Matt_B
Staff & Editor
Article Id 418084
Description: This article describes a limitation of IKEv2 dialup gateways when a RADIUS server is used for authentication.
Scope: FortiOS v7.4, IKEv2 dialup gateway.
Solution

LDAP authentication for IKEv2 tunnels is supported using EAP-TTLS with FortiClient v7.4.3 and later; see Technical Tip: IKEv2 dial up VPN with LDAP authentication.

 

IKEv1 and IKEv2 dialup gateways support authentication based on multiple groups configured on firewall policies, see the article Technical Tip: How to use multiple groups with EAP for IKEv2 (SAML/RADIUS/local).

 

However, if a RADIUS user group is referenced on a firewall policy for an IKEv2 dialup tunnel, no other authentication method (LDAP, SAML, local) will succeed for that tunnel.

 

For example, consider the following diagram: a single VPN dialup gateway whose firewall policies carry user groups for every authentication source shown (RADIUS, LDAP, SAML). Only the RADIUS users will be able to authenticate to that VPN tunnel.

 

(Figure: Network Diagram.drawio.png)

 

Similarly, if multiple RADIUS servers are referenced by the user groups on the tunnel's firewall policies, only users that exist on the first configured RADIUS server will be able to authenticate.

 

Resolution:

Configure a dedicated dial-up gateway (phase1-interface) for each RADIUS server, enable network-overlay and assign each gateway a distinct network-id on the FortiGate, and configure the matching network-id on the FortiClient side so that clients land on the intended dial-up gateway. On each dedicated gateway's firewall policies, reference only the user group(s) of that gateway's RADIUS server.

Incomplete example configuration:

 

config vpn ipsec phase1-interface
    edit "IKEv2_RAD_A"
        set network-overlay enable
        set network-id 17
    next
end

 

config user group
    edit "RADIUS_A VPN Downtown"
        set member "RADIUS_A"
        config match
            edit 1
                set server-name "RADIUS_A"
                set group-name "VPN Allowed Downtown"
            next
        end
    next
    edit "RADIUS_A VPN Branch"
        set member "RADIUS_A"
        config match
            edit 1
                set server-name "RADIUS_A"
                set group-name "VPN Allowed Branch"
            next
        end
    next
end

 

config firewall policy
    edit <index>
        set name "Allow RADIUS_A VPN users"
        set srcintf "IKEv2_RAD_A"
        set groups "RADIUS_A VPN Downtown" "RADIUS_A VPN Branch" <----- Multiple user groups are allowed, as long as they all reference the same RADIUS server.
    next
    edit <index>
        set name "Allow non-RADIUS VPN users"
        set srcintf "IKEv2_Dialup"
        set groups "SAML VPN Users" "LDAP VPN Users" "Local VPN Users"
    next
end
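The two failure conditions above (a RADIUS group sharing an IKEv2 dialup tunnel with LDAP/SAML/local groups, and more than one RADIUS server behind one tunnel) are easy to introduce by accident when policies are added over time. The following script is an added example, not code from this article or from Fortinet: it parses a FortiOS CLI configuration (the config/edit/set/next/end tree) and reports, per IKEv2 dialup phase1-interface, whether its firewall policies reference a combination of user groups that this article says will not authenticate. It relies only on the FortiOS defaults `type static` and `ike-version 1` for phase1-interface, and classifies a group member by looking it up in the `config user radius`, `config user ldap` and `config user saml` tables; anything not found there is treated as a local user. SAMPLE_CONFIG, including every server, group and interface name and every address in it, is constructed for this example; the first tunnel in it shows the broken layout, the second the layout recommended in the resolution.

```python
# Added example, not code from the Fortinet article or from Fortinet: audits a FortiOS
# configuration for the limitation described above. SAMPLE_CONFIG and every name and
# address in it are constructed for this example.
import shlex

def parse_fortios(text):
    """Turn FortiOS config/edit/set/next/end CLI text into nested dicts (set values as lists)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens: continue
        kw = tokens[0]
        if kw == "config":      # a table ("user group") or sub-table ("match") opens a scope
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":      # an entry keyed by its quoted name or numeric index
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif kw in ("next", "end"):
            stack.pop()
    return root

def ikev2_dialup_interfaces(cfg):
    """Phase1-interfaces that are dialup (type dynamic) and negotiate IKEv2."""
    p1 = cfg.get("vpn ipsec phase1-interface", {})
    return {n for n, v in p1.items()
            if v.get("type", ["static"])[0] == "dynamic" and v.get("ike-version", ["1"])[0] == "2"}

def group_backends(cfg):
    """Map each user group to the (kind, server) pairs its members resolve to."""
    servers = {k: set(cfg.get(f"user {k}", {})) for k in ("radius", "ldap", "saml")}
    def kind(member):          # anything that is not a configured server is treated as a local user
        return next((k for k, names in servers.items() if member in names), "local")
    return {g: {(kind(m), m) for m in v.get("member", [])}
            for g, v in cfg.get("user group", {}).items()}

def audit_policies(cfg):
    """Report, per IKEv2 dialup tunnel, the group combinations the article says will not authenticate."""
    dialup, backends = ikev2_dialup_interfaces(cfg), group_backends(cfg)
    per_tunnel = {}
    for pol in cfg.get("firewall policy", {}).values():
        for intf in pol.get("srcintf", []):
            if intf in dialup:
                for grp in pol.get("groups", []):
                    per_tunnel.setdefault(intf, set()).update(backends.get(grp, set()))
    findings = []
    for intf, bset in per_tunnel.items():
        radius = sorted(s for k, s in bset if k == "radius")
        others = sorted(f"{k}:{s}" for k, s in bset if k != "radius")
        if radius and others:   # a RADIUS group on the tunnel blocks LDAP/SAML/local logins
            findings.append({"tunnel": intf, "issue": "mixed", "radius": radius, "other": others})
        if len(radius) > 1:     # only users on the first configured RADIUS server will authenticate
            findings.append({"tunnel": intf, "issue": "multi-radius", "radius": radius, "other": []})
    return findings

SAMPLE_CONFIG = """
config user radius
    edit "RADIUS_A"
    next
    edit "RADIUS_B"
    next
end
config user ldap
    edit "LDAP_A"
    next
end
config user group
    edit "RADIUS_A VPN Downtown"
        set member "RADIUS_A"
    next
    edit "RADIUS_B VPN Users"
        set member "RADIUS_B"
    next
    edit "LDAP VPN Users"
        set member "LDAP_A"
    next
end
config vpn ipsec phase1-interface
    edit "IKEv2_Dialup"
        set type dynamic
        set ike-version 2
    next
    edit "IKEv2_RAD_A"
        set type dynamic
        set ike-version 2
    next
end
config firewall policy
    edit 1
        set srcintf "IKEv2_Dialup"
        set groups "RADIUS_A VPN Downtown" "RADIUS_B VPN Users" "LDAP VPN Users"
    next
    edit 2
        set srcintf "IKEv2_RAD_A"
        set groups "RADIUS_A VPN Downtown"
    next
end
"""
```

Run it against the output of `show full-configuration` (or a backup file) by passing the text to `parse_fortios` and then `audit_policies`; for SAMPLE_CONFIG it reports the "IKEv2_Dialup" tunnel twice (mixed backends, and two RADIUS servers) and nothing for "IKEv2_RAD_A". The check aggregates groups across all policies with the same srcintf rather than per policy, because the limitation applies to the tunnel as a whole, not to the individual policy that happens to carry the RADIUS group.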

 

Related documents:

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication

FortiClient 7.4.4 EMS Administration Guide | IPsec VPN

Technical Tip: FortiClient support for multiple IKEv2 dialup tunnels at the same FortiGate Remote Ga...

 
