ideait
Explorer
February 24, 2026
Solved

VPN IPsec Dialup IKE v2 authentication remote group Fauth Radius Mschap2

  • February 24, 2026
  • 1 reply
  • 797 views

In a custom dial-up VPN configuration

With ike v2 and mschap2 enabled

I need to match users who connect to the VPN with their respective groups via radius attributes passed by Forti Authenticator.

Currently, if I configure the IPSec tunnel with ike v1

Xauth within the policies, it works.

However, if I enable IKE v2, I connect to the VPN, and authentication works even with 2FA.

Nevertheless, the user is not matched on Fortigate because I do not see them in the list:
diagnose firewall auth list

Therefore, the user is not associated with the remote radius group membership in Forti Authenticator.

Is it possible to emulate the behavior of xauth while maintaining the relevant remote groups of Forti Authenticator within the policies, even with IKE v2?

I would like to avoid creating x phase1 interfaces for x groups on my Fauth that belong to two different LDAP servers.

Best answer by ideait

I solved the problem that was bothering me

ipsec phase1-interface:
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256 aes256-sha384
set negotiate-timeout 120
set dhgrp 14
set eap enable
set eap-identity send-request
set assign-ip-from name
set dns-mode auto

while in
config user radius
edit "FortiAuthenticator"

I had: set all-usergroup enable

By disabling this parameter now in: diagnose firewall auth list

I can correctly view the user with only the remote group association passed to them by fortiauthenticator.

In this way, without specifying the group in phase 1 and accepting only one radius parameter, there is the correct association of the remote user to the remote group, with a consequent match of the associated policies where there is only the required remote group.

1 reply

funkylicious
SuperUser
SuperUser
February 24, 2026

Can you see the user-group with diag vpn ike gateway list?

Also, a sanitized config of ipsec ikev2, user group, user radius and fw policy would help to get an idea on how it's configured.

"jack of all trades, master of none"
ideait
Author
Explorer
February 24, 2026

Hi,

in the diag vpn ike gateway list I view the eap-user, not the group.

Right now I have two IPsec dialup VPNs.

The first one with WAN2, created with the wizard and xauth inner policy.
Everything works fine.

The second tunnel with WAN1 has been transformed into custom and enabled ike v2.

set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set eap enable
set eap-identity send-request
set authusrgrp "(Remote Group in Fauth)"
set assign-ip-from name
set dns-mode auto

However, when I connect to the VPN, authentication via Fauth works, but I cannot browse and the user does not appear in:
diagnose firewall auth list


funkylicious
SuperUser
SuperUser
February 24, 2026

I am pretty sure that you can see also the group under the 2FA field.

the order should be:

eap_user

2FA

groups

but in my case, the command diagnose firewall auth list displays the user logged along the group_name


The diff in my config is that I don't set/use the group/authusrgrp under phase1 but on firewall rules; maybe that's why.

"jack of all trades, master of none"
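The pattern both the accepted answer and the comment above describe (no authusrgrp in phase1, RADIUS server not implicitly in every group, group enforced per firewall policy), written out as an added example; it is not configuration from the thread or from Fortinet documentation. With `set all-usergroup enable` the RADIUS server is treated as a member of every user group on the FortiGate, so every authenticated user matches every group-based policy, which is why the per-group match never distinguishes users. With it disabled, membership comes only from the group name FortiAuthenticator returns for that user, matched by `config match` under each user group. The FortiAuthenticator address, shared secret, group names, address objects, interface and policy names are placeholders, and gateway authentication (PSK or certificate) is left out of the phase1 as it is in the thread.

```text
# Added example, not from the thread. RADIUS server definition:
# all-usergroup disable so users only belong to groups whose
# match entry names the group FortiAuthenticator returns for them.
config user radius
    edit "FortiAuthenticator"
        set server "192.0.2.10"
        set secret "<shared-secret>"
        set all-usergroup disable
    next
end

# One FortiGate user group per remote group. The group-name value is
# compared against the group attribute sent by FortiAuthenticator
# (placeholder names "Sales" and "IT").
config user group
    edit "VPN-Sales"
        set member "FortiAuthenticator"
        config match
            edit 1
                set server-name "FortiAuthenticator"
                set group-name "Sales"
            next
        end
    next
    edit "VPN-IT"
        set member "FortiAuthenticator"
        config match
            edit 1
                set server-name "FortiAuthenticator"
                set group-name "IT"
            next
        end
    next
end

# Phase1 as in the accepted answer: EAP against RADIUS, no authusrgrp,
# so any FortiAuthenticator user can bring the tunnel up; the group
# decision is deferred to the policies below.
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-sha384
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set assign-ip-from name
        set ipv4-name "VPN-Pool"
        set dns-mode auto
    next
end

# Only the policy whose group matches the user's RADIUS group passes
# traffic; a user in "Sales" never matches policy 101 and vice versa.
config firewall policy
    edit 100
        set name "VPN-Sales-to-LAN"
        set srcintf "dialup-ikev2"
        set dstintf "internal"
        set srcaddr "VPN-Pool"
        set dstaddr "LAN-Sales"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN-Sales"
    next
    edit 101
        set name "VPN-IT-to-LAN"
        set srcintf "dialup-ikev2"
        set dstintf "internal"
        set srcaddr "VPN-Pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN-IT"
    next
end
```

After a user connects, `diagnose firewall auth list` should show that user with only the group whose match entry corresponds to the RADIUS group they were given; if every VPN user shows every group, check that all-usergroup is still disabled and that no other user group lists the RADIUS server as a member without a match entry.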