Migration from SSL VPN to IKEv2 IPSEC dialup VPN for forticlient - with Cisco Duo Proxy VM for 2FA 'wrong credentials, eap failed'
Hi, so we still haven't found a solution yet.
N.B. - Final goal: have the existing SSLVPN dialup discontinued and replaced with a new IPSEC dialup IKEv2, with firewall rules that control which AD users / user groups can access which resources.
This works when using local firewall users, but any sort of remote LDAP is failing. I tried AD LDAP that is working fine for logging into the firewall, or the Cisco Duo RADIUS server. From research and feedback from Cisco staff, it should be using LDAP mode “ad_client + ldap_server_auto > this CAN send group information from AD to the FortiGate device”.
The thing is, I don't think this is a Cisco Duo problem but rather a FortiGate config/compatibility problem.
Because if I create local firewall users, add them into a group and attach them to the below IPSEC authentication, you can log in and do the VPN connection. But as soon as you try referencing a remote LDAP (in my case a valid working AD server or RADIUS server), the EAP auth failed error comes, but the same LDAP server works just fine for everything else, like captive portal & internet browsing.
See below error:
2026-05-12 13:41:51 [1041] __ldap_auth_ctx_prep-Credential cannot be empty
2026-05-12 13:41:51 [439] ldap_start-Failed to init ldap ctx for NITS AD On Premise
2026-05-12 13:41:51.809239 ike V=root:0:SSLVPN_Dialup:444806: responder received EAP msg
2026-05-12 13:41:51.809339 ike V=root:0:SSLVPN_Dialup:444806: send EAP message to FNBAM
2026-05-12 13:41:51.809433 ike V=root:0:SSLVPN_Dialup:444806: initiating EAP authentication
2026-05-12 13:41:51.809532 ike V=root:0:SSLVPN_Dialup: EAP user "michael"
2026-05-12 13:41:51.809621 ike V=root:0:SSLVPN_Dialup: auth group Fortinet-AD-Admins
2026-05-12 13:41:51.809795 ike V=root:0:SSLVPN_Dialup: EAP 26341166792742 pending
2026-05-12 13:41:51 [1774] handle_req-Rcvd auth req 26341166792742 for michael in Fortinet-AD-Admins opt=00000000 prot=7 svc=9
2026-05-12 13:41:51 [336] __compose_group_list_from_req-Group 'Fortinet-AD-Admins', type 1
2026-05-12 13:41:51 [511] create_auth_session-Session created for req id 26341166792742
2026-05-12 13:41:51 [597] fnbamd_cfg_get_tac_plus_list-
2026-05-12 13:41:51 [552] __fnbamd_cfg_get_tac_plus_list_by_group-
2026-05-12 13:41:51 [564] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'Fortinet-AD-Admins'
2026-05-12 13:41:51 [613] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
2026-05-12 13:41:51 [857] fnbamd_cfg_get_ldap_list-
2026-05-12 13:41:51 [773] __fnbamd_cfg_get_ldap_list_by_group-
2026-05-12 13:41:51 [351] fnbamd_ldap_get-vfid=0, name='NITS AD On Premise'
2026-05-12 13:41:51 [835] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'NITS AD On Premise' for usergroup 'Fortinet-AD-Admins' (2)
2026-05-12 13:41:51 [873] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 1
2026-05-12 13:41:51 [1898] fnbamd_ldap_auth_ctx_init-User: michael, password query: 1, group list query: 1, group only: 0, UPN query: 0, user domain query: 0
2026-05-12 13:41:51 [891] fnbamd_ldap_get_auth_server-
2026-05-12 13:41:51 [1041] __ldap_auth_ctx_prep-Credential cannot be empty
2026-05-12 13:41:51 [439] ldap_start-Failed to init ldap ctx for NITS AD On Premise
2026-05-12 13:41:51 [317] radius_start-eap_local=1
2026-05-12 13:41:51 [891] fnbamd_cfg_get_radius_list-
2026-05-12 13:41:51 [839] __fnbamd_cfg_get_radius_list_by_group-
2026-05-12 13:41:51 [853] __fnbamd_cfg_get_radius_list_by_group-Group 'Fortinet-AD-Admins'
2026-05-12 13:41:51 [813] __rad_auth_ctx_insert_all_usergroup-
2026-05-12 13:41:51 [456] fnbamd_rad_get-vfid=0, name='EAP_PROXY'
2026-05-12 13:41:51 [906] fnbamd_cfg_get_radius_list-Loaded RADIUS server 'EAP_PROXY'
2026-05-12 13:41:51 [913] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
2026-05-12 13:41:51 [931] fnbamd_rad_get_auth_server-
2026-05-12 13:41:51 [1483] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
2026-05-12 13:41:51 [301] fnbamd_radius_get_next_auth_prot-Next auth prot EAP
2026-05-12 13:41:51 [1402] __auth_ctx_svr_push-Added addr 127.0.0.1:1812 from rad 'EAP_PROXY'
2026-05-12 13:41:51 [1225] __fnbamd_rad_get_next_addr-Next available address of rad 'EAP_PROXY': 127.0.0.1:1812.
2026-05-12 13:41:51 [1420] __auth_ctx_start-Connection starts EAP_PROXY:127.0.0.1, addr 127.0.0.1:1812 proto: UDP
2026-05-12 13:41:51 [488] fnbamd_radius_socket_autobind-radius sport 2135
I followed the instructions provided to configure it in the below mode:
- ad_client + ldap_server_auto > this CAN send group information from AD to the FortiGate device
@DuoKristina
See below snippet of Duo config:
[ad_client]
host=<LDAP_SERVER_IP>
service_account_username=<SERVICE_ACCOUNT_USERNAME>
service_account_password=<SERVICE_ACCOUNT_PASSWORD>
search_dn=DC=<DOMAIN>,DC=<TLD>,DC=<TLD>
transport=ldaps
port=636
ssl_verify_hostname=false
#security_group_dn=CN=<SECURITY_GROUP>,OU=<OU>,DC=<DOMAIN>,DC=<TLD>,DC=<TLD>
[ldap_server_auto]
client=ad_client
ikey=<DUO_IKEY>
skey=<DUO_SKEY>
api_host=<DUO_API_HOST>
failmode=safe
exempt_ou_1=CN=<EXEMPT_USER>,DC=<DOMAIN>,DC=<TLD>,DC=<TLD>
exempt_primary_bind=false
ssl_key_path=C:\Program Files\Duo Security Authentication Proxy\conf\certs\ldap_server.key
ssl_cert_path=C:\Program Files\Duo Security Authentication Proxy\conf\certs\ldap_server.pem
FortiGate is running v7.6.6 build3652 (Mature)
config vpn ipsec phase1-interface
    edit "SSLVPN_Dialup"
        set type dynamic
        set interface "INTERNET_MPLS"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "Fortinet-AD-Admins"
        set transport udp
        set ipv4-start-ip 10.213.134.10
        set ipv4-end-ip 10.213.134.250
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set save-password enable
        set psksecret *REDACTED*
    next
end
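Added example, not part of the original post: a small Python triage helper that reads the fnbamd debug lines quoted above and reconstructs, per auth request, which backend servers were loaded for the user group, which one failed and why, and where the request fell through to. Run over the lines from the post it shows the LDAP server 'NITS AD On Premise' failing at context preparation because the credential was empty, and the request then going to the RADIUS entry 'EAP_PROXY' on the loopback address; the sample log is a constructed subset of the post's own lines, and the regexes assume the fnbamd message formats shown there.

```python
import re

# Constructed sample: a subset of the fnbamd debug lines quoted in the post above.
SAMPLE_LOG = """\
2026-05-12 13:41:51 [1774] handle_req-Rcvd auth req 26341166792742 for michael in Fortinet-AD-Admins opt=00000000 prot=7 svc=9
2026-05-12 13:41:51 [835] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'NITS AD On Premise' for usergroup 'Fortinet-AD-Admins' (2)
2026-05-12 13:41:51 [1041] __ldap_auth_ctx_prep-Credential cannot be empty
2026-05-12 13:41:51 [439] ldap_start-Failed to init ldap ctx for NITS AD On Premise
2026-05-12 13:41:51 [906] fnbamd_cfg_get_radius_list-Loaded RADIUS server 'EAP_PROXY'
2026-05-12 13:41:51 [1420] __auth_ctx_start-Connection starts EAP_PROXY:127.0.0.1, addr 127.0.0.1:1812 proto: UDP
"""
# One regex per fnbamd event of interest; the function names are taken from the log itself.
PATTERNS = {
    "request": re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)"),
    "ldap_loaded": re.compile(r"Loaded LDAP server '([^']+)' for usergroup '([^']+)'"),
    "empty_cred": re.compile(r"__ldap_auth_ctx_prep-Credential cannot be empty"),
    "ldap_failed": re.compile(r"ldap_start-Failed to init ldap ctx for (.+)$"),
    "radius_loaded": re.compile(r"Loaded RADIUS server '([^']+)'"),
    "radius_start": re.compile(r"__auth_ctx_start-Connection starts \S+, addr (\S+)"),
}

def summarize_auth_flow(log_text):
    """Reconstruct which backends fnbamd tried for one auth request, in order."""
    s = {"req_id": None, "user": None, "group": None, "ldap_tried": [],
         "ldap_failed": [], "empty_credential": False, "radius_tried": [], "radius_target": None}
    for line in log_text.splitlines():
        if m := PATTERNS["request"].search(line):
            s["req_id"], s["user"], s["group"] = m.group(1), m.group(2), m.group(3)
        elif m := PATTERNS["ldap_loaded"].search(line):
            s["ldap_tried"].append(m.group(1))
        elif PATTERNS["empty_cred"].search(line):
            s["empty_credential"] = True
        elif m := PATTERNS["ldap_failed"].search(line):
            s["ldap_failed"].append(m.group(1).strip())
        elif m := PATTERNS["radius_loaded"].search(line):
            s["radius_tried"].append(m.group(1))
        elif m := PATTERNS["radius_start"].search(line):
            s["radius_target"] = m.group(1)
    return s

def diagnose(s):
    """Findings drawn only from what the lines record, suitable for a triage note."""
    findings = []
    for server in s["ldap_failed"]:
        why = "credential was empty at ctx prep" if s["empty_credential"] else "reason not logged"
        findings.append(f"LDAP '{server}' for group '{s['group']}' failed to initialise: {why}")
    if s["radius_target"]:
        kind = "loopback" if s["radius_target"].startswith("127.") else "remote"
        findings.append(f"fell through to RADIUS {s['radius_tried']} at {s['radius_target']} ({kind})")
    return findings
```

Feed it the full `diagnose debug application fnbamd -1` output instead of the sample to compare a working local-user login against the failing LDAP-group login side by side.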