ssanga
Staff & Editor
May 8, 2026

Troubleshooting Tip: Dial-up IPsec VPN (IKEv2) connection failure for RADIUS users due to username case mismatch


Description

This article describes an issue where a dial-up IPsec VPN (IKEv2) connection fails for RADIUS users when the username case does not match, even though case sensitivity is disabled on both the FortiGate and the RADIUS server.

Scope

FortiGate v7.x.

Solution

An IPsec dial-up VPN is configured using IKEv2 with RADIUS authentication. Two-factor authentication (2FA) is enabled for the user, and username case sensitivity is disabled.


Example configuration:


config user local
    edit "radius-1"
        set type radius
        set two-factor email
        set email-to "xzy@fortinet.com"
        set username-sensitivity disable
        set radius-server "RADIUS-HOME"
    next
end

config user radius
    edit "RADIUS-HOME"
        set server "10.10.80.4"
        set secret ENC ************
        set source-ip "10.10.80.1"
        set username-case-sensitive disable
    next
end


  • VPN authentication is successful when using the username 'radius-1' (as configured on the FortiGate).

  • VPN authentication fails when using 'Radius-1' (different case). In the failure case, the 2FA prompt is not triggered on FortiClient.

  • The issue does not occur when using IKEv1.


With the following debug commands enabled, the output below is seen when the username case does not match.


diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug enable

ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260 EAP 1005096120437 result FNBAM_NEED_TOKEN
ike V=KPBSD-Edge:3:KP-VPNv2-ST: EAP requires token for user "Radius-1"
.
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: responder preparing EAP pass through message
[1444] fnbamd_rads_destroy-
ike 3:KP-VPNv2-ST:38260: enc 0000000803BC00040706050403020107
ike 3:KP-VPNv2-ST:38260: out 72F9D9DFCDBC5E61B02A899F929D9D32E20232000000004000000503000003486143DF06C01DBA431DC390A11BAEAFEEDDC4FBCE997FF064C32E36A9A2ED9B7FE7E389ED3633E0C08CC9E4448E67CFE
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: sent IKE msg (AUTH_RESPONSE): 10.123.240.2:4500->10.123.240.244:4500, len=80, vrf=0, id=c72f9d9dfcdbc5e6/1b02a899f929d9d3:00000004, if=25
.
ike V=KPBSD-Edge:3: comes 10.123.240.244:4500->10.123.240.2:4500,ifindex=25,vrf=0,len=116....
ike V=KPBSD-Edge:3: IKEv2 exchange=AUTH id=c72f9d9dfcdbc5e6/1b02a899f929d9d3:00000005 len=112
ike 3: in 72F9D9DFCDBC5E61B02A899F929D9D32E20230800000005000000702700005481F73306F99DE22FD79A1536EA0C3B133D29C5874C8780C60F21A1A0AD7CAF3A929A845ECF0887DB03A4906039670B4E7D22B36B01978CC
1C0B16101CDBDB2E8DEAD110371296FD4BAE0C639FA765B7D
ike V=KPBSD-Edge:3:KP-VPNv2-ST: HA state master(2)
ike 3:KP-VPNv2-ST:38260: dec C72F9D9DFCDBC5E61B02A899F929D9D32E202308000000050000004827000004000000280200000035281C7105B9ECB975F3306B024D138EA9DE0F645F11F38166E70FBA9C4728E9
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: responder received EAP msg
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: unexpected payload type 39
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: schedule delete of IKE SA c72f9d9dfcdbc5e6/1b02a899f929d9d3
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: scheduled delete of IKE SA c72f9d9dfcdbc5e6/1b02a899f929d9d3


This issue is currently under investigation by the development team. The article will be updated with the latest information once a fix is available.
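
To check a saved debug capture for this signature, the following added example (not part of the original article and not Fortinet code) correlates the token request, the unexpected payload and the IKE SA deletion, and reports usernames that differ only in case from a configured local user. The function name and the list of configured users are assumptions; the sample log is the article's output with the hex dumps left out.

```python
import re

# Line shapes follow the article's debug output:
#   ike V=<vdom>:<n>:<tunnel>[:<conn>]: <message>
TOKEN_RE = re.compile(r'^ike V=[^:]+:\d+:([^:]+): EAP requires token for user "([^"]+)"')
PAYLOAD_RE = re.compile(r'^ike V=[^:]+:\d+:([^:]+):(\d+): unexpected payload type (\d+)')
DELETE_RE = re.compile(r'^ike V=[^:]+:\d+:([^:]+):(\d+): schedule delete of IKE SA (\S+)')

# The article's debug lines with the hex dumps left out.
SAMPLE_LOG = '''\
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260 EAP 1005096120437 result FNBAM_NEED_TOKEN
ike V=KPBSD-Edge:3:KP-VPNv2-ST: EAP requires token for user "Radius-1"
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: responder preparing EAP pass through message
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: responder received EAP msg
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: unexpected payload type 39
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: schedule delete of IKE SA c72f9d9dfcdbc5e6/1b02a899f929d9d3
ike V=KPBSD-Edge:3:KP-VPNv2-ST:38260: scheduled delete of IKE SA c72f9d9dfcdbc5e6/1b02a899f929d9d3
'''


def find_case_mismatch_failures(log_text, configured_users):
    """Return one dict per IKE SA deleted after a 2FA token request for a
    username that differs only in case from a configured local user."""
    by_lower = {u.lower(): u for u in configured_users}
    pending = {}      # tunnel -> user awaiting token (that line has no conn id)
    bad_payload = {}  # (tunnel, conn) -> unexpected payload type
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := TOKEN_RE.match(line):
            pending[m.group(1)] = m.group(2)
        elif m := PAYLOAD_RE.match(line):
            # Type 39 is the IKEv2 AUTH payload (RFC 7296).
            bad_payload[(m.group(1), m.group(2))] = int(m.group(3))
        elif m := DELETE_RE.match(line):
            tunnel, conn, sa = m.groups()
            user = pending.pop(tunnel, None)
            payload = bad_payload.pop((tunnel, conn), None)
            if user is None or payload is None:
                continue  # deletion not preceded by the pattern in the article
            configured = by_lower.get(user.lower())
            if configured is not None and configured != user:
                findings.append({"tunnel": tunnel, "conn": conn, "sa": sa,
                                 "sent": user, "configured": configured,
                                 "payload": payload})
    return findings


if __name__ == "__main__":
    for finding in find_case_mismatch_failures(SAMPLE_LOG, ["radius-1"]):
        print(finding)
```

Because the token-request line carries no connection ID, the correlation is per tunnel and can mis-attribute a user when several clients authenticate on the same phase 1 at once.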