FortiGate
AnthonyH, Staff
Article Id 418473
Description This article describes a known issue where a user may fail to match a group when a group DN exceeds 127 characters, which also causes all subsequent groups to fail to match.
Scope FortiGate.
Solution

When a user logs in to an IPsec VPN (IKEv2) with LDAP credentials, the user may fail to match the configured groups because of a 127-character limit on group DNs in the EAP proxy.

For example, the VPN group below requires the user to be a member of the following LDAP group:

config user group
    edit "VPN Group"
        set member "SAML"
            config match
                edit 1
                    set server-name "LDAP"
                    set group-name "CN=group00018,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab"
                next
            end
    next
end

Running the LDAP authentication test shows that the user 'forti2' is successfully authenticated and the following groups are returned:

FGT# diag test auth ldap LDAP forti2 fortinet
authenticate 'forti2' against 'LDAP' succeeded!
Group membership(s) - CN=group00019-123456789123456789012345,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
CN=group00018,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
CN=group00017,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
CN=group00016,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab

However, the EAP proxy debug output shows that no groups are returned for the same user:

diagnose debug app eap_proxy -1
diagnose debug enable
....
2025-08-28 02:09:45 [1206] __rad_rxtx-
2025-08-28 02:09:45 [1305] fnbamd_rad_process-Result from radius svr 'EAP_PROXY' is 0, req 9363167064108
2025-08-28 02:09:45 [562] fnbamd_rad_get_vsas-FORTINET attr, type 255, val LDAP
2025-08-28 02:09:45 [562] fnbamd_rad_get_vsas-FORTINET attr, type 253, val forti2

This happens because the first group DN is 128 characters long. That group is not returned, and neither are the subsequent groups:

"CN=group00019-123456789123456789012345,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab"

After removing one character from that DN so that it is 127 characters long, the groups that 'forti2' belongs to are returned, and the user successfully matches the group:

2025-08-28 02:09:02 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00019-12345678912345678901234,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
2025-08-28 02:09:02 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00018,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
2025-08-28 02:09:02 [519] fnbamd_rad_get_vsas-FORTINET attr, type 1, val CN=group00017,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab

This known issue (1182725) is scheduled to be fixed in FortiOS 7.4.10, 7.6.5 and 8.0.0.
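As an added example that is not part of this article, the following Python script parses the group list from 'diag test auth ldap' output pasted from the CLI and flags any DN longer than 127 characters, treating that DN and every DN after it as not returned, as described above. The sample output is constructed from the article's values, and the assumption that DNs listed before the first over-long one are still returned is mine, not something the article states.

```python
"""Pre-check LDAP group DNs against the 127-character EAP proxy limit."""
import re

MAX_DN_LEN = 127  # a 128-character DN breaks group return (known issue 1182725)

# Constructed sample modelled on the 'diag test auth ldap' output in the article.
SAMPLE_OUTPUT = """\
authenticate 'forti2' against 'LDAP' succeeded!
Group membership(s) - CN=group00019-123456789123456789012345,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
CN=group00018,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
CN=group00017,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
CN=group00016,OU=1234567890123456789012345678901234567890123456789012345678901234567890,DC=forti,DC=lab
"""


def parse_group_dns(output: str) -> list[str]:
    """Return the group DNs listed after 'Group membership(s) -', in order."""
    dns, in_groups = [], False
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Group membership\(s\)\s*-\s*(.*)", line)
        if m:
            in_groups, line = True, m.group(1).strip()
        if in_groups and line.startswith("CN="):
            dns.append(line)
    return dns


def check_dns(dns: list[str], limit: int = MAX_DN_LEN) -> dict:
    """Split DNs into 'returned' and 'dropped'. The first DN over the limit and
    every DN after it count as dropped; DNs before it are assumed returned."""
    returned, dropped, first_bad = [], [], None
    for i, dn in enumerate(dns):
        if first_bad is None and len(dn) > limit:
            first_bad = i
        (dropped if first_bad is not None else returned).append(dn)
    return {"returned": returned, "dropped": dropped, "first_over_limit": first_bad}


def report(output: str = SAMPLE_OUTPUT) -> dict:
    """Print every DN that would be dropped, with its length, and return the result."""
    result = check_dns(parse_group_dns(output))
    for dn in result["dropped"]:
        print(f"DROPPED ({len(dn)} chars): {dn}")
    return result


if __name__ == "__main__":
    report()
```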
