Description | This article describes an issue usually encountered when users connect to SSL-VPN with MFA using RADIUS authentication. |
Scope | FortiOS (all versions). |
Solution |
When users attempt to connect to SSL-VPN with FortiClient using two-factor authentication, specifically with Microsoft Azure, the following error is shown:
RSA NEW PIN IS WRONG -7201
In order to troubleshoot and narrow down this issue, follow these steps:
1) Take the debug logs with these commands:
# diag debug app sslvpn -
2) Now, check the logs and see whether this error appears:
[221:root:38e1]login_failed:388 user[syd0-NPS-test01],auth_type=1 failed [sslvpn_login_no_matching_policy]
3) This indicates that group matching is failing on the firewall. This is likely to happen when the RADIUS VSA sent in the RADIUS Access-Accept packet is not something the FortiGate understands, so it is recommended to correct that and make sure the attribute, such as the group name, is exactly the same (it is case sensitive).
FortiGate will look for the RADIUS AVP Fortinet-Group-Name.
This is what the transaction will look like:
4) Note that some RADIUS servers like FortiAuthenticator can provide RADIUS attributes on a per-user or per-group basis.
5) Make sure to follow the correct VSA attributes to map on the RADIUS server.
6) If the issue still persists after getting the correct value in captures, open tickets with the TAC team.
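One way to check a captured Access-Accept against the group configured on the FortiGate is shown below. This is an added example, not Fortinet code: it walks the RADIUS attributes, pulls Fortinet-Group-Name out of the Vendor-Specific attribute (vendor ID 12356, attribute 1 in the Fortinet dictionary) and reports a case-only mismatch separately. The function names, the group name "SSLVPN-Users" and the sample packet are assumptions constructed for the demonstration.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name in the Fortinet RADIUS dictionary
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26

def fortinet_groups(packet: bytes) -> list:
    """Return every Fortinet-Group-Name value carried in a RADIUS Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    groups, pos = [], 20     # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue         # not a VSA (for example Class or Filter-Id)
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue         # another vendor's VSA, ignored for group matching
        sub, i = value[4:], 0
        while i + 2 <= len(sub):
            vtype, vlen = sub[i], sub[i + 1]
            if vlen < 2 or i + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == FORTINET_GROUP_NAME:
                groups.append(sub[i + 2:i + vlen].decode("utf-8", "replace"))
            i += vlen
    return groups

def diagnose(packet: bytes, expected: str) -> str:
    """Compare the returned group(s) with the group name configured on the firewall."""
    groups = fortinet_groups(packet)
    if expected in groups:
        return "match"
    if any(g.lower() == expected.lower() for g in groups):
        return "case-mismatch"   # same name, different case: matching fails
    return "different-group" if groups else "missing"

def sample_accept(group: str) -> bytes:
    """Constructed Access-Accept (zeroed authenticator), for the demonstration only."""
    g = group.encode()
    vsa = (bytes([VENDOR_SPECIFIC, 8 + len(g)]) + struct.pack("!I", FORTINET_VENDOR_ID)
           + bytes([FORTINET_GROUP_NAME, 2 + len(g)]) + g)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(vsa)) + bytes(16) + vsa
```

A result of "missing" means the server returned no Fortinet-Group-Name at all, which points at the attribute mapping on the RADIUS server rather than at the spelling of the group.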
Reference link below:
|