FortiGate
ssanga
Staff
Article Id 350300
Description This article describes a workaround and a solution for an issue where VPN users fail to establish a Dial-up IPSec VPN with SAML Authentication. The issue occurs when users fail to match the Entra ID group during the EAP phase, due to a buffer size limitation.
Scope FortiGate v7.2.8, v7.2.9, v7.2.10.
Solution

Users may fail to establish a Dial-up IPsec VPN tunnel with SAML authentication when a group-name is configured in the match entry of the SAML user group. The problem can be confirmed by examining the debug logs shown below.

config user group
    edit "IPSEC"
        set member "SAML-IPSEC"
            config match
                edit 1
                    set server-name "SAML-IPSEC"
                    set group-name "6fcfg1ea33017-43y1-9c47-fce98e1299"
                next
            end
    next
end

The following logs are seen in the debug outputs:

2024-09-24 11:21:29 [1623] fnbam_user_auth_group_match-req id: 1174100459, server: entra-id-saml, local auth: 0, dn match: 0
2024-09-24 11:21:29 [1592] __group_match-Group 'IPSEC' passed group matching
2024-09-24 11:21:29 [1595] __group_match-Add matched group 'IPSEC'(2)
2024-09-24 11:21:29 [1968] handle_req-Passed group matching
2024-09-24 11:21:29 [209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1174100459, len=2689
wpad_fnbam_read() -- got response
process_auth_result 651 -- ses_id=1174100459, auth_res=0.
process_auth_result 692 --group '244ef30d-be95-4a8c-85f9-0a627c290163' is matched.
process_auth_result 692 --group '153b8883-0116-4232-affa-265b251c2c1d' is matched.
process_auth_result 692 --group '9054caa7-f39b-4d09-873b-51a884ef14b5' is matched.
process_auth_result 692 --group 'bbe7c2a9-4b9c-44c6-b58d-9211cfefa520' is matched.
process_auth_result 708 -- user 'XXXXXXXXXXX', server 'SAML-IPSEC'.
Not enough buffer for groups
eap_comm_send_auth_result 240 rsp len:888

ep_auth_session_del 149 -- auth session deleted, ses_id=1174100459
2024-07-30 11:35:06 fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-03 F3 00 04
2024-07-30 11:35:06 [1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 0
2024-07-30 11:35:06 [1479] fnbamd_auth_handle_radius_result-RADIUS auth succeeds with server 'SAML-IPSEC'
2024-07-30 11:35:06 [1616] fnbam_user_auth_group_match-req id: 875455619, server: SAML-IPSEC, local auth: 0, dn match: 0
2024-07-30 11:35:06 [280] find_matched_usr_grps-Failed group matching <------------------------------------------------
2024-07-30 11:35:06 [209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 875455619, len=2540
2024-07-30 11:35:06.339816 ike 2:IPSEC-SAML:1521 EAP 875455619 result 1
2024-07-30 11:35:06 [792] destroy_auth_session-delete session 875455619
2024-07-30 11:35:06.339835 ike 2:IPSEC-SAML: EAP failed for user "573E1FTR80146A48FBB39A8E35AC5F94" <----------------------------
2024-07-30 11:35:06.339863 ike 2:IPSEC-SAML:1521: responder preparing EAP pass through message

This issue has been resolved in FortiOS versions 7.2.11, 7.4.5, and 7.6.1.

Workaround: Remove the group name from the SAML user group.
config user group
    edit "IPSEC"
        set member "SAML-IPSEC"
        config match
            delete 1
        end
    next
end
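As an added example that is not part of the original article, the following Python script applies the log signature described above to a captured debug output: it collects the matched Entra ID group IDs, flags the 'Not enough buffer for groups' and 'Failed group matching' lines, and maps the result to the article's affected versions and workaround. The sample debug text is constructed from the lines quoted above, and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the article's debug output (ids are the placeholders from the article).
SAMPLE_DEBUG = """\
process_auth_result 692 --group '244ef30d-be95-4a8c-85f9-0a627c290163' is matched.
process_auth_result 692 --group '153b8883-0116-4232-affa-265b251c2c1d' is matched.
process_auth_result 692 --group '9054caa7-f39b-4d09-873b-51a884ef14b5' is matched.
process_auth_result 692 --group 'bbe7c2a9-4b9c-44c6-b58d-9211cfefa520' is matched.
process_auth_result 708 -- user 'XXXXXXXXXXX', server 'SAML-IPSEC'.
Not enough buffer for groups
eap_comm_send_auth_result 240 rsp len:888
2024-07-30 11:35:06 [280] find_matched_usr_grps-Failed group matching
2024-07-30 11:35:06.339835 ike 2:IPSEC-SAML: EAP failed for user "573E1FTR80146A48FBB39A8E35AC5F94"
"""
GROUP_RE = re.compile(r"--group '([^']+)' is matched\.")
EAP_FAIL_RE = re.compile(r'EAP failed for user "([^"]+)"')
AFFECTED = {"7.2.8", "7.2.9", "7.2.10"}  # article Scope; fixed in 7.2.11, 7.4.5, 7.6.1

@dataclass
class Triage:
    matched_groups: list = field(default_factory=list)  # group IDs fnbamd matched before the overflow
    buffer_exhausted: bool = False                       # 'Not enough buffer for groups' seen
    group_match_failed: bool = False                     # 'Failed group matching' seen
    failed_users: list = field(default_factory=list)     # users whose EAP exchange failed
    def matches_article_signature(self) -> bool:
        # All three markers together are the fingerprint the article describes.
        return self.buffer_exhausted and self.group_match_failed and bool(self.failed_users)

def triage_debug(text: str) -> Triage:
    t = Triage()
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            t.matched_groups.append(m.group(1))
        if "Not enough buffer for groups" in line:
            t.buffer_exhausted = True
        if "Failed group matching" in line:
            t.group_match_failed = True
        if m := EAP_FAIL_RE.search(line):
            t.failed_users.append(m.group(1))
    return t

def recommendation(version: str, t: Triage) -> str:
    if not t.matches_article_signature():
        return "signature not found"
    if version in AFFECTED:
        return "upgrade to a fixed release or remove group-name from the SAML user group"
    return "signature found on unlisted version; open a TAC case with the listed debugs"
```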

Logs Required by FortiGate TAC for Investigation.

Debugs:

diag debug application ike -1
diag debug application authd 60
diag debug application samld -1
diag debug application fnbamd -1
diag debug application eap_proxy -1
diag debug console timestamp enable
diag debug enable

To disable the debugs, use the command 'diag debug disable'.

  1. TAC Report:

    execute tac report

  2. The configuration file of the FortiGate.