FortiGate
slovepreet
Staff
Article Id 229663
Description

This article describes how to resolve some of the error messages that can be encountered when using IKEv2 with a RADIUS server:

- IKEv2 requires an EAP framework for authentication.

- If IKEv2 is used between FortiGate and FortiClient and one of the following errors appears, this is how to resolve it.

Scope

FortiGate.
Solution

Error - gw validation failed.

[Screenshot: slovepreet_0-1668201977645.png]

1) If this error appears, it means EAP is not enabled in the phase1-interface.

2) The configuration on the FortiClient should look like this:

[Screenshot: slovepreet_1-1668202008718.png]

3) Since EAP is used, the setting should be as below:

[Screenshot: slovepreet_2-1668202022267.png]

Solution.

1) Changing the EAP setting to enable will most likely fix this error:

[Screenshot: slovepreet_3-1668202042806.png]

2) Fixed.

[Screenshot: slovepreet_4-1668202056828.png]

Error - EAP response is empty.

[Screenshot: slovepreet_5-1668202066207.png]

Explanation.

This error message appears when no user group is defined in the IPsec tunnel for authentication.

Solution.

1) There are two EAP identity methods:

[Screenshot: slovepreet_6-1668202083506.png]

2) First, it is necessary to change it to send-request; by default it is use-id-payload.

3) Second, it is necessary to specify the group to authenticate against:

[Screenshot: slovepreet_7-1668202094982.png]

4) This setting will only appear after enabling EAP in phase 1.

5) The final setting should look like the below:

[Screenshot: slovepreet_8-1668202109730.png]

6) It is now possible to connect with a local user.

7) If a RADIUS or LDAP server is used as the authentication server, it will not be possible to authenticate yet.

Related article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-dialup-IPsec-tunnel-with-Radius-serv...

Error:

EAP 94840547 pending

EAP 94840547 result 1

EAP failed for user "lovepreet"

[Screenshot: slovepreet_9-1668202125901.png]

If authentication is done against the RADIUS server, this error will be encountered.

Troubleshooting.

1) Run the fnbamd debug:

# di de application fnbamd -1

# di de en

[Screenshot: slovepreet_10-1668202139521.png]

Focus on the response code.

The code shown above means the RADIUS server is denying the request (1: Deny). The possible response codes are:

0: Success

1: Deny

2: Challenged (password renewal or token is needed)

3: unknown

4: Pending

5: Error

6: Framed IP Conflict

7: Token code is required

8: Another token is needed because the previous one is out of sync

9: Response Buffer is too small

10: Authentication time out

11: Max Concurrent authentication sessions are reached

12: Token code is already used.

Related article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-authentication-troubleshooting/ta-p...

1) It is possible to verify this by running a packet capture on the RADIUS server and filtering for RADIUS traffic.

[Screenshot: slovepreet_11-1668202171451.png]

2) The reason this happens is that the credentials are being sent with an authentication scheme (MS-CHAPv2 in this example) that the NPS on Windows AD is not configured to accept.

3) It is possible to verify the credentials on the FortiGate using the command below:

# diagnose test authserver radius <radius server_name> <authentication scheme> <username> <password>

[Screenshot: slovepreet_12-1668202204429.png]

4) On the RADIUS server, the MS-CHAPv2 scheme was not selected.

5) To solve this, go to the RADIUS server.

6) Go to Network Policies --> virtual private connection --> double-click --> Constraints --> Authentication Methods --> choose the required method (MS-CHAPv2 in this example).

[Screenshot: slovepreet_13-1668202214910.png]
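The FortiOS CLI equivalent of the settings walked through above (EAP on the phase1, EAP identity, user group, and a RADIUS server using the MS-CHAPv2 scheme), as an added example that is not part of the original article. Values in angle brackets are placeholders; the type, interface, mode-cfg, proposal and psksecret lines are assumed typical values for a FortiClient dialup tunnel and are not taken from the article.

```text
# Added example (not from the original article). FortiOS CLI equivalent of
# the GUI settings described above. Values in <angle brackets> are placeholders.

# RADIUS server object. auth-type must match a method enabled in the NPS
# network policy (MS-CHAPv2 in this article's example); a mismatch shows up
# as "EAP ... result 1" (Deny) in the fnbamd debug.
config user radius
    edit "<radius-server-name>"
        set server "<radius-server-ip>"
        set secret "<shared-secret>"
        set auth-type ms_chap_v2
    next
end

# User group the IPsec tunnel authenticates against; leaving it out of the
# phase1 is what produces "EAP response is empty".
config user group
    edit "<vpn-user-group>"
        set member "<radius-server-name>"
    next
end

# Dialup IKEv2 phase1. "set eap enable" fixes "gw validation failed",
# "set eap-identity send-request" replaces the default use-id-payload, and
# authusrgrp binds the group (this option only appears once eap is enabled).
# type/interface/mode-cfg/proposal/psksecret are assumed typical values.
config vpn ipsec phase1-interface
    edit "<tunnel-name>"
        set type dynamic
        set interface "<wan-interface>"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set eap enable
        set eap-identity send-request
        set authusrgrp "<vpn-user-group>"
        set psksecret "<pre-shared-key>"
    next
end

# Verification, using the commands from the article: test the RADIUS
# credentials with the same scheme, then watch the response code in fnbamd.
diagnose test authserver radius <radius-server-name> mschap2 <username> <password>
diagnose debug application fnbamd -1
diagnose debug enable
```

If the test command returns a Deny while PAP succeeds, the NPS network policy is the place to look, as in step 6 above.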

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-dialup-IPsec-tunnel-with-Radius-serv...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-authentication-troubleshooting/ta-p...
