Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
scheuri1
New Contributor II

Created on ‎01-16-2026 04:26 AM Edited on ‎01-16-2026 04:29 AM

Authentication Failure with DialUp IPSec (EAP failure)

Hi all

 

We configured a DialUp IPSec tunnel (udp) on Fortigate 7.4.9. The users are authenticated via RADIUS on a Fortiauthenticator and MFA (Fortitoken on same FAC).

 

The user in question is my own - which works for SSL VPN on the same Fortigate and as login on the Fortigate itself as well - using the same FAC (just a different user group).

 

When using (free) FortiClient 7.4.3 with my user can connect to the Fortigate, but doesn't get the Token-Challenge due to a EAP failure.

 

The ike debug says it fails due to a EAP failure (see below), the correct username is being used/seen in the logs.
The fnbam log says code 3, after two code 11 (see below).
The FAC tells me that my user failed to login via EAP-GTC (see below).
The timestamps are off as I had to pull data from different tests, the logs are current and valid.

 

Unfortunately, there is not muc I can test - the password is in a password-tool and the same password is being successfuly used to login into FMG, FAZ, FAC and FGT as well as SSL VPN.
The user group on FAC is correct (and is correct on FMG) - it also uses the same radius attributes as the sslvpn and admin-login-groups. And my user is member of them all.

Anyone a hint where I can look further?

 

 

 

fgt200G_749 $ diagnose vpn ike log filter rem-addr4 <client_source_ip>

fgt200G_749 $ diagnose debug application ike -1
Debug messages will be on for 30 minutes.

