EMS-Managed FortiClient Sends EAP NAK on IKEv2 EAP-SAML IPsec VPN — Non-EMS Client Works
ENVIRONMENT
FortiOS: 7.6.x (FortiGate 120G)
FortiClient EMS: 7.4.x (FortiCloud SaaS)
FortiClient: 7.4.7 (Windows)
Authentication: IKEv2 EAP-SAML via Microsoft Entra ID
---
ISSUE
FortiClient endpoints managed by EMS fail to complete IKEv2 IPsec VPN tunnel establishment after successful SAML authentication. The EMS-managed client sends an EAP NAK (type 08) in response to the FortiGate's EAP Identity Request, causing the FortiGate to tear down the IKE SA with 'unexpected payload type 41'.
A non-EMS-managed FortiClient with an identical manually configured tunnel connects successfully every time. The failure is specific to EMS-managed clients.
---
FORTIGATE IKE DEBUG (EMS-MANAGED CLIENT)
The sequence on every EMS-managed connection attempt:
 responder received AUTH msg
 responder preparing EAP identity request
 responder received EAP msg
 unexpected payload type 41
 schedule delete of IKE SA
 connection expiring due to phase1 down
The client response decodes as EAP type 08 (EAP NAK) — the client is rejecting the EAP method offered by the FortiGate.
---
ROOT CAUSE IDENTIFIED
The EMS endpoint profile XML contains a mandatory <eap_method> field under vpn > ipsecvpn > connections > ike_settings. The EMS GUI exposes only two options for this field: MSCHAPv2 and TTLS. Neither is correct for IKEv2 EAP-SAML.
Attempting to set <eap_method> to 0 or remove the element entirely produces a validation error:
 "vpn > ipsecvpn > connections > IAM UK > ike_settings > eap_method: invalid value 0"
The non-EMS client works because it has no <eap_method> constraint and negotiates the EAP method freely.
EMS does not expose EAP-SAML as a valid <eap_method> option, making it impossible to push a working IKEv2 EAP-SAML IPsec VPN configuration via an EMS endpoint profile.
---
TROUBLESHOOTING PERFORMED
- Confirmed authusrgrp set correctly on FortiGate phase1 (VPN_Users group with SAML server member)
- Tested all available <eap_method> values via EMS GUI (MSCHAPv2, TTLS) — EAP NAK on both
- Attempted to remove <eap_method> element entirely via XML edit — validation error, EMS rejects
- Attempted <eap_method>0</eap_method> — validation error
- Disabled certificate auth settings in EMS XML (usewincert, use_win_current_user_cert, etc.) — no impact
- Tested use_gui_saml_auth 0 and 1 — no impact
- Confirmed ems-sn-check disabled on FortiGate phase1
- Confirmed azure-ad-autoconnect disabled on FortiGate phase1
- Confirmed EMS connector healthy: WebSocket connected, API calls succeeding
- Confirmed endpoint has valid online ec-shm record
- Confirmed firewall policy has no ZTNA tag or posture enforcement
- eap-exclude-peergrp not available on FortiOS 7.6.x
---
QUESTIONS
1. Is there a supported <eap_method> value for EAP-SAML in FortiClient EMS 7.4.x endpoint profiles?
2. Is this a known limitation or defect in EMS 7.4.x?
3. Is there any workaround to push a working IKEv2 EAP-SAML IPsec VPN tunnel via EMS without the <eap_method> constraint blocking negotiation?
Happy to share full IKE debug output and EMS profile XML if helpful.
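Added example, not part of the original post or of any Fortinet tool: a small Python triage script that groups FortiGate IKE debug lines by IKE SA and flags every SA that shows the exact failure sequence quoted above, so repeated attempts from many endpoints can be counted rather than read by hand. It assumes the usual `ike V=root:0:<tunnel>:<sa>:` line prefix; the sample debug lines are constructed.

```python
from typing import Dict, List

# Milestones of one failing attempt, in the order the FortiGate IKE debug
# prints them. Matched by substring, so the per-line prefix FortiOS adds
# (assumed here to be "ike V=root:0:<tunnel>:<sa>:") does not matter.
EAP_NAK_SEQUENCE = [
    "responder received AUTH msg",
    "responder preparing EAP identity request",
    "responder received EAP msg",
    "unexpected payload type 41",
    "schedule delete of IKE SA",
]

def group_by_sa(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket milestone lines by their prefix (text before the milestone),
    which in FortiOS debug output identifies the tunnel and IKE SA."""
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        for milestone in EAP_NAK_SEQUENCE:
            idx = line.find(milestone)
            if idx != -1:
                buckets.setdefault(line[:idx].strip(), []).append(milestone)
                break  # one milestone per line
    return buckets

def is_eap_nak_teardown(milestones: List[str]) -> bool:
    """True when every milestone occurred in order: identity request sent,
    EAP reply received, responder could not use it, SA scheduled for delete."""
    pos = 0
    for m in milestones:
        if m == EAP_NAK_SEQUENCE[pos]:
            pos += 1
            if pos == len(EAP_NAK_SEQUENCE):
                return True
    return False

def triage(lines: List[str]) -> Dict[str, str]:
    """Map each IKE SA prefix to a verdict string."""
    return {sa: ("EAP method rejected after identity request"
                 if is_eap_nak_teardown(ms) else "no EAP-NAK teardown pattern")
            for sa, ms in group_by_sa(lines).items()}

# Constructed sample: SA 12 fails exactly as in the debug above; SA 13 is a
# second attempt whose EAP reply was not followed by the teardown.
SAMPLE_DEBUG = [
    "ike V=root:0:IAM UK:12: responder received AUTH msg",
    "ike V=root:0:IAM UK:12: responder preparing EAP identity request",
    "ike V=root:0:IAM UK:12: responder received EAP msg",
    "ike V=root:0:IAM UK:12: unexpected payload type 41",
    "ike V=root:0:IAM UK:12: schedule delete of IKE SA",
    "ike V=root:0:IAM UK:12: connection expiring due to phase1 down",
    "ike V=root:0:IAM UK:13: responder received AUTH msg",
    "ike V=root:0:IAM UK:13: responder preparing EAP identity request",
    "ike V=root:0:IAM UK:13: responder received EAP msg",
]

if __name__ == "__main__":
    for sa, verdict in triage(SAMPLE_DEBUG).items():
        print(f"{sa}  ->  {verdict}")
```

Feed it the full `diagnose debug application ike -1` capture (one line per list entry) and any SA reported as rejected is an attempt that matches the EMS-managed behaviour described above.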