Technical Tip: IKEV2 certificate authentication (EAP) with remote RADIUS server fails
Description
This article describes an issue in FortiOS 6.2.3 where IKEv2 certificate authentication (EAP) against a remote RADIUS server fails, although the same configuration works in earlier FortiOS versions.
Solution
Troubleshooting steps:
Run the following debugs:
diag debug reset
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug app ike -1
diag debug app eap_proxy -1
diag debug enable
The output shows that authentication is failing and that the result for the RADIUS server is reported as 1:
[2459] fnbamd_auth_handle_radius_result <----- Result for RADIUS svr 'FAC' 10.10.10.5(1) is 1
[181] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 1941161457
[724] destroy_auth_session-delete session 1941161457
[2733] handle_req-Rcvd abort req for 1941161457
Further down in the debug output, the following error appears:
[1568] __radius_decode_mppe_key-Incorrect attribute length 50.
[1568] __radius_decode_mppe_key-Incorrect attribute length 50.
This is known issue 0610390 in FortiOS 6.2.3, where the MPPE key attribute is only accepted with one specific size, so a key attribute of any other length is rejected as shown above.
The issue is resolved in v6.2.5; an upgrade to 6.2.5 is required to fix this.
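To make the "Incorrect attribute length 50" line concrete, the following Python is an added example (not Fortinet or FortiOS code) implementing the RFC 2548 MS-MPPE-Send/Recv-Key encoding: a 32-byte key encrypts to a 50-byte attribute value, a 16-byte key to 34, so a decoder that accepts only one of these lengths rejects the other. The shared secret, request authenticator and salt are constructed values; that 6.2.3 accepted exactly one length is the page's statement, the 34-versus-50 arithmetic is RFC 2548's.

```python
import hashlib

MS_VENDOR_ID = 311  # Microsoft vendor id carrying MS-MPPE-*-Key VSAs (RFC 2548)


def attribute_value_length(key_len: int) -> int:
    """Length of Salt + String for a key of key_len bytes: 2 + 16*ceil((1+key_len)/16)."""
    return 2 + (1 + key_len + 15) // 16 * 16


def encrypt_mppe_key(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """Return Salt + encrypted String per RFC 2548 section 2.4.2/2.4.3."""
    assert len(salt) == 2 and salt[0] & 0x80, "salt is 2 bytes with the high bit set"
    assert len(req_auth) == 16, "Request Authenticator is 16 bytes"
    plain = bytes([len(key)]) + key          # Key-Length octet followed by the key
    plain += b"\x00" * (-len(plain) % 16)    # zero-pad to a multiple of 16 octets
    out = b""
    prev = req_auth + salt                   # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        prev = c                             # b(i) = MD5(S + c(i-1))
    return salt + out


def decrypt_mppe_key(value: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encrypt_mppe_key; accepts any 2 + 16*n length, not one fixed size."""
    if len(value) < 18 or (len(value) - 2) % 16:
        raise ValueError(f"Incorrect attribute length {len(value)}")
    salt, cipher = value[:2], value[2:]
    plain = b""
    prev = req_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("Key-Length exceeds decrypted data")
    return plain[1:1 + key_len]


if __name__ == "__main__":
    # Constructed sample values; a real exchange takes these from the Access-Request.
    secret, req_auth, salt = b"testing123", bytes(range(16)), b"\x80\x01"
    for key_len in (16, 32):
        value = encrypt_mppe_key(bytes([0xAB]) * key_len, secret, req_auth, salt)
        print(f"{key_len}-byte key -> attribute value length {len(value)}")
```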
Additionally:
RADIUS communication can also be debugged effectively with a packet capture, either via a GUI packet capture on the respective port, typically 1812, or via the CLI:
diag sniffer packet any 'port 1812' 6 0 l
Related Article:
Troubleshooting Tip: Using the FortiOS built-in packet sniffer.