Hello,
I'm stuck creating an IPsec dialup VPN (IKEv2) with Cisco DUO.
During the Phase 1 negotiation I see errors on the failing EAP negotiation; below are the screenshot taken directly from the firewall GUI and the log taken from the CLI.
I double-checked all the settings and even configured the following for EAP:
set eap enable
set eap-identity send-request
set acct-verify enable
But I'm still facing "FNBAM_DENIED" followed by "connection expiring due to EAP failure". What am I missing, and what should I do?
My RADIUS is DUO_MFA with IP 192.168.20.125.
105.94.83.72 is the remote IP and 25.36.47.58 is my public IP.
john.week is my user.
FW version is 7.4.7.
FortiClient version is 7.4.3 and 7.4.0.1658.
VPN
FWISDB (Vpn) # ike V=internet:accepts ike tcp-transport(vd=1, vrf=0, intf=0:55, 88.51.233.52:4500->157.245.243.118:36001 sock=0 refcnt=2 ph1=(nil)) (53).
ike V=internet:Wrong IKETCP prefix(OPTION)
ike V=Vpn:5: comes 25.36.47.58:500->105.94.83.72:500,ifindex=150,vrf=0,len=396....
ike V=Vpn:5: IKEv2 exchange=SA_INIT id=a679ff7c2cab8abb/0000000000000000 len=396
id=65308 trace_id=313 func=print_pkt_detail line=5932 msg="vd-internet:0 received a packet(proto=17, 25.36.47.58:500->105.94.83.72:500) tun_id=0.0.0.0 from port2.119. "
id=65308 trace_id=313 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-9857a0dd, original direction"
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: responder received SA_INIT msg
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
id=65308 trace_id=313 func=ipv4_fast_cb line=53 msg="enter fast path"
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: received notify type NAT_DETECTION_SOURCE_IP
id=65308 trace_id=314 func=print_pkt_detail line=5932 msg="vd-Vpn:0 received a packet(proto=17, 25.36.47.58:500->105.94.83.72:500) tun_id=0.0.0.0 from PTP-VPN1. "
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: received notify type NAT_DETECTION_DESTINATION_IP
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: incoming proposal:
id=65308 trace_id=314 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-9857a0de, original direction"
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: proposal id = 1:
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: protocol = IKEv2:
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: encapsulation = IKEv2/none
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=ENCR, val=AES_CBC (key_len = 256)
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=PRF, val=PRF_HMAC_SHA2_256
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=DH_GROUP, val=ECP521.
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: proposal id = 2:
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: protocol = IKEv2:
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: encapsulation = IKEv2/none
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=ENCR, val=AES_CBC (key_len = 256)
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=PRF, val=PRF_HMAC_SHA2_256
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=DH_GROUP, val=ECP521.
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: matched proposal id 1
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: proposal id = 1:
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: protocol = IKEv2:
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: encapsulation = IKEv2/none
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=ENCR, val=AES_CBC (key_len = 256)
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=PRF, val=PRF_HMAC_SHA2_256
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: type=DH_GROUP, val=ECP521.
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: lifetime=86400
ike V=Vpn:5:a679ff7c2cab8abb/0000000000000000:26409: SA proposal chosen, matched gateway Split
ike V=Vpn:5:Split:Split: created connection: 0xc4940d0 150 105.94.83.72->25.36.47.58:500.
ike V=Vpn:5:Split: HA start as master
ike V=Vpn:5:Split:26409: processing notify type NAT_DETECTION_SOURCE_IP
ike V=Vpn:5:Split:26409: processing NAT-D payload
ike V=Vpn:5:Split:26409: NAT detected: PEER
ike V=Vpn:5:Split:26409: process NAT-D
ike V=Vpn:5:Split:26409: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=Vpn:5:Split:26409: processing NAT-D payload
ike V=Vpn:5:Split:26409: NAT detected: PEER
ike V=Vpn:5:Split:26409: process NAT-D
ike V=Vpn:5:Split:26409: FEC vendor ID received FEC but IP not set
ike 5:Split:26409: FCT EAP 2FA extension vendor ID received
ike V=Vpn:5:Split:26409: responder preparing SA_INIT msg
ike V=Vpn:5:Split:26409: generate DH public value request queued
ike V=Vpn:5:Split:26409: responder preparing SA_INIT msg
ike V=Vpn:5:Split:26409: compute DH shared secret request queued
ike V=Vpn:5:Split:26409: responder preparing SA_INIT msg
ike V=Vpn:5:Split:26409: create NAT-D hash local 105.94.83.72/500 remote 25.36.47.58/500
ike V=Vpn:5:Split:26409: sent IKE msg (SA_INIT_RESPONSE): 105.94.83.72:500->25.36.47.58:500, len=292, vrf=0, id=a679ff7c2cab8abb/c199d61f0bbd9681, oif=150
ike 5:Split:26409: IKE SA a679ff7c2cab8abb/c199d61f0bbd9681 SK_ei 32:B51AAD050FA3070A8B56D50067B46C4B42F0D5A8A50F9DC8AAD020970B9A7F3F
ike 5:Split:26409: IKE SA a679ff7c2cab8abb/c199d61f0bbd9681 SK_er 32:35B587AC6525162E424C842BC932791ED638D6A090EA3A2EF534121D0CADF413
ike 5:Split:26409: IKE SA a679ff7c2cab8abb/c199d61f0bbd9681 SK_ai 32:5A68679363A3A8076DF48003E836143271808E107D2571DDEBD2B8AE00E4F217
ike 5:Split:26409: IKE SA a679ff7c2cab8abb/c199d61f0bbd9681 SK_ar 32:E19C22C82A3BC0616929D77C148550B5B5A4F616324F5BA07688E79CE340BF0F
ike V=Vpn:5: comes 25.36.47.58:4500->105.94.83.72:4500,ifindex=150,vrf=0,len=628....
