind the FortiGate unit. The group must be added to the FortiGate configuration before it can be selected here.
7. Select OK.
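The same configuration entered from the CLI, as an added example that is not part of the FortiOS guide: it defines the external RADIUS server, the user group selected in step 6, and a dialup phase 1 with the FortiGate unit acting as XAuth server. The server address, shared secret, pre-shared key, interface, group name and phase 1 name are placeholders; the lines beginning with # are annotations for the reader and are not part of the configuration.

```fortios
# External RADIUS server that verifies the forwarded credentials (placeholder address and secret)
config user radius
    edit "radius_srv"
        set server "192.0.2.10"
        set secret "<shared-secret>"
    next
end

# User group for the dialup clients, with the RADIUS server as its member (step 6)
config user group
    edit "dialup_grp"
        set member "radius_srv"
    next
end

# Dialup phase 1 with the FortiGate unit as XAuth server (steps 4 to 6)
# xauthtype pap   : PAP, required for LDAP and some Microsoft RADIUS implementations
# xauthtype auto  : PAP to the XAuth client, CHAP to the authentication server
# xauthtype chap  : CHAP end to end, only if both client and server support it
config vpn ipsec phase1
    edit "dialup_p1"
        set type dynamic
        set interface "wan1"
        set proposal aes256-sha1
        set psksecret "<preshared-key>"
        set xauthtype pap
        set authusrgrp "dialup_grp"
    next
end
```

After committing, a failed XAuth exchange is the symptom to check when the server type does not match what the RADIUS or LDAP server accepts.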