fgt200G_749 $ diagnose debug console timestamp enable

fgt200G_749 $ diagnose debug enable



fgt200G_749 $ 2026-01-16 13:21:09.600418 ike :shrank heap by 159744 bytes
2026-01-16 13:21:24.135753 ike V=root:0: comes <client_source_ip>:45253-><fgt_dialup_ip>:500,ifindex=22,vrf=0,len=385....
2026-01-16 13:21:24.135797 ike V=root:0: IKEv2 exchange=SA_INIT id=de37eacc2ea2bcf0/0000000000000000 len=385
2026-01-16 13:21:24.135810 ike 0: in DE37EACC2EA2BCF000000000000000002120220800000000000001812200006C02000034010100050300000C0100000C800E0080030000080200000203000008030000020300000804000015000000080400001400000034020100050300000C0100000C800E01000300000802000005030000080300000C03000008040000150000000804000014280000680014000010E8A9301714649F4DD68AF7DD92290B5847C0BC465E46722D436D4B0BC53FEE9EA355C1B97E17C2C923304F10AB91650799A9776D90306147A377E180658E6EDBEF8F3C9E349122C895D463E3A1D009A2473708E91488444B8C0B8CD33505B62B000014F7AA05CC07007B6E51A8983D50C0756E2B0000144C53427B6D465D1B337BB755A37A7FEF2B000014B4F01CA951E9DA8D0BAFBBD34AD3044E29000014C1DC4350476B98A429B91781914CA43E2900001C00004004A13A86B73E7DC72C11A1E348277DC1A0649C0C722900001C00004005D352A420E843217F35F66CD10AD70B35CD8907C6000000090000F05000
2026-01-16 13:21:24.135839 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: responder received SA_INIT msg
2026-01-16 13:21:24.135852 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
2026-01-16 13:21:24.135862 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
2026-01-16 13:21:24.135871 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E
2026-01-16 13:21:24.135881 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: received notify type NAT_DETECTION_SOURCE_IP
2026-01-16 13:21:24.135890 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: received notify type NAT_DETECTION_DESTINATION_IP
2026-01-16 13:21:24.135901 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: received notify type VPN_NETWORK_ID
2026-01-16 13:21:24.135911 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: NETWORK ID : 0
2026-01-16 13:21:24.135925 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: incoming proposal:
2026-01-16 13:21:24.135933 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: proposal id = 1:
2026-01-16 13:21:24.135943 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:   protocol = IKEv2:
2026-01-16 13:21:24.135950 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:      encapsulation = IKEv2/none
2026-01-16 13:21:24.135958 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=ENCR, val=AES_CBC (key_len = 128)
2026-01-16 13:21:24.135965 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=INTEGR, val=AUTH_HMAC_SHA_96
2026-01-16 13:21:24.135975 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=PRF, val=PRF_HMAC_SHA
2026-01-16 13:21:24.135982 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=DH_GROUP, val=ECP384.
2026-01-16 13:21:24.135990 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=DH_GROUP, val=ECP521.
2026-01-16 13:21:24.136003 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: proposal id = 2:
2026-01-16 13:21:24.136010 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:   protocol = IKEv2:
2026-01-16 13:21:24.136017 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:      encapsulation = IKEv2/none
2026-01-16 13:21:24.136029 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=ENCR, val=AES_CBC (key_len = 256)
2026-01-16 13:21:24.136036 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2026-01-16 13:21:24.136043 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=PRF, val=PRF_HMAC_SHA2_256
2026-01-16 13:21:24.136052 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=DH_GROUP, val=ECP384.
2026-01-16 13:21:24.136059 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=DH_GROUP, val=ECP521.
2026-01-16 13:21:24.136073 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: matched proposal id 2
2026-01-16 13:21:24.136084 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: proposal id = 2:
2026-01-16 13:21:24.136096 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:   protocol = IKEv2:
2026-01-16 13:21:24.136104 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:      encapsulation = IKEv2/none
2026-01-16 13:21:24.136114 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=ENCR, val=AES_CBC (key_len = 256)
2026-01-16 13:21:24.136120 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2026-01-16 13:21:24.136126 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=PRF, val=PRF_HMAC_SHA2_256
2026-01-16 13:21:24.136133 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651:         type=DH_GROUP, val=ECP384.
2026-01-16 13:21:24.136139 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: lifetime=86400
2026-01-16 13:21:24.136146 ike V=root:0:de37eacc2ea2bcf0/0000000000000000:8651: SA proposal chosen, matched gateway du_udp_ncss_AA
2026-01-16 13:21:24.136161 ike V=root:0:du_udp_ncss_AA:du_udp_ncss_AA: created connection: 0x56044ca844b0 22 <fgt_dialup_ip>-><client_source_ip>:45253.
2026-01-16 13:21:24.136169 ike V=root:0:du_udp_ncss_AA: HA start as master
2026-01-16 13:21:24.136180 ike V=root:0:du_udp_ncss_AA:8651: processing notify type NAT_DETECTION_SOURCE_IP
2026-01-16 13:21:24.136205 ike V=root:0:du_udp_ncss_AA:8651: processing NAT-D payload
2026-01-16 13:21:24.136216 ike V=root:0:du_udp_ncss_AA:8651: NAT detected: PEER
2026-01-16 13:21:24.136225 ike V=root:0:du_udp_ncss_AA:8651: process NAT-D
2026-01-16 13:21:24.136233 ike V=root:0:du_udp_ncss_AA:8651: processing notify type NAT_DETECTION_DESTINATION_IP
2026-01-16 13:21:24.136249 ike V=root:0:du_udp_ncss_AA:8651: processing NAT-D payload
2026-01-16 13:21:24.136257 ike V=root:0:du_udp_ncss_AA:8651: NAT detected: PEER
2026-01-16 13:21:24.136264 ike V=root:0:du_udp_ncss_AA:8651: process NAT-D
2026-01-16 13:21:24.136273 ike V=root:0:du_udp_ncss_AA:8651: FEC vendor ID received FEC but IP not set
2026-01-16 13:21:24.136283 ike 0:du_udp_ncss_AA:8651: FCT EAP 2FA extension vendor ID received
2026-01-16 13:21:24.136308 ike V=root:0:du_udp_ncss_AA:8651: responder preparing SA_INIT msg
2026-01-16 13:21:24.136318 ike V=root:0:du_udp_ncss_AA:8651: generate DH public value request queued
