akanibek
Staff
April 27, 2026

Technical Tip: FortiGate - IPsec dial-up SAML-based errors


Description

This article describes how to resolve an error that occurs while bringing up an IPsec dial-up tunnel that uses SAML-based authentication.

Scope

FortiOS 7.2.X, 7.4.X, 7.6.X, 8.0.X GA.

All supported versions of FortiClient.

Solution

The initial IPsec setup with SAML-based authentication is covered in the articles listed at the bottom of this article (see Related articles).

While configuring an IPsec tunnel with SAML-based authentication, errors such as 'EAP-MSCHAPV2: Invalid NT-Response', 'EAP-MSCHAPV2: Failure Request Message' and 'EAP failed for user' may appear.

To collect the relevant debug logs, run the following commands on the FortiGate:

diagnose debug reset
diagnose debug appl ike -1
diagnose debug appl saml -1
diagnose debug console time enable
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 X.X.X.X <<< remote dial-up client's public IP

diagnose debug enable


Debug output snippet:

2026-04-27 09:55:52 1777276552.873226: 2026-04-27 09:55:52 EAP: EAP entering state WAIT_FNBAM_AUTH
2026-04-27 09:55:52 1777276552.876135: 2026-04-27 09:55:52 eap_comm_client_read:707, type:0, size:928
2026-04-27 09:55:52 1777276552.884536: 2026-04-27 09:55:52 EAP-MSCHAPV2: Invalid NT-Response
2026-04-27 09:55:52 1777276552.887442: 2026-04-27 09:55:52 EAP: EAP entering state METHOD_REQUEST
2026-04-27 09:55:52 1777276552.890896: 2026-04-27 09:55:52 EAP: building EAP-Request: Identifier 241
2026-04-27 09:55:52 1777276552.896634: 2026-04-27 09:55:52 EAP-MSCHAPV2: Failure Request Message - hexdump_ascii(len=57):
..
..
2026-04-27 09:55:53 1777276553.024179: 2026-04-27 09:55:53 RADIUS SRV: Reply to 127.0.0.1:8852
2026-04-27 09:55:53.027192 ike V=root:0:fac-saml-vpn:338303 EAP 9419086397485 result FNBAM_DENIED
2026-04-27 09:55:53.028162 ike V=root:0:fac-saml-vpn: EAP failed for user "24CCC56977304CE5BF4906284C0BEFD4"


This error may occur because the attribute names configured on the IdP do not match those configured on FortiGate as the Service Provider. For instance, in the example above, FortiGate's SAML attributes are as follows:

config user saml
   edit "FAC-dialup-SAML"
      set user-name "username"
      set group-name "groupname" <<<<----
      set digest-method sha1
   next
end


The IdP (FortiAuthenticator in this example) has different attribute names configured. The attribute names sent by the IdP must match the user-name and group-name values set on FortiGate:

[Screenshot: FortiAuthenticator IdP SAML attribute configuration]
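The two checks described above, picking the EAP failure indicators out of the debug output and comparing the attribute names FortiGate expects with the ones the IdP actually sends, as an added Python example. This is not Fortinet's code and not something FortiOS exposes; FortiGate performs the real comparison itself. The script assumes a constructed debug excerpt copied from the snippet above, a copy of the 'config user saml' block, and a constructed, unsigned assertion in which the IdP sends 'uid' and 'memberOf' instead of 'username' and 'groupname'. It is meant for inspecting an assertion captured on the IdP side when the debug output shows the errors quoted in this article.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: lines taken from the debug snippet in this article.
DEBUG_LINES = [
    "2026-04-27 09:55:52 1777276552.884536: 2026-04-27 09:55:52 EAP-MSCHAPV2: Invalid NT-Response",
    "2026-04-27 09:55:52 1777276552.896634: 2026-04-27 09:55:52 EAP-MSCHAPV2: Failure Request Message - hexdump_ascii(len=57):",
    "2026-04-27 09:55:53.027192 ike V=root:0:fac-saml-vpn:338303 EAP 9419086397485 result FNBAM_DENIED",
    '2026-04-27 09:55:53.028162 ike V=root:0:fac-saml-vpn: EAP failed for user "24CCC56977304CE5BF4906284C0BEFD4"',
]

# Error markers quoted in the article.
EAP_ERROR_MARKERS = (
    "EAP-MSCHAPV2: Invalid NT-Response",
    "EAP-MSCHAPV2: Failure Request Message",
    "result FNBAM_DENIED",
)
# Matches: ike V=root:0:<tunnel>: EAP failed for user "<id>"
EAP_FAILED_USER = re.compile(
    r'ike V=\w+:\d+:(?P<tunnel>[^:]+): EAP failed for user "(?P<user>[^"]+)"'
)


def triage_debug(lines):
    """Return the EAP error markers present in the debug output and the
    (tunnel, user) pairs that FortiGate reported as failed."""
    errors = [m for m in EAP_ERROR_MARKERS if any(m in line for line in lines)]
    failed = [(m.group("tunnel"), m.group("user"))
              for m in map(EAP_FAILED_USER.search, lines) if m]
    return {"errors": errors, "failed_users": failed}


# Constructed copy of the 'config user saml' block from the article.
FORTIGATE_SAML_CONFIG = """
config user saml
   edit "FAC-dialup-SAML"
      set user-name "username"
      set group-name "groupname"
      set digest-method sha1
   next
end
"""

# Constructed assertion: the IdP sends 'uid' and 'memberOf', names FortiGate
# is not configured to read. A real assertion is signed and carries more.
IDP_ASSERTION_MISMATCHED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion after the IdP attribute names were aligned with FortiGate.
IDP_ASSERTION_FIXED = (IDP_ASSERTION_MISMATCHED
                       .replace('Name="uid"', 'Name="username"')
                       .replace('Name="memberOf"', 'Name="groupname"'))


def expected_attribute_names(config_text):
    """Attribute names FortiGate will look for, keyed by config setting."""
    names = {}
    for setting in ("user-name", "group-name"):
        m = re.search(rf'set {setting} "([^"]+)"', config_text)
        if m:
            names[setting] = m.group(1)
    return names


def assertion_attributes(assertion_xml):
    """{attribute Name: [values]} taken from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def check_attribute_mapping(config_text, assertion_xml):
    """Compare what FortiGate expects with what the IdP actually sent."""
    expected = expected_attribute_names(config_text)
    sent = assertion_attributes(assertion_xml)
    matched = {s: n for s, n in expected.items() if n in sent}
    missing = {s: n for s, n in expected.items() if n not in sent}
    unexpected = sorted(set(sent) - set(expected.values()))
    return {"matched": matched, "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    print(triage_debug(DEBUG_LINES))
    print(check_attribute_mapping(FORTIGATE_SAML_CONFIG, IDP_ASSERTION_MISMATCHED))
    print(check_attribute_mapping(FORTIGATE_SAML_CONFIG, IDP_ASSERTION_FIXED))
```

With the mismatched assertion the report lists both user-name and group-name under 'missing' and 'uid'/'memberOf' under 'unexpected', which is the configuration state behind the 'EAP failed for user' line; after renaming the IdP attributes, both names land under 'matched'.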



Related articles:

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

Technical Tip: How to configure Microsoft Entra ID SAML authentication for dial-up IPsec VPN