When users attempt to connect to the SSL VPN FortiClient with two-factor authentication, specifically with Microsoft Azure, the following error shows up:

RSA NEW PIN IS WRONG -7201

To troubleshoot and narrow down this issue, follow these steps:

1. Take the debug logs with these commands:

diagnose debug app sslvpn -1
diagnose debug app fnbamd -1
diagnose debug enable

2. Now, check the logs and see if this error is appearing:

[221:root:38e1]login_failed:388 user[syd0-NPS-test01],auth_type=1 failed [sslvpn_login_no_matching_policy]

3. This indicates that the group matching is failing on the firewall.

It is likely to happen when the Radius Vendor Specific Attributes (VSA) being sent in the Radius access accept packet is not something the FortiGate understands, so it is recommended to correct that and make sure that the attribute is the same, such as the group name (it is case-sensitive).

FortiGate will look for RADIUS AVP Fortinet-Group-Name (and extract its value for group matching).

This is what the transaction will look like:

4. Note that some RADIUS servers, like FortiAuthenticator, can provide RADIUS attributes on a per-user or per-group basis.

So, either every single user has their own AVP, or the user is a group member, and when authentication happens, then the user inherits AVP from the group.

5. Make sure to follow the correct VSAs to map on the radius server.    

    

    

6. If the issue persists after getting the correct value in captures, open tickets with the TAC team.

    

Related articles:

Technical Tip: Authentication, Remote server group match of user group configuration with RADIUS ser...

Technical Tip: Fortinet's RADIUS Dictionary (VSA - vendor-specific attributes), NTRadPing