2026-01-16 13:21:24.136349 ike V=root:0:du_udp_ncss_AA:8651: responder preparing SA_INIT msg
2026-01-16 13:21:24.136358 ike V=root:0:du_udp_ncss_AA:8651: compute DH shared secret request queued
2026-01-16 13:21:24.137500 ike V=root:0:du_udp_ncss_AA:8651: responder preparing SA_INIT msg
2026-01-16 13:21:24.137511 ike V=root:0:du_udp_ncss_AA:8651: create NAT-D hash local <fgt_dialup_ip>/500 remote <client_source_ip>/45253
2026-01-16 13:21:24.137523 ike 0:du_udp_ncss_AA:8651: out DE37EACC2EA2BCF009C63759CA9CE4C1212022200000000000000100220000300000002C020100040300000C0100000C800E01000300000802000005030000080300000C00000008040000142800006800140000C11C84AEDA157C4FA7375F132A1EC64BF979EE5A8B2BA32369B6AD2B371A46A0444D1860CBB13C3D4515425776D32CA70A95EFE691EA390C2B94ED77C8989A0CFCC969D039B95E4B048C820F643ACB222569F20A2C92CC0D05DCD9ECB56B18DC29000014B9115A6A81A0B32D7231422F292A420D2900001C0000400411DFE9E20A3CB0D43E46593F6474AB200B9B8F7D0000001C000040051EA39435DE8181B85E67B3F4F923F0E9F705CAFB
2026-01-16 13:21:24.137545 ike V=root:0:du_udp_ncss_AA:8651: sent IKE msg (SA_INIT_RESPONSE): <fgt_dialup_ip>:500-><client_source_ip>:45253, len=256, vrf=0, id=de37eacc2ea2bcf0/09c63759ca9ce4c1, oif=22
2026-01-16 13:21:24.137588 ike 0:du_udp_ncss_AA:8651: IKE SA de37eacc2ea2bcf0/09c63759ca9ce4c1 SK_ei 32:800E8746F66E938D3C591310F893BFAF033BB73DBA7A564322AFE18D380AD3D3
2026-01-16 13:21:24.137601 ike 0:du_udp_ncss_AA:8651: IKE SA de37eacc2ea2bcf0/09c63759ca9ce4c1 SK_er 32:170D3FC6220814004A289C5AF34C2B8A3E5D3A33D797D7A6A9CBE4AFA2000C46
2026-01-16 13:21:24.137609 ike 0:du_udp_ncss_AA:8651: IKE SA de37eacc2ea2bcf0/09c63759ca9ce4c1 SK_ai 32:7CF0ABD4C8ABA5603B00BA3B8B0905468860D18BADB2FBFC17D248B93E4F6629
2026-01-16 13:21:24.137621 ike 0:du_udp_ncss_AA:8651: IKE SA de37eacc2ea2bcf0/09c63759ca9ce4c1 SK_ar 32:4F34327F07A1DD3562A060C274E9BA2634868F884115EBE2B96684F6AC875E4E
2026-01-16 13:21:24.152739 ike V=root:0: comes <client_source_ip>:36765-><fgt_dialup_ip>:4500,ifindex=22,vrf=0,len=516....
2026-01-16 13:21:24.152752 ike V=root:0: IKEv2 exchange=AUTH id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000001 len=512
2026-01-16 13:21:24.152762 ike 0: in DE37EACC2EA2BCF009C63759CA9CE4C12E2023080000000100000200230001E4AC09A83C7753A789559AC61AF13795CBA1A83F3871B8F4264E395D478C555035B2825787845B3BEF37F310A702BB1F2BE7830E5414D41331D1E0919BD0F27ECD455F0ABFADA4BE44B4672FBFD1002E922C75DBDE2308F4C02DCBDCC1C16E6FE3E1C0206BE20369405132AEF9BF848F8C200565910EFE4CF6E4E75E0CA826CAB62E2FBB87B0D822E6066ACD0021EEB1844D064C14F5CE5FF9B8A0BB8EBC66249040588EB4D379B2896E7584503893AE09E5D4B2EFEFC10ECAD39E2043C7EBB568F5799B62722096FC6DA61B573416A4EC831035D26C90394D02DC4A43DE4B8DCE9481EE35D6357F017F7E5FDB2450F1CF77FE43F104D777FF2F0D60ABBB97216E8AF58CF5DD0718DAC3D609F6D93F97A35523CA1B7174FF90EE212E6C7256E26205B3A74B9DE5075D535F8CB678920605F3A3972A255E01F9CA66B4F5AA48BD8629EAD488435F5E282DF1C54FF95237281286A990C1494F070C5D8C26DD72886BEB9C69A830527DF30237031E3A693083FF5FA3A2309BBF60E0194398DFDEA788FF15DABFFAC9B4BE870A1B7B83A67E469CC13ABF558F657F201E84CCD5FD0C0834F7BDFB22AAF26AA5E713912A338AFD0C7FD7A6D8A482F29FDE153814D05839DF21A40D237C419900271EF1E6891C6BA6BD53044BB20E60543532CC96B2464D
2026-01-16 13:21:24.152779 ike V=root:0:du_udp_ncss_AA: HA state master(2)
2026-01-16 13:21:24.152805 ike 0:du_udp_ncss_AA:8651: dec DE37EACC2EA2BCF009C63759CA9CE4C12E20230800000001000001DF230000042900000B0200000055445029000008000040002F0000CC0000F1005645523D310A4643545645523D372E342E332E313739300A5549443D36453944443441354544343234433441394233313931323632453834313130410A49503D31302E302E322E31350A4D41433D30382D30302D32372D31392D38342D34653B0A484F53543D57696E3131454E2D310A555345523D73746566616E73636865757265720A4F535645523D4D6963726F736F66742057696E646F7773203131202C2036342D62697420286275696C64203236313030290A5245475F5354415455533D300A002100005C01000000000700104643543830303430313638323037393500010000000200000003000000040000000D00000019000000080000000F0000000A0000000B000070010000540A0000540B00007000000070060000001900002C0000540200002801030403AA27A03C0300000C0100000C800E0080030000080300000200000008050000000000002802030403AA27A03C0300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
2026-01-16 13:21:24.152819 ike V=root:0:du_udp_ncss_AA:8651: responder received AUTH msg
2026-01-16 13:21:24.152825 ike V=root:0:du_udp_ncss_AA:8651: processing notify type INITIAL_CONTACT
2026-01-16 13:21:24.152839 ike V=root:0:du_udp_ncss_AA:8651: processing notify type FORTICLIENT_CONNECT
2026-01-16 13:21:24.152851 ike V=root:0:du_udp_ncss_AA:8651: received FCT data len = 196, data = 'VER=1
FCTVER=7.4.3.1790
UID=6E9DD4A5ED424C4A9B3191262E84110A
IP=10.0.2.15
MAC=08-00-27-19-84-4e;
HOST=Win11EN-1
USER=<username>
OSVER=Microsoft Windows 11 , 64-bit (build 26100)
REG_STATUS=0
'
2026-01-16 13:21:24.152870 ike V=root:0:du_udp_ncss_AA:8651: received FCT-UID : 6E9DD4A5ED424C4A9B3191262E84110A
2026-01-16 13:21:24.152876 ike V=root:0:du_udp_ncss_AA:8651: received EMS SN : 
2026-01-16 13:21:24.152882 ike V=root:0:du_udp_ncss_AA:8651: received EMS tenant ID : 
2026-01-16 13:21:24.152889 ike V=root:0:du_udp_ncss_AA:8651: received peer identifier FQDN 'UDP'
2026-01-16 13:21:24.152897 ike V=root:0:du_udp_ncss_AA:8651: re-validate gw ID
2026-01-16 13:21:24.152908 ike V=root:0:du_udp_ncss_AA:8651: gw validation OK
2026-01-16 13:21:24.152915 ike V=root:0:du_udp_ncss_AA:8651: responder preparing EAP identity request
2026-01-16 13:21:24.152932 ike 0:du_udp_ncss_AA:8651: enc 2700000B020000005544503000002802000000342CCCD3796FF0F042304F0C231F60EFA67B2260AAFAB0E8ADB4905D1BE45EA60000000901AF00050103020103
2026-01-16 13:21:24.152948 ike V=root:0:du_udp_ncss_AA:8651: remote port change 45253 -> 36765
2026-01-16 13:21:24.152955 ike 0:du_udp_ncss_AA:8651: out DE37EACC2EA2BCF009C63759CA9CE4C12E202320000000010000008024000064996CB300C3537DC5DC682EEC84A72D70483B535DB81A4601C3A73393B7812697EEBC470295A28324BE2C7BB2AD87F83CEA4287B8E4067F862CED17CE96FCA34E48DAF86C6702B5509496EC21B39B331FA33569D9DE7D720D24CE2FD68D05D58B
2026-01-16 13:21:24.152971 ike V=root:0:du_udp_ncss_AA:8651: sent IKE msg (AUTH_RESPONSE): <fgt_dialup_ip>:4500-><client_source_ip>:36765, len=128, vrf=0, id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000001, oif=22
