Troubleshooting Tip: Group failing to match due to DN exceeding 127 characters using IKEv2 with LDAP (EAP-TTLS)
| Description | This article describes a known issue where users may fail to match a group if a group DN exceeds 127 characters, which also causes the subsequent groups to fail. |
| Scope | FortiGate. |
| Solution | When a user attempts to log in to the IPsec VPN (IKEv2) with LDAP credentials, the user may fail to match the groups because of a 127-character limit in the EAP proxy. |

For example, the VPN group requires the user to be a member of the following group:

```
config user group
    edit "VPN Group"
        set member "SAML"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=group00018,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab"
            next
        end
    next
end
```

Running the LDAP authentication test shows that user 'forti2' authenticates successfully and the following groups are returned:

```
FGT# diag test auth ldap LDAP forti2 fortinet
```

However, in the EAP proxy debugging, no groups are returned:

```
diagnose debug app eap_proxy -1
diagnose debug enable
....
....
2025-08-28 02:09:45 [1206] __rad_rxtx-
```

This happens because the first group DN contains 128 characters. Once that DN hits the limit, the subsequent groups are not returned either:

```
"CN=group00019-123456789123456789012345,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab"
```

After removing one character from the DN so that it is 127 characters long, the groups that 'forti2' belongs to are returned, which allows the user to match the group successfully:

```
2025-08-28 02:09:02 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00019-12345678912345678901234,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
```

This known issue (1182725) is scheduled to be fixed in FortiOS 7.4.10, 7.6.5 and 8.0.0.
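As an added example that is not part of the article or of FortiOS, the following Python script gives an administrator a pre-flight check for this issue: it pulls the group DNs out of the `fnbamd_rad_get_vsas-FORTINET attr, type 1, val ...` debug lines shown above, flags every DN longer than 127 characters, and, following the behaviour the article describes (the first over-limit DN and everything after it is lost), reports which groups would still reach group matching and which would be dropped. The debug lines and the extra group DNs are constructed from the article's examples; the function and constant names are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Limit described in the article: a group DN longer than 127 characters is not
# passed through by the EAP proxy, and the groups after it are lost as well.
EAP_PROXY_DN_LIMIT = 127

# Matches the FORTINET VSA lines in fnbamd debug output, e.g.
# "2025-08-28 02:09:02 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=...,DC=lab"
# The DN is taken up to the end of the line, so DNs containing spaces are kept whole.
VSA_LINE = re.compile(
    r"fnbamd_rad_get_vsas-FORTINET attr, type 1, val (?P<dn>.+?)\s*$", re.MULTILINE
)

# Constructed DNs built from the article's OU and DC components (hypothetical lab values).
OU_DC = "OU=" + "1234567890" * 7 + ",DC=forti,DC=lab"
DN_OK_103 = "CN=group00018," + OU_DC                            # 103 chars: fine
DN_TOO_LONG_128 = "CN=group00019-123456789123456789012345," + OU_DC  # 128 chars: breaks the proxy
DN_FIXED_127 = "CN=group00019-12345678912345678901234," + OU_DC     # 127 chars: the workaround
DN_OK_AFTER = "CN=group00020," + OU_DC                          # constructed group listed last

# Constructed debug excerpt in the format shown in the article (timestamps are made up).
SAMPLE_DEBUG = "\n".join(
    f"2025-08-28 02:09:02 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val {dn}"
    for dn in (DN_OK_103, DN_TOO_LONG_128, DN_OK_AFTER)
)


def extract_group_dns(debug_output: str) -> List[str]:
    """Return the group DNs (FORTINET VSA type 1 values) in the order they appear."""
    return [m.group("dn") for m in VSA_LINE.finditer(debug_output)]


def check_group_dns(
    dns: List[str], limit: int = EAP_PROXY_DN_LIMIT
) -> Tuple[List[str], List[str], List[str]]:
    """Split a group list into what the EAP proxy would forward and what it would drop.

    Returns (returned, dropped, too_long):
      returned - DNs before the first over-limit DN; these reach group matching
      dropped  - the first over-limit DN and every DN after it (lost, per the article)
      too_long - every DN whose length exceeds the limit, regardless of position
    """
    too_long = [dn for dn in dns if len(dn) > limit]
    for i, dn in enumerate(dns):
        if len(dn) > limit:
            return dns[:i], dns[i:], too_long
    return list(dns), [], too_long


def report(dns: List[str], limit: int = EAP_PROXY_DN_LIMIT) -> List[str]:
    """Human-readable lines: which DNs need shortening, by how much, and what is lost."""
    returned, dropped, too_long = check_group_dns(dns, limit)
    lines = [f"{len(returned)} of {len(dns)} group DN(s) would reach group matching"]
    for dn in too_long:
        lines.append(f"over limit by {len(dn) - limit} char(s): {dn}")
    for dn in dropped:
        if dn not in too_long:
            lines.append(f"dropped because an earlier DN is over the limit: {dn}")
    return lines


if __name__ == "__main__":
    found = extract_group_dns(SAMPLE_DEBUG)
    print("\n".join(report(found)))
    print("--- after shortening the CN by one character ---")
    print("\n".join(report([DN_OK_103, DN_FIXED_127, DN_OK_AFTER])))
```

Run it against real `diagnose debug application fnbamd -1` output by replacing `SAMPLE_DEBUG` with the captured text; a non-empty `too_long` list points at the DN that needs shortening (or at a group whose OU path needs restructuring) until the fixed FortiOS builds listed above are deployed.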