Feature request: EAP-TTLS/PAP support for FortiGate IPsec/IKEv2 integrations (PAP deprecated/removed) #56
nkarakasuk
started this conversation in
General
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hi TinyRadius maintainers,
We are using TinyRadius as our RADIUS backend for Fortinet FortiGate VPN integrations. Recently, we noticed that in newer FortiGate/FortiClient versions, PAP authentication is no longer supported for certain IPsec/IKEv2 scenarios, and Fortinet now requires using an EAP-based method instead.
According to Fortinet documentation/configuration, FortiGate enforces one of the following options:
EAP-MSCHAPv2 (default)
EAP-TTLS/PAP
However, EAP-MSCHAPv2 depends on NTLM/MSCHAPv2 validation via Microsoft AD/DC, and we are concerned that Microsoft may further restrict or deprecate NTLM-based authentication methods in the future. For long-term compatibility, we would like to support EAP-TTLS/PAP as an alternative.
Request
Do you have any roadmap or planned work for implementing EAP-TTLS/PAP support in TinyRadius?
If not, would you be open to a contribution or design discussion around adding it?
Thanks in advance.
Beta Was this translation helpful? Give feedback.
All reactions