2026-01-16 13:21:24.160713 ike V=root:0: comes <client_source_ip>:36765-><fgt_dialup_ip>:4500,ifindex=22,vrf=0,len=100....
2026-01-16 13:21:24.160724 ike V=root:0: IKEv2 exchange=AUTH id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000002 len=96
2026-01-16 13:21:24.160735 ike 0: in DE37EACC2EA2BCF009C63759CA9CE4C12E202308000000020000006030000044DAF46CC92B7C884CCFF81191BBC86F4A0CBB8114EDE224EF12AABFFB81E721DACF1CB7A48D4EDE550A720688DE473DA3F9EDB6075272BE1BD9CE2656A2AA69C0
2026-01-16 13:21:24.160745 ike V=root:0:du_udp_ncss_AA: HA state master(2)
2026-01-16 13:21:24.160756 ike 0:du_udp_ncss_AA:8651: dec DE37EACC2EA2BCF009C63759CA9CE4C12E2023080000000200000037300000040000001702AF00130173746566616E7363686575726572
2026-01-16 13:21:24.160764 ike V=root:0:du_udp_ncss_AA:8651: responder received EAP msg
2026-01-16 13:21:24.160770 ike V=root:0:du_udp_ncss_AA:8651: send EAP message to FNBAM
2026-01-16 13:21:24.160776 ike V=root:0:du_udp_ncss_AA:8651: initiating EAP authentication
2026-01-16 13:21:24.160786 ike V=root:0:du_udp_ncss_AA: EAP user "<username>"
2026-01-16 13:21:24.160815 ike V=root:0:du_udp_ncss_AA: EAP 13121148985352 pending
2026-01-16 13:21:24.211791 ike V=root:0:du_udp_ncss_AA:8651 EAP 13121148985352 result FNBAM_CHALLENGED
2026-01-16 13:21:24.211806 ike V=root:0:du_udp_ncss_AA: EAP challenged for user "<username>"
2026-01-16 13:21:24.211815 ike V=root:0:du_udp_ncss_AA:8651: responder preparing EAP pass through message
2026-01-16 13:21:24.211825 ike 0:du_udp_ncss_AA:8651: enc 0000000A01B000061920050403020105
2026-01-16 13:21:24.211842 ike 0:du_udp_ncss_AA:8651: out DE37EACC2EA2BCF009C63759CA9CE4C12E202320000000020000005030000034DA649C97174889ADE6C06654415AC6D47B3E81B2C6D051482785FAF6483E3222A48ABDB2282A53C3CC662CFA32400951
2026-01-16 13:21:24.211862 ike V=root:0:du_udp_ncss_AA:8651: sent IKE msg (AUTH_RESPONSE): <fgt_dialup_ip>:4500-><client_source_ip>:36765, len=80, vrf=0, id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000002, oif=22
2026-01-16 13:21:24.219715 ike V=root:0: comes <client_source_ip>:36765-><fgt_dialup_ip>:4500,ifindex=22,vrf=0,len=84....
2026-01-16 13:21:24.219726 ike V=root:0: IKEv2 exchange=AUTH id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000003 len=80
2026-01-16 13:21:24.219734 ike 0: in DE37EACC2EA2BCF009C63759CA9CE4C12E202308000000030000005030000034F3B2D704E741B0AAEC1A1EDC9C6531AD8F9F3ABA51E4B2C9D646B5296B722717E4BE9476C50D69062C1E292D4B0D6DBB
2026-01-16 13:21:24.219741 ike V=root:0:du_udp_ncss_AA: HA state master(2)
2026-01-16 13:21:24.219754 ike 0:du_udp_ncss_AA:8651: dec DE37EACC2EA2BCF009C63759CA9CE4C12E202308000000030000002B300000040000000B02B00007031A06
2026-01-16 13:21:24.219761 ike V=root:0:du_udp_ncss_AA:8651: responder received EAP msg
2026-01-16 13:21:24.219766 ike V=root:0:du_udp_ncss_AA:8651: send EAP message to FNBAM
2026-01-16 13:21:24.219779 ike V=root:0:du_udp_ncss_AA: EAP 13121148985352 pending
2026-01-16 13:21:24.220758 ike V=root:0:du_udp_ncss_AA:8651 EAP 13121148985352 result FNBAM_CHALLENGED
2026-01-16 13:21:24.220771 ike V=root:0:du_udp_ncss_AA: EAP challenged for user "<username>"
2026-01-16 13:21:24.220779 ike V=root:0:du_udp_ncss_AA:8651: responder preparing EAP pass through message
2026-01-16 13:21:24.220786 ike 0:du_udp_ncss_AA:8651: enc 0000002F01B1002B1A01B1002610DC51B48D4A589D71974CEFB676AD59C9667265657261646975732D332E302E323600
2026-01-16 13:21:24.220801 ike 0:du_udp_ncss_AA:8651: out DE37EACC2EA2BCF009C63759CA9CE4C12E2023200000000300000070300000541FF28215C4789243C377DE77C9E15A75759362D989635F62F5C988CFD4E90B4D61ADD979494B61D66F3B8BAE11B38EFA66C13B471D7E54F2B4CDAA8BDC788B933BC7F151283187BC060C3DBAF1A60E0D
2026-01-16 13:21:24.220818 ike V=root:0:du_udp_ncss_AA:8651: sent IKE msg (AUTH_RESPONSE): <fgt_dialup_ip>:4500-><client_source_ip>:36765, len=112, vrf=0, id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000003, oif=22
2026-01-16 13:21:24.230720 ike V=root:0: comes <client_source_ip>:36765-><fgt_dialup_ip>:4500,ifindex=22,vrf=0,len=148....
2026-01-16 13:21:24.230731 ike V=root:0: IKEv2 exchange=AUTH id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000004 len=144
2026-01-16 13:21:24.230739 ike 0: in DE37EACC2EA2BCF009C63759CA9CE4C12E202308000000040000009030000074A0C7728B37F7EFE6A3A480F47D1EF6E6CD5265686D006D41CBB580B59D931F04A34495A1D2AC60E2C5FDACF50771B15957BC705D8A34BD798589E373A348F30A983B8F43492FDA36313AFFD0199F97185EE9EF48A5D4E443D551612F45B43B9F347D2BCB41A23CC7AC783779D1E42462
2026-01-16 13:21:24.230747 ike V=root:0:du_udp_ncss_AA: HA state master(2)
2026-01-16 13:21:24.230760 ike 0:du_udp_ncss_AA:8651: dec DE37EACC2EA2BCF009C63759CA9CE4C12E202308000000040000006D300000040000004D02B100491A02B1004431454C091BE8CCC0FD8436A18AA24A814F00000000000000009E3724C502439B56213DD104FB69BFAA442DFB609C2823AD0073746566616E7363686575726572
2026-01-16 13:21:24.230772 ike V=root:0:du_udp_ncss_AA:8651: responder received EAP msg
2026-01-16 13:21:24.230778 ike V=root:0:du_udp_ncss_AA:8651: send EAP message to FNBAM
2026-01-16 13:21:24.230785 ike V=root:0:du_udp_ncss_AA: EAP 13121148985352 pending
2026-01-16 13:21:25.237597 ike V=root:0:du_udp_ncss_AA:8651 EAP 13121148985352 result FNBAM_DENIED
2026-01-16 13:21:25.237618 ike V=root:0:du_udp_ncss_AA: EAP failed for user "<username>"
2026-01-16 13:21:25.237642 ike V=root:0:du_udp_ncss_AA:8651: responder preparing EAP pass through message
2026-01-16 13:21:25.237654 ike 0:du_udp_ncss_AA:8651: enc 0000000804B100040706050403020107
2026-01-16 13:21:25.237680 ike 0:du_udp_ncss_AA:8651: out DE37EACC2EA2BCF009C63759CA9CE4C12E202320000000040000005030000034E705B9D61180EFFA81671532271F74130C0D70FD78C713BC0EB5D909AE66DDB1B2AF5BA0AEABC100F9AEC63CFDCBDF7D
2026-01-16 13:21:25.237700 ike V=root:0:du_udp_ncss_AA:8651: sent IKE msg (AUTH_RESPONSE): <fgt_dialup_ip>:4500-><client_source_ip>:36765, len=80, vrf=0, id=de37eacc2ea2bcf0/09c63759ca9ce4c1:00000004, oif=22
2026-01-16 13:21:25.237711 ike V=root:0:du_udp_ncss_AA: connection expiring due to EAP failure
2026-01-16 13:21:25.237720 ike V=root:0:du_udp_ncss_AA: going to be deleted
2026-01-16 13:21:29.620357 ike :shrank heap by 331776 bytes

