csharma85
Staff
Article Id 416366
Description

This article describes why EAP-TTLS authentication fails when an LDAP-based user group whose DN exceeds 127 characters is referenced in an IKEv2 dial-up tunnel.

Scope

FortiGate.

Solution

If an LDAP-based user is a member of a group whose DN exceeds 127 characters, that group is not returned, and this appears to break the buffering of the groups listed after it, so they are not returned either.

 

The LDAP-based user group is configured on the FortiGate as follows:

 

config user group
    edit "FortiClientUserIT_LDAP"
        set member "LDAP"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=fortigroup,CN=Users,DC=forti,DC=lab"
            next
        end
    next
end

 

IPsec configuration:

 

config vpn ipsec phase1-interface
    edit "multigroup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set authusrgrp "FortiClientUserIT_LDAP"    <----- For IKEv2, there is no user group option in the GUI. Reference the group here instead.
        set transport udp
        set peerid "multigroup"
        set ipv4-start-ip 192.168.198.1
        set ipv4-end-ip 192.168.198.10
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set save-password enable
        set psksecret fortinet
    next
end

 

LDAP user authentication succeeds, and the following group memberships are fetched for the user:

 

FGT# diagnose test authserver ldap LDAP forti2 fortinet
authenticate 'forti2' against 'LDAP' succeeded!
Group membership(s) - CN=group00019,OU=Department Groups,DC=forti,DC=lab
                      CN=group00018,OU=Department Groups,DC=forti,DC=lab
                      CN=group00017,OU=Department Groups,DC=forti,DC=lab
                      CN=group00016,OU=Department Groups,DC=forti,DC=lab
                      CN=group00015,OU=Department Groups,DC=forti,DC=lab
                      CN=group00014,OU=Department Groups,DC=forti,DC=lab
                      CN=group00013,OU=Department Groups,DC=forti,DC=lab
                      CN=group00012,OU=Department Groups,DC=forti,DC=lab
                      CN=group00011,OU=Department Groups,DC=forti,DC=lab
                      CN=group00010,OU=Department Groups,DC=forti,DC=lab
                      CN=group00009,OU=Department Groups,DC=forti,DC=lab
                      CN=group00008,OU=Department Groups,DC=forti,DC=lab
                      CN=group00007,OU=Department Groups,DC=forti,DC=lab
                      CN=group00006,OU=IS-Projects_b44ff0034db6,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=group00005,OU=IS - Project - Maint Building Security Cameras_3a85a397fe40,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab    <----- This group's DN is longer than 127 characters.
                      CN=group00004,OU=IS-Projects_b44ff0034db6,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=group00003,OU=IS-Projects_b44ff0034db6,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=group00002,OU=IS - NetworkEngineering_48df96024f87,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=group00001,OU=IS-Projects_b44ff0034db6,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=Itinerantes,CN=Users,DC=forti,DC=lab
                      CN=markusgroup (test01),OU=\+DE,OU=Information Szstems,OU=Departments,DC=forti,DC=lab
                      CN=fortigroup,CN=Users,DC=forti,DC=lab
                      CN=Domain Users,CN=Users,DC=forti,DC=lab
Domain of user is forti.lab

 

Debugs:

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 x.x.x.x    <----- Public IP of the endpoint.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

 

The issue matches a known bug (1182725), which will be resolved in v7.4.10, v7.6.5, and v8.0.0.

 

Workaround:

Remove or adjust the user's group memberships whose DNs exceed 127 characters, so that no group DN returned for the user is longer than the limit.
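To find which memberships need adjusting before applying the workaround, the following added script (not part of the article or FortiOS) parses the output of 'diagnose test authserver ldap', flags every group DN over 127 characters and, following the behaviour the article describes, reports which groups after the first over-limit DN would be lost and whether the DN configured under 'config match' would still be delivered. The sample output and the DN limit constant are constructed for this example.

```python
# Constructed sample modelled on 'diagnose test authserver ldap' output
# (not captured from a real device).
SAMPLE_OUTPUT = """\
authenticate 'forti2' against 'LDAP' succeeded!
Group membership(s) - CN=group00007,OU=Department Groups,DC=forti,DC=lab
                      CN=group00006,OU=IS-Projects_b44ff0034db6,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=group00005,OU=IS - Project - Maint Building Security Cameras_3a85a397fe40,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=group00004,OU=IS-Projects_b44ff0034db6,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab
                      CN=fortigroup,CN=Users,DC=forti,DC=lab
Domain of user is forti.lab
"""

DN_LIMIT = 127  # per-group DN length limit described in the article (assumed constant)
MEMBERSHIP_PREFIX = "Group membership(s) -"


def parse_group_dns(output: str) -> list[str]:
    """Extract the group DNs, in listing order, from the diagnose output."""
    dns, collecting = [], False
    for line in output.splitlines():
        if line.startswith(MEMBERSHIP_PREFIX):
            collecting = True
            line = line[len(MEMBERSHIP_PREFIX):]
        elif collecting and not line.startswith(" "):
            break  # a non-indented line (e.g. 'Domain of user ...') ends the list
        if collecting and line.strip():
            dns.append(line.strip())
    return dns


def check_dn_lengths(dns: list[str], limit: int = DN_LIMIT) -> dict:
    """Report over-limit DNs and, per the article's behaviour, which groups are lost.

    The first over-limit DN is dropped and every group listed after it is lost too,
    so 'kept' is the prefix before it and 'lost' is the suffix starting at it.
    """
    too_long = [dn for dn in dns if len(dn) > limit]
    first_bad = next((i for i, dn in enumerate(dns) if len(dn) > limit), len(dns))
    return {"too_long": too_long, "kept": dns[:first_bad], "lost": dns[first_bad:]}


def would_match(dns: list[str], configured_dn: str, limit: int = DN_LIMIT) -> bool:
    """True if the DN set under 'config match' would still reach group matching."""
    return configured_dn in check_dn_lengths(dns, limit)["kept"]


if __name__ == "__main__":
    result = check_dn_lengths(parse_group_dns(SAMPLE_OUTPUT))
    for dn in result["too_long"]:
        print(f"over limit ({len(dn)} chars): {dn}")
    print("groups lost after first over-limit DN:", len(result["lost"]))
```

Replace SAMPLE_OUTPUT with the real diagnose output to see which memberships to trim; once no DN exceeds the limit, would_match() returns True for the configured group.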

 

Note:

To stop the debugging, run the following commands:

 

diagnose debug disable
diagnose debug reset

 

2025-08-28 01:08:38 [1305] fnbamd_rad_process-Result from radius svr 'EAP_PROXY' is 0, req 9363167064078
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00019,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00018,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00017,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00016,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00015,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00014,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00013,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00012,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00011,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00010,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00009,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00008,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00007,OU=Department Groups,DC=forti,DC=lab
2025-08-28 01:08:38 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00006,OU=IS -Projects_b44ff0034db6,OU=o365,OU=Special User and Service Accounts,DC=forti,DC=lab    <----- No further group info: the group00005 DN exceeds 127 characters, so it did not appear and the groups listed after it failed as well.
2025-08-28 01:08:38 [562] fnbamd_rad_get_vsas-FORTINET attr, type 255, val LDAP
2025-08-28 01:08:38 [562] fnbamd_rad_get_vsas-FORTINET attr, type 253, val forti2
...
2025-08-28 01:08:38 [596] __group_match-Use 'forti2' for user group matching.
2025-08-28 01:08:38 [633] __group_match-Check if LDAP is a group member
2025-08-28 01:08:38 [209] find_matched_usr_grps-Failed group matching

 

Reference article: Technical Tip: IKEv2 dial up VPN with LDAP authent... - Fortinet Community