FortiGate
yangw
Staff
Article Id 268816
Description: This article describes how to troubleshoot a remote/local authentication issue by using debug commands.
Scope: FortiGate.
Solution

Consider an example where the local user 'gene' was added to the user group 'LDAPuser', which also contains the Google LDAPS remote authentication server.

IPsec VPN remote authentication with this user name fails.

The authentication settings:

config user_ldap:

GoogleLDAPS:
        server: "ldap.google.com"
        server-identity-check: disable
        cnid: "uid"
        dn: "dc=twtac,dc=lab"
        type: regular
        secure: ldaps
        port: 636
        search-type: recursive
        client-cert-auth: enable
        client-cert: "GoogleLDAPS"

config user_group:

LDAPuser:
        member: "GoogleLDAPS" "gene"

To get more information about the reason for the authentication failure, run the following commands in the CLI:

diagnose test authserver ldap <LDAP server_name> <username> <password>
diagnose debug application fnbamd -1
diagnose debug enable

In this case, the remote authentication test for the user name passed with no issues. Note that this test queries the LDAP server directly and skips group matching, so it does not exercise the local user entry in the group:

[2707] fnbamd_ldap_result-Result for ldap svr ldap.google.com(GoogleLDAPS) is SUCCESS
[2722] fnbamd_ldap_result-Skipping group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1871017150, len=2540
[792] destroy_auth_session-delete session 1871017150
authenticate 'gene' against 'GoogleLDAPS' succeeded!  <-----

Reproduce the authentication failure with a dial-up VPN connection:

diagnose vpn ike log-filter src-addr4 <client IP>   <- Use the client's public IP if the client dials up from the internet.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable

Note:

In v7.4.0, the 'diagnose vpn ike log-filter src-addr4' command was changed to 'diagnose vpn ike log-filter loc-addr4', and starting in v7.4.1 it was changed to 'diagnose vpn ike log filter loc-addr4'.

For more details, see the related article 'IPsec Tunnel (debugging IKE)'.

In the debug output below, the user name 'gene' failed local authentication.

gene:

ike 0:Forti_1:16422: received XAUTH_USER_NAME 'gene' length 8
ike 0:Forti_1:16422: received XAUTH_USER_PASSWORD length 12
ike 0:Forti_1: XAUTH user "gene"
ike 0:Forti: auth group LDAPuser
local auth is done with user 'gene', ret=1   <- A local user name in the configured group is validated first, before any remote server in the group is consulted.
ike 0:Forti_1: XAUTH failed for user "gene", retry(2).

The user name 'sla' is not configured as a local user in the group LDAPuser, so it is authenticated directly through Google LDAPS:

sla:

ike 0:Forti_1:16422: received XAUTH_USER_NAME 'sla' length 10
ike 0:Forti_1:16422: received XAUTH_USER_PASSWORD length 11
ike 0:Forti_1: XAUTH user "sla"
ike 0:Forti: auth group LDAPuser
ike 0:Forti_1: XAUTH 1871020438 pending
[1890] handle_req-Rcvd auth req 1871020438 for sla in LDAPuser opt=00000000 prot=5
[473] __compose_group_list_from_req-Group 'LDAPuser', type 1
[969] fnbamd_saml_auth_cache_lookup-Authneticating 'sla'.
[616] fnbamd_pop3_start-sla
[378] radius_start-Didn't find radius servers (0)
[760] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1007] __fnbamd_cfg_get_ldap_list_by_group-
[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'GoogleLDAPS' for usergroup 'LDAPuser' (4)

In this case, the local user 'gene' has a different password from the remote user of the same name in Google LDAPS, so the local check fails before the LDAP server is consulted. To fix the issue, remove the local user 'gene' from the user group 'LDAPuser' so that the user is authenticated remotely.
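As an added example (not part of the original article and not a Fortinet tool), the following Python script parses the ike and fnbamd debug lines shown above and reports, per user, whether the login was settled by a local user in the group or forwarded to the LDAP server. The sample debug text is constructed from the excerpts in this article, with a SUCCESS result line added for 'sla' (the article's excerpt stops before fnbamd returns a result); the regular expressions target only the message formats visible here, and the sets of local users and LDAP servers passed to shadowing_local_members() are assumptions taken from the configuration above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the ike/fnbamd debug excerpts from this article, trimmed to the
# lines the parser reads. The final LDAP result line for 'sla' is constructed here;
# the article's excerpt for 'sla' stops before fnbamd returns a result.
SAMPLE_DEBUG = """\
ike 0:Forti_1:16422: received XAUTH_USER_NAME 'gene' length 8
ike 0:Forti_1: XAUTH user "gene"
ike 0:Forti: auth group LDAPuser
local auth is done with user 'gene', ret=1
ike 0:Forti_1: XAUTH failed for user "gene", retry(2).
ike 0:Forti_1:16422: received XAUTH_USER_NAME 'sla' length 10
ike 0:Forti_1: XAUTH user "sla"
ike 0:Forti: auth group LDAPuser
ike 0:Forti_1: XAUTH 1871020438 pending
[1890] handle_req-Rcvd auth req 1871020438 for sla in LDAPuser opt=00000000 prot=5
[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'GoogleLDAPS' for usergroup 'LDAPuser' (4)
[2707] fnbamd_ldap_result-Result for ldap svr ldap.google.com(GoogleLDAPS) is SUCCESS
"""

# Patterns follow the message formats visible in the article's debug output.
XAUTH_USER = re.compile(r'XAUTH user "([^"]+)"')
AUTH_GROUP = re.compile(r'auth group (\S+)')
LOCAL_AUTH = re.compile(r"local auth is done with user '([^']+)', ret=(\d+)")
XAUTH_FAIL = re.compile(r'XAUTH failed for user "([^"]+)"')
FNBAMD_REQ = re.compile(r'Rcvd auth req \d+ for (\S+) in (\S+)')
LDAP_LOADED = re.compile(r"Loaded LDAP server '([^']+)' for usergroup '([^']+)'")
LDAP_RESULT = re.compile(r'Result for ldap svr \S+\((\w+)\) is (\w+)')


@dataclass
class AuthAttempt:
    user: str
    group: Optional[str] = None
    path: Optional[str] = None         # "local" or "ldap"
    ldap_server: Optional[str] = None
    outcome: Optional[str] = None      # "failed" (XAUTH) or the fnbamd result word


def parse_debug(text: str) -> List[AuthAttempt]:
    """Group ike/fnbamd debug lines by user and record which path settled each login."""
    attempts: Dict[str, AuthAttempt] = {}   # insertion-ordered by first sighting
    current: Optional[AuthAttempt] = None
    for line in text.splitlines():
        m = XAUTH_USER.search(line) or FNBAMD_REQ.search(line)
        if m:
            # Both lines name the user, so they (re)select the attempt being filled in.
            current = attempts.setdefault(m.group(1), AuthAttempt(user=m.group(1)))
            if m.re is FNBAMD_REQ:
                current.group = m.group(2)
            continue
        if current is None:
            continue  # nothing attributable before the first user name is seen
        if m := AUTH_GROUP.search(line):
            current.group = m.group(1)
        elif LOCAL_AUTH.search(line):
            current.path = "local"  # IKE validated a local user; fnbamd was not asked
        elif XAUTH_FAIL.search(line):
            current.outcome = "failed"
        elif m := LDAP_LOADED.search(line):
            current.path = "ldap"
            current.ldap_server = m.group(1)
        elif m := LDAP_RESULT.search(line):
            current.ldap_server = m.group(1)
            current.outcome = m.group(2)
    return list(attempts.values())


def diagnose(attempt: AuthAttempt) -> str:
    """Explain one attempt in troubleshooting terms."""
    if attempt.path == "local" and attempt.outcome == "failed":
        return (f"{attempt.user}: matched a local user in group {attempt.group} and the local "
                f"check failed, so the remote server was never consulted. Check the local "
                f"password or remove the local member from the group so LDAP handles this user.")
    if attempt.path == "ldap":
        return (f"{attempt.user}: forwarded to LDAP server {attempt.ldap_server} "
                f"for group {attempt.group}, result {attempt.outcome}")
    return f"{attempt.user}: authentication path could not be determined from the debug lines"


def shadowing_local_members(members, local_users, ldap_servers) -> List[str]:
    """Local users placed in the same group as an LDAP server. Such a user is matched
    locally first, so a password that differs from the directory password fails the
    login before LDAP is reached, which is the situation this article describes."""
    if not any(m in ldap_servers for m in members):
        return []
    return [m for m in members if m in local_users]


if __name__ == "__main__":
    for attempt in parse_debug(SAMPLE_DEBUG):
        print(diagnose(attempt))
    # Membership taken from the article's config; which names are local users and which
    # are LDAP servers is an assumption here (FortiOS knows it from the object types).
    print("shadowing members:", shadowing_local_members(
        ["GoogleLDAPS", "gene"], local_users={"gene"}, ldap_servers={"GoogleLDAPS"}))
```

Run it against a capture of `diagnose debug application ike -1` and `diagnose debug application fnbamd -1` output: an attempt reported as "local ... failed" with an LDAP server in the same group is the mixed-membership case this article resolves, and shadowing_local_members() points at the group member to remove.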