 

diagnose debug reset

diagnose debug console timestamp enable
diagnose debug app fnbamd -1
diagnose debug enable



fgt200g_749 $
fgt200g_749 $ 2026-01-16 12:51:07 [1774] handle_req-Rcvd auth req 13121148985349 for <username> in <user_group> opt=00000000 prot=7 svc=9
2026-01-16 12:51:07 [336] __compose_group_list_from_req-Group '<user_group>', type 1
2026-01-16 12:51:07 [511] create_auth_session-Session created for req id 13121148985349
2026-01-16 12:51:07 [595] fnbamd_cfg_get_tac_plus_list-
2026-01-16 12:51:07 [550] __fnbamd_cfg_get_tac_plus_list_by_group-
2026-01-16 12:51:07 [562] __fnbamd_cfg_get_tac_plus_list_by_group-Group '<user_group>'
2026-01-16 12:51:07 [611] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
2026-01-16 12:51:07 [840] fnbamd_cfg_get_ldap_list-
2026-01-16 12:51:07 [756] __fnbamd_cfg_get_ldap_list_by_group-
2026-01-16 12:51:07 [856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 0
2026-01-16 12:51:07 [416] ldap_start-Didn't find ldap servers
2026-01-16 12:51:07 [316] radius_start-eap_local=0
2026-01-16 12:51:07 [890] fnbamd_cfg_get_radius_list-
2026-01-16 12:51:07 [838] __fnbamd_cfg_get_radius_list_by_group-
2026-01-16 12:51:07 [852] __fnbamd_cfg_get_radius_list_by_group-Group '<user_group>'
2026-01-16 12:51:07 [456] fnbamd_rad_get-vfid=0, name='<name_of_radiusserver>'
2026-01-16 12:51:07 [799] __rad_auth_ctx_insert-Loaded RADIUS server '<name_of_radiusserver>'
2026-01-16 12:51:07 [857] __fnbamd_cfg_get_radius_list_by_group-Loaded RADIUS server '<name_of_radiusserver>' for usergroup '<user_group>' (4)
2026-01-16 12:51:07 [812] __rad_auth_ctx_insert_all_usergroup-
2026-01-16 12:51:07 [912] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
2026-01-16 12:51:07 [1019] fnbamd_cfg_radius_clear_reachability-Clearing RAD server reachability <name_of_radiusserver>:<FQDN_of_radiusserver>
2026-01-16 12:51:07 [930] fnbamd_rad_get_auth_server-
2026-01-16 12:51:07 [1269] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
2026-01-16 12:51:07 [301] fnbamd_radius_get_next_auth_prot-Next auth prot EAP
2026-01-16 12:51:07 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x4e '<FQDN_of_radiusserver>', node 0x564f84f2a378
2026-01-16 12:51:07 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x204e '<FQDN_of_radiusserver>', node 0x564f84f2a378
2026-01-16 12:51:07 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2026-01-16 12:51:07 [1297] fnbamd_rad_auth_ctx_init-Start rad conn timer.
2026-01-16 12:51:07 [913] __rad_add_job_timer-
2026-01-16 12:51:07 [439] fnbamd_cfg_get_pop3_list-
2026-01-16 12:51:07 [417] __fnbamd_cfg_get_pop3_list_by_group-
2026-01-16 12:51:07 [422] __fnbamd_cfg_get_pop3_list_by_group-Group '<user_group>'
2026-01-16 12:51:07 [449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
2026-01-16 12:51:07 [437] start_remote_auth-Total 1 server(s) to try
2026-01-16 12:51:07 [1917] handle_req-r=4
2026-01-16 12:51:07 [248] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x4e
2026-01-16 12:51:07 [310] fnbamd_dns_parse_resp-req 0x4e: 10.206.0.45
2026-01-16 12:51:07 [1239] __fnbamd_rad_dns_cb-Resolved <name_of_radiusserver>:<FQDN_of_radiusserver> to 10.206.0.45, cur stack size:-1
2026-01-16 12:51:07 [1198] __auth_ctx_svr_push-Added addr 10.206.0.45:2083 from rad '<name_of_radiusserver>'
2026-01-16 12:51:07 [1244] __fnbamd_rad_dns_cb-All IP address are received, ready to start the connection
2026-01-16 12:51:07 [1021] __fnbamd_rad_get_next_addr-Next available address of rad '<name_of_radiusserver>': 10.206.0.45:2083.
2026-01-16 12:51:07 [1216] __auth_ctx_start-Connection starts <name_of_radiusserver>:<FQDN_of_radiusserver>, addr 10.206.0.45:2083 proto: TCP over TLS
2026-01-16 12:51:07 [578] __rad_tcps_open-vfid 0, addr 10.206.0.45, src_ip , ssl_opt 1284, use_ha_relay 0
2026-01-16 12:51:07 [1175] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.206.0.45:2083, source address is null, protocol number is 6, oif id is 0
2026-01-16 12:51:07 [601] __rad_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
2026-01-16 12:51:07 [618] __rad_tcps_open-Server identity check is enabled.
2026-01-16 12:51:07 [636] __rad_tcps_open-Still connecting 10.206.0.45.
2026-01-16 12:51:07 [653] __rad_tcps_open-Start rad conn timer.
2026-01-16 12:51:07 [1036] __rad_conn_start-Socket 12 is created for rad '<name_of_radiusserver>'.
2026-01-16 12:51:07 [248] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x204e
2026-01-16 12:51:07 [268] fnbamd_dns_parse_resp-req 0x4e: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2026-01-16 12:51:07 [35] __fnbamd_dns_req_del-DNS req 0x4e (0x564f84f2a378) is removed. Current total: 2
