FortiGate
mle2802
Staff
Article Id 363196
Description This article describes how to fix an IPsec VPN dial-up client that stays in the connecting state when DUO SAML is used for authentication and the IKE debug shows 'EAP failure'.
Scope FortiGate and DUO.
Solution When IPsec VPN dial-up is configured with DUO SAML for authentication, the client gets stuck in the connecting state:

Screenshot 2024-12-07 134027.png

Running an IKE debug on the FortiGate shows the authentication being rejected by fnbamd (the daemon that handles SAML/EAP user authentication) and the tunnel being torn down:

FGT_1 # diagnose debug reset
FGT_1 # diagnose debug application ike -1
Debug messages will be on for 30 minutes.

FGT_1 # diagnose debug enable

ike 0:RA-IPsec:1907: responder received EAP msg
ike 0:RA-IPsec:1907: send EAP message to FNBAM
ike 0:RA-IPsec:1907: initiating EAP authentication
ike 0:RA-IPsec: EAP user "42DA54BF24EB4AE5A007AF33CF4D167A"
ike 0:RA-IPsec: auth group DUO SAML
ike 0:RA-IPsec: EAP 1351799958 pending
ike 0:RA-IPsec:1907 EAP 1351799958 result FNBAM_DENNIED
ike 0:RA-IPsec: EAP failed for user "42DA54BF24EB4AE5A007AF33CF4D167A"
ike 0:RA-IPsec: connection expiring due to EAP failure
ike 0:RA-IPsec: deleting
ike 0:RA-IPsec: deleted

Checking the user group configuration under User & Authentication -> User Groups shows that group matching is set to match a specific group attribute value; in this case, 'Co-operate'.

Screenshot 2024-12-07 141538.png
Make sure that the value specified here matches exactly the group value that DUO sends in the SAML assertion (the comparison is a literal string match), and that the DUO application is actually configured to send group information. If either is not the case, change group matching to 'Any' and test again. 'Any' places every user that DUO authenticates into the group, so use it to confirm the SAML flow and then restore the specific match once the attribute name and value that DUO sends have been confirmed in the debug output.

Screenshot 2024-12-07 142231.png


With group matching set to 'Any', the debug shows EAP authentication succeeding and the VPN comes up. The __group_match lines below come from the fnbamd daemon; to see them alongside the IKE messages, also run 'diagnose debug application fnbamd -1' before enabling debug.

FGT_1 # diagnose debug reset
FGT_1 # diagnose debug application ike -1
Debug messages will be on for 30 minutes.

FGT_1 # diagnose debug enable

[581] __group_match-Check if DuoSSO is a group member
[587] __group_match-Group 'VPN-Users' passed group matching
[590] __group_match-Add matched group 'DUO SAML'(2)
[206] find_matched_usr_grps-Passed group matching
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 32014794493961, len=2600
[600] destroy_auth_session-delete session 32014794493961
ike V=root:0:RA-IPsec:14 EAP 32014794493961 result FNBAM_SUCCESS
ike V=root:0:RA-IPsec: EAP succeeded for user "42DA54BF24EB4AE5A007AF33CF4D167A" group "DO SAML" 2FA=no

Note:
If Azure SAML is used, ensure that the value configured under 'Attribute used to identify groups' on the SAML server object matches the name of the group attribute (claim) that Azure sends in the assertion; otherwise the FortiGate never sees any group value and specific group matching fails in the same way.


Screenshot 2025-04-18 151742.png
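The CLI equivalent of the two settings discussed above (the specific group match and 'Any'), together with the SAML server's group attribute setting, as an added example that is not from the original article. The object names DuoSSO and DUO SAML and the value 'Co-operate' are taken from the debug output and screenshots above; the attribute name 'Groups' and the omitted SP/IdP URLs and certificates are assumptions and must be taken from the actual DUO or Azure application configuration.

```fortios
# Added example, not the article's own configuration.
# Attribute name "Groups" is an assumption; SP/IdP URLs and certs are omitted.

# SAML server object. 'group-name' is the GUI's "Attribute used to identify
# groups": it must equal the attribute (claim) name the IdP puts in the assertion.
config user saml
    edit "DuoSSO"
        set user-name "Email"
        set group-name "Groups"
    next
end

# Failing form (the article's first state): only users whose "Groups"
# attribute contains exactly "Co-operate" pass. If DUO sends a different
# value, or no group attribute at all, fnbamd returns FNBAM_DENNIED and
# IKE reports "EAP failed".
config user group
    edit "DUO SAML"
        set member "DuoSSO"
        config match
            edit 1
                set server-name "DuoSSO"
                set group-name "Co-operate"
            next
        end
    next
end

# Working form ("Any"): removing the match entry means every user that
# DuoSSO authenticates is placed in "DUO SAML". Use this to confirm the SAML
# flow, read the group value DUO actually sends from the fnbamd debug, then
# put that exact value back into 'set group-name' to restrict access again.
config user group
    edit "DUO SAML"
        set member "DuoSSO"
        config match
            delete 1
        end
    next
end
```

The GUI's 'Any' setting corresponds to a user group with no entries under 'config match'; the SAML server is still listed under 'member', so authentication itself is unchanged and only the group membership test is relaxed.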

Related document:
Group matching logic on FortiGate