Description
This article describes how to resolve some of the error messages that can be encountered when using IKEv2 with a RADIUS server:
- IKEv2 requires an EAP framework for authentication.
- If IKEv2 is used between FortiGate and FortiClient and one of the following errors appears, this is how to resolve it.
Scope
FortiGate.
Solution
Error - gw validation failed.
1) If this error appears, it means EAP is not enabled in the phase1-interface.
2) The configuration on the FortiClient should look like this:
3) Since EAP is used, the setting will be as below:
Solution.
1) Changing the EAP setting to enable in the phase1-interface will most likely fix this error:
2) Fixed.
Error - EAP response is empty.
Explanation.
This error message appears when no user group is defined in the IPsec tunnel for authentication.
Solution.
1) There are two EAP identity methods:
2) First, change the EAP identity method to 'send-request' (by default it is 'use-id-payload').
3) Second, specify the group to authenticate against:
4) This setting will only appear after enabling EAP in phase 1.
5) The final setting should look like the below:
6) It is now possible to connect with a local user.
7) If a RADIUS or LDAP server is used as the authentication server, it may still not be possible to authenticate yet.
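The FortiOS CLI below, added here as an example and not taken from the original article, shows the phase1-interface settings that resolve both errors above in one place: 'set eap enable' (missing causes "gw validation failed") and 'set eap-identity send-request' plus 'set authusrgrp' (missing causes "EAP response is empty"). The tunnel name, outside interface, proposal, address pool, user and group names are assumptions; lines starting with '#' are comments.

```fortios
# Added example (not from the original article). Assumed names: tunnel "IKEv2-EAP",
# interface "wan1", group "VPN-Users", local user "alice".
config user local
    edit "alice"                           # local test user (assumed)
        set type password
        set passwd <password>              # placeholder
    next
end
config user group
    edit "VPN-Users"                       # group referenced by authusrgrp (assumed)
        set member "alice"
    next
end
config vpn ipsec phase1-interface
    edit "IKEv2-EAP"                       # tunnel name (assumed)
        set type dynamic                   # dial-up: FortiClient peers have no fixed IP
        set interface "wan1"               # outside interface (assumed)
        set ike-version 2
        set peertype any
        set mode-cfg enable                # push a client address to FortiClient
        set ipv4-start-ip 10.10.10.1       # client pool (assumed)
        set ipv4-end-ip 10.10.10.100
        set proposal aes256-sha256         # example proposal (assumed)
        set dhgrp 14
        set eap enable                     # disabled -> "gw validation failed"
        set eap-identity send-request      # default use-id-payload -> "EAP response is empty"
        set authusrgrp "VPN-Users"         # only visible once eap is enabled
        set psksecret <PSK>                # placeholder: pre-shared key
    next
end
```

With a local user in the group the FortiClient connection completes; swapping the group member for a RADIUS or LDAP server object is what leads to the next error if the server side rejects the scheme.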
Error:
EAP 94840547 pending EAP 94840547 result 1 EAP failed for user "lovepreet"
This error is encountered when authenticating against the RADIUS server.
Troubleshooting.
1) Run the fnbamd debug:
# diagnose debug application fnbamd -1
# diagnose debug enable
Focus on the result code in the debug output. In the error above, result 1 means the RADIUS server denied the request:
0: Success
1: Deny
2: Challenged (password renewal or token is needed)
3: Unknown
4: Pending
5: Error
6: Framed IP conflict
7: Token code is required
8: Another token is needed because the previous one is out of sync
9: Response buffer is too small
10: Authentication timed out
11: Maximum concurrent authentication sessions reached
12: Token code is already used
1) It is possible to verify this by running a packet capture on the RADIUS server and filtering for RADIUS traffic.
2) In this example, the reason is that the authentication scheme used by FortiGate (MS-CHAPv2) is not enabled on the NPS in Windows AD, so the credentials are not accepted.
3) It is possible to verify the credentials against the RADIUS server from the FortiGate using the command below:
# diagnose test authserver radius <radius_server_name> <authentication_scheme> <username> <password>
4) On the RADIUS server there was no MS-CHAPv2 scheme selected.
5) To solve this, go to the RADIUS server.
6) Go to Network Policies --> virtual private connection --> double-click --> Constraints --> Authentication Methods --> select the required scheme (MS-CHAPv2 in this example).
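The FortiOS CLI below is an added example, not part of the original article, showing how to isolate a scheme mismatch from the FortiGate side: enable the fnbamd debug, test the same credentials with each scheme, then pin the RADIUS server object to the method the NPS policy accepts. The server object name, address, user name and secrets are placeholders; lines starting with '#' are comments.

```fortios
# Added example (not from the original article). Assumed RADIUS object "radius-nps",
# test user "testuser"; 192.0.2.10 is a documentation address, not a real server.

# 1. Show the result code of every RADIUS attempt (see the code table above)
diagnose debug application fnbamd -1
diagnose debug enable

# 2. Try the same credentials with each scheme the NPS might be configured for
diagnose test authserver radius "radius-nps" mschap2 "testuser" "<password>"
diagnose test authserver radius "radius-nps" pap "testuser" "<password>"
# result 1 (Deny) for mschap2 while pap succeeds means the NPS network policy does
# not allow MS-CHAPv2 under Constraints > Authentication Methods (the article's fix).
# Deny for every scheme points instead at the shared secret, the NPS client entry
# or the user account.

# 3. Stop the debug once the test is finished
diagnose debug disable
diagnose debug reset

# 4. Pin the FortiGate RADIUS object to the scheme enabled on the NPS (default: auto)
config user radius
    edit "radius-nps"
        set server "192.0.2.10"           # NPS address (placeholder)
        set secret <shared_secret>        # placeholder
        set auth-type ms_chap_v2          # match the method enabled in the NPS policy
    next
end
```

Keep the scheme on the FortiGate object and in the NPS policy the same; if PAP is the only method both sides agree on, remember that it carries the password without a challenge and only the RADIUS shared secret protects it on the wire.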
Copyright 2024 Fortinet, Inc. All Rights Reserved.