2026-01-16 12:51:07 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2026-01-16 12:51:07 [1239] __fnbamd_rad_dns_cb-Resolved <name_of_radiusserver>:<FQDN_of_radiusserver> to ::, cur stack size:0
2026-01-16 12:51:07 [1204] __auth_ctx_svr_push-Failed to add addr <FQDN_of_radiusserver> from rad '<name_of_radiusserver>'
2026-01-16 12:51:07 [566] __rad_tcps_connect-Start rad conn timer.
[...] same message as above
2026-01-16 12:51:07 [566] __rad_tcps_connect-Start rad conn timer.
2026-01-16 12:51:07 [1689] __verify_cb-Cert preverify ok. Depth 1. Subject '<data>'
2026-01-16 12:51:07 [1689] __verify_cb-Cert preverify ok. Depth 0. Subject '<data>'
2026-01-16 12:51:07 [544] __rad_tcps_connect-tcps_connect(10.206.0.45) is established.
2026-01-16 12:51:07 [566] __rad_tcps_connect-Start rad conn timer.
2026-01-16 12:51:07 [934] __rad_rxtx-fd 12, state 1(Auth)
2026-01-16 12:51:07 [936] __rad_rxtx-Stop rad conn timer.
2026-01-16 12:51:07 [943] __rad_rxtx-
2026-01-16 12:51:07 [612] fnbamd_rad_make_access_request-
2026-01-16 12:51:07 [334] __create_access_request-Compose RADIUS request
2026-01-16 12:51:07 fnbamd_dbg_hex_pnt[49] EAP msg from client (19)-02 EF 00 13 01 73 74 65 66 61 6E 73 63 68 65 75 72 65 72
2026-01-16 12:51:07 [595] __create_access_request-Created RADIUS Access-Request. Len: 174.
2026-01-16 12:51:07 [739] __rad_tcps_send-Sent 174/174.
2026-01-16 12:51:07 [741] __rad_tcps_send-Sent all. Total 174.
2026-01-16 12:51:07 [965] __rad_rxtx-Sent radius req to server '<name_of_radiusserver>': fd=12, IP=<FQDN_of_radiusserver>(10.206.0.45:2083) code=1 id=172 len=174
2026-01-16 12:51:07 [974] __rad_rxtx-Start rad conn timer.
2026-01-16 12:51:07 [934] __rad_rxtx-fd 12, state 1(Auth)
2026-01-16 12:51:07 [936] __rad_rxtx-Stop rad conn timer.
2026-01-16 12:51:07 [977] __rad_rxtx-
2026-01-16 12:51:07 [788] __rad_tcps_recv-Rcvd 64.
2026-01-16 12:51:07 [803] __rad_tcps_recv-Expected 64 bytes.
2026-01-16 12:51:07 [817] __rad_tcps_recv-Received all. Total 64.
2026-01-16 12:51:07 [1133] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
2026-01-16 12:51:07 [1156] __rad_chk_resp_authenticator-ret=0
2026-01-16 12:51:07 [1231] fnbamd_rad_validate_pkt-RADIUS resp code 11
2026-01-16 12:51:07 [1003] __rad_rxtx-
2026-01-16 12:51:07 [1301] fnbamd_rad_process-Result from radius svr '<name_of_radiusserver>' is 2, req 13121148985349
2026-01-16 12:51:07 fnbamd_dbg_hex_pnt[49] EAP msg from server (6)-01 F0 00 06 19 20
2026-01-16 12:51:07 [1503] fnbamd_rad_process-Challenged: 1, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 16
2026-01-16 12:51:07 [239] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 13121148985349, len=6694
2026-01-16 12:51:07 [1348] fnbamd_rad_pause-Pausing <name_of_radiusserver>:10.206.0.45.
2026-01-16 12:51:07 [1352] fnbamd_rad_pause-Stop rad conn timer.
2026-01-16 12:51:07 [890] __rad_del_job_timer-
2026-01-16 12:51:07 [1276] freeze_auth_session-
2026-01-16 12:51:07 [2353] handle_req-Rcvd chal rsp for req 13121148985349
2026-01-16 12:51:07 [1293] unfreeze_auth_session-
2026-01-16 12:51:07 [1056] fnbamd_auth_send_chal_rsp-svr_type=2, idx=0
2026-01-16 12:51:07 [1874] fnbamd_ldaps_destroy-
2026-01-16 12:51:07 [1048] fnbamd_tacs_destroy-
2026-01-16 12:51:07 [1427] fnbamd_rads_resume-
2026-01-16 12:51:07 [1389] fnbamd_rad_resume-<name_of_radiusserver>:<FQDN_of_radiusserver>, addr 10.206.0.45
2026-01-16 12:51:07 [1412] fnbamd_rad_resume-state 2.
2026-01-16 12:51:07 [913] __rad_add_job_timer-
2026-01-16 12:51:07 [934] __rad_rxtx-fd 12, state 2(Challenged)
2026-01-16 12:51:07 [936] __rad_rxtx-Stop rad conn timer.
2026-01-16 12:51:07 [943] __rad_rxtx-
2026-01-16 12:51:07 [684] fnbamd_rad_make_chal_request-
2026-01-16 12:51:07 [334] __create_access_request-Compose RADIUS request
2026-01-16 12:51:07 fnbamd_dbg_hex_pnt[49] EAP msg from client (7)-02 F0 00 07 03 1A 06
2026-01-16 12:51:07 [595] __create_access_request-Created RADIUS Access-Request. Len: 180.
2026-01-16 12:51:07 [739] __rad_tcps_send-Sent 180/180.
2026-01-16 12:51:07 [741] __rad_tcps_send-Sent all. Total 180.
2026-01-16 12:51:07 [965] __rad_rxtx-Sent radius req to server '<name_of_radiusserver>': fd=12, IP=<FQDN_of_radiusserver>(10.206.0.45:2083) code=1 id=173 len=180
2026-01-16 12:51:07 [974] __rad_rxtx-Start rad conn timer.
2026-01-16 12:51:07 [934] __rad_rxtx-fd 12, state 2(Challenged)
2026-01-16 12:51:07 [936] __rad_rxtx-Stop rad conn timer.
2026-01-16 12:51:07 [977] __rad_rxtx-
2026-01-16 12:51:07 [788] __rad_tcps_recv-Rcvd 73.
2026-01-16 12:51:07 [803] __rad_tcps_recv-Expected 73 bytes.
2026-01-16 12:51:07 [817] __rad_tcps_recv-Received all. Total 73.
2026-01-16 12:51:07 [1133] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
2026-01-16 12:51:07 [1156] __rad_chk_resp_authenticator-ret=0
2026-01-16 12:51:07 [1231] fnbamd_rad_validate_pkt-RADIUS resp code 11
2026-01-16 12:51:07 [1003] __rad_rxtx-
2026-01-16 12:51:07 [1301] fnbamd_rad_process-Result from radius svr '<name_of_radiusserver>' is 2, req 13121148985349
2026-01-16 12:51:07 fnbamd_dbg_hex_pnt[49] EAP msg from server (15)-01 F1 00 0F 06 50 61 73 73 77 6F 72 64 3A 20
2026-01-16 12:51:07 [1503] fnbamd_rad_process-Challenged: 1, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 16
2026-01-16 12:51:07 [239] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 13121148985349, len=6703
2026-01-16 12:51:07 [1348] fnbamd_rad_pause-Pausing <name_of_radiusserver>:10.206.0.45.
2026-01-16 12:51:07 [1352] fnbamd_rad_pause-Stop rad conn timer.
2026-01-16 12:51:07 [890] __rad_del_job_timer-
2026-01-16 12:51:07 [1276] freeze_auth_session-
2026-01-16 12:51:07 [2353] handle_req-Rcvd chal rsp for req 13121148985349
2026-01-16 12:51:07 [1293] unfreeze_auth_session-
2026-01-16 12:51:07 [1056] fnbamd_auth_send_chal_rsp-svr_type=2, idx=0
2026-01-16 12:51:07 [1874] fnbamd_ldaps_destroy-
2026-01-16 12:51:07 [1048] fnbamd_tacs_destroy-
2026-01-16 12:51:07 [1427] fnbamd_rads_resume-
2026-01-16 12:51:07 [1389] fnbamd_rad_resume-<name_of_radiusserver>:<FQDN_of_radiusserver>, addr 10.206.0.45
2026-01-16 12:51:07 [1412] fnbamd_rad_resume-state 2.
2026-01-16 12:51:07 [913] __rad_add_job_timer-
2026-01-16 12:51:07 [934] __rad_rxtx-fd 12, state 2(Challenged)
2026-01-16 12:51:07 [936] __rad_rxtx-Stop rad conn timer.
2026-01-16 12:51:07 [943] __rad_rxtx-
2026-01-16 12:51:07 [684] fnbamd_rad_make_chal_request-
2026-01-16 12:51:07 [334] __create_access_request-Compose RADIUS request
2026-01-16 12:51:07 fnbamd_dbg_hex_pnt[49] EAP msg from client (31)-02 F1 00 1F 06 73 72 35 45 53 78 33 39 57 48 33 36 31 43 36 57 4E 36 61 75 58 45 6D 37 35 37
2026-01-16 12:51:07 [595] __create_access_request-Created RADIUS Access-Request. Len: 204.
2026-01-16 12:51:07 [739] __rad_tcps_send-Sent 204/204.
2026-01-16 12:51:07 [741] __rad_tcps_send-Sent all. Total 204.
2026-01-16 12:51:07 [965] __rad_rxtx-Sent radius req to server '<name_of_radiusserver>': fd=12, IP=<FQDN_of_radiusserver>(10.206.0.45:2083) code=1 id=174 len=204
2026-01-16 12:51:07 [974] __rad_rxtx-Start rad conn timer.
2026-01-16 12:51:08 [934] __rad_rxtx-fd 12, state 2(Challenged)
2026-01-16 12:51:08 [936] __rad_rxtx-Stop rad conn timer.
2026-01-16 12:51:08 [977] __rad_rxtx-
2026-01-16 12:51:08 [788] __rad_tcps_recv-Rcvd 44.
2026-01-16 12:51:08 [803] __rad_tcps_recv-Expected 44 bytes.
2026-01-16 12:51:08 [817] __rad_tcps_recv-Received all. Total 44.
2026-01-16 12:51:08 [1133] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
2026-01-16 12:51:08 [1156] __rad_chk_resp_authenticator-ret=0
2026-01-16 12:51:08 [1231] fnbamd_rad_validate_pkt-RADIUS resp code 3
2026-01-16 12:51:08 [1119] __rad_error-Ret 1, st = 2.
2026-01-16 12:51:08 [301] fnbamd_radius_get_next_auth_prot-Next auth prot ??
2026-01-16 12:51:08 [1168] __rad_error-
2026-01-16 12:51:08 [663] __rad_tcps_close-closed.
2026-01-16 12:51:08 [1055] __rad_conn_stop-Stop rad conn timer.
2026-01-16 12:51:08 [1301] fnbamd_rad_process-Result from radius svr '<name_of_radiusserver>' is 1, req 13121148985349
2026-01-16 12:51:08 fnbamd_dbg_hex_pnt[49] EAP msg from server (4)-04 F1 00 04
2026-01-16 12:51:08 [1503] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 0
2026-01-16 12:51:08 [890] update_auth_token_session-mfa_mandatory is off, only success results may require 2fa
2026-01-16 12:51:08 [239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 13121148985349, len=6692
2026-01-16 12:51:08 [603] destroy_auth_session-delete session 13121148985349
2026-01-16 12:51:08 [1436] fnbamd_rad_stop-
2026-01-16 12:51:08 [1060] __rad_stop-
2026-01-16 12:51:08 [1055] __rad_conn_stop-Stop rad conn timer.
2026-01-16 12:51:08 [890] __rad_del_job_timer-
2026-01-16 12:51:08 [1444] fnbamd_rads_destroy-
2026-01-16 12:51:08 [516] fnbamd_rad_auth_ctx_free-Freeing '<name_of_radiusserver>' ctx
2026-01-16 12:51:08 [1316] fnbamd_rad_auth_ctx_uninit-
2026-01-16 12:51:08 [1060] __rad_stop-
2026-01-16 12:51:08 [1055] __rad_conn_stop-Stop rad conn timer.
2026-01-16 12:51:08 [364] fnbamd_rad_free-Freeing <name_of_radiusserver>, ref:2
2026-01-16 12:51:08 [41] __rad_server_free-Freeing <FQDN_of_radiusserver>, ref:2
2026-01-16 12:51:08 [519] fnbamd_rad_auth_ctx_free-
2026-01-16 12:51:08 [1447] fnbamd_rads_destroy-
2026-01-16 12:51:08 [1874] fnbamd_ldaps_destroy-
2026-01-16 12:51:08 [1048] fnbamd_tacs_destroy-
2026-01-16 12:51:08 [910] fnbamd_pop3s_destroy-
2026-01-16 12:51:08 [1078] fnbamd_ext_idps_destroy-
2026-01-16 12:51:08 [2383] handle_req-Rcvd abort req for 13121148985349
2026-01-16 12:51:08 [2398] handle_req-Can't abort, no active req 13121148985349

 

Fri Jan 16 13:01:44 2026	information	Authentication	EAP Login	Failed		EAP-GTC login failed by <username> from <client_source_ip>
Fri Jan 16 13:01:44 2026	information	Authentication	Authentication	Failed		802.1x authentication failed
Fri Jan 16 13:01:44 2026	information	Authentication				Local administrator authentication from <client_source_ip> with FortiToken failed: invalid token
Fri Jan 16 13:01:44 2026	information	Authentication	EAP Login	Start		EAP session start from <client_source_ip>
Labels:
68
0 Kudos
1 REPLY 1
joshbergm
New Contributor III

Created on ‎01-16-2026 04:48 AM Edited on ‎01-16-2026 04:48 AM

Hi!

This is my working configuration with local accounts.

RADIUS should work fine too, I think...

 

conf vpn ipsec phase1-interface

edit <name>
        set type dynamic
        set interface <wan interface>
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set internal-domain-list <domain>
        set proposal aes256-sha256
        set localid <localid>
        set dhgrp 16
        set eap enable
        set eap-identity send-request
        set fec-egress enable
        set fec-codec rs
        set fec-ingress enable
        set peerid <peerid>
        set ipv4-start-ip <startip>
        set ipv4-end-ip <endip>
        set ipv4-netmask <mask>
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret <secret>
        set dpd-retryinterval 60

 

59
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.