ike V=Vpn:5: IKEv2 exchange=AUTH id=a679ff7c2cab8abb/c199d61f0bbd9681:00000001 len=624
ike V=Vpn:5:Split: HA state master(2)
id=65308 trace_id=315 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=316 func=print_pkt_detail line=5932 msg="vd-Vpn:0 received a packet(proto=17, 25.36.47.58:4500->105.94.83.72:4500) tun_id=0.0.0.0 from PTP-VPN1. "
ike 5:Split:26409: dec A679FF7C2CAB8ABBC199D61F0BBD96812E202308000000010000024D230000042900000C01000000C0A8018B29000008000040002F00013D0000F1005645523D310A4643545645523D372E342E302E313635380A5549443D46314246424331464345353534374144414539383434433344453632324641390A49503D3139322E3136382E34332E310A4D41433D63302D34372D30652D32632D31312D37663B30302D30352D39612D33632D37612D30303B31342D34662D64372D63632D38612D36303B33302D65332D61342D61382D35362D39373B33302D65332D61342D61382D35362D39383B33322D65332D61342D61382D35362D39373B0A484F53543D4E54542D484E50305937340A555345523D6D6172636F2E72657363616C6C690A4F535645523D4D6963726F736F66742057696E646F777320313120456E74657270726973652045646974696F6E2C2036342D62697420286275696C64203236313030290A5245475F5354415455533D300A002100005801000000000700104643543830303232353437383736353400010000000200000003000000040000000D00000019000000080000000F0000000A0000000B000070010000540A0000540B000070000000001900002C0000540200002801030403716611520300000C0100000C800E0100030000080300000C00000008050000000000002802030403716611520300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
id=65308 trace_id=316 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-9857a0e7, original direction"
ike V=Vpn:5:Split:26409: responder received AUTH msg
ike V=Vpn:5:Split:26409: processing notify type INITIAL_CONTACT
ike V=Vpn:5:Split:26409: processing notify type FORTICLIENT_CONNECT
ike V=Vpn:5:Split:26409: received FCT data len = 309, data = 'VER=1
FCTVER=7.4.0.1658
UID=F1BFBC1FCE5547ADAE9844C3DE622FA9
IP=192.168.43.1
MAC=c6-67-0e-7c-71-4c;10-05-3a-3c-1a-00;89-4f-y7-cc-8a-60;67-e3-u5-a8-56-67;77-e3-h7-a8-56-98;32-e3-a4-a8-56-97;
HOST=MYPC-HNR74
USER=john.week
OSVER=Microsoft Windows 11 Enterprise Edition, 64-bit (build 26100)
REG_STATUS=0
'
ike V=Vpn:5:Split:26409: received FCT-UID : F1BFBC1FCE5547ADAE9844C3DE622FA9
ike V=Vpn:5:Split:26409: received EMS SN :
ike V=Vpn:5:Split:26409: received EMS tenant ID :
ike V=Vpn:5:Split:26409: peer identifier IPV4_ADDR 192.168.1.139
ike V=Vpn:5:Split:26409: re-validate gw ID
ike V=Vpn:5:Split:26409: gw validation OK
ike V=Vpn:5:Split:26409: responder preparing EAP identity request
ike 5:Split:26409: enc 2700000C010000005833E90430000028020000006F3EBC7DB2B23F11252DDCC8AF91B6548387491FC0262C039612E85DE8D06DFF0000000901FC000501020102
ike V=Vpn:5:Split:26409: remote port change 500 -> 4500
ike 5:Split:26409: out A679FF7C2CAB8ABBC199D61F0BBD96812E2023200000000100000080240000648500E585281FF9D87A575377E51B2F916AF16D7F818CF175A3A9F62ED521C509884446940E28ABC4AB11BB08C7B975CD032B54AEF6EECD50BDEC4C5A027101CD4F5FE7ACC8D528AF4DEDB36E7ED9247CEDF5A5E9DAD01C57EAC8363A6D12A594
ike V=Vpn:5:Split:26409: sent IKE msg (AUTH_RESPONSE): 105.94.83.72:4500->25.36.47.58:4500, len=128, vrf=0, id=a679ff7c2cab8abb/c199d61f0bbd9681:00000001, oif=150
ike V=Vpn:5: comes 25.36.47.58:4500->105.94.83.72:4500,ifindex=150,vrf=0,len=100....
id=65308 trace_id=317 func=print_pkt_detail line=5932 msg="vd-internet:0 received a packet(proto=17, 25.36.47.58:4500->105.94.83.72:4500) tun_id=0.0.0.0 from port2.119. "
ike V=Vpn:5: IKEv2 exchange=AUTH id=a679ff7c2cab8abb/c199d61f0bbd9681:00000002 len=96
ike 5: in A679FF7C2CAB8ABBC199D61F0BBD96812E20230800000002000000603000004494AF04DC85ABF8C97F6B4EEA23E89997E69BF714B6271355F33A0B8F764365771BF5A3EE99ED1E7570ED419F1B825CA724F8B6BA67EED657C6E24E32BB0B72C2
ike V=Vpn:5:Split: HA state master(2)
id=65308 trace_id=317 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-9857a0e6, original direction"
ike 5:Split:26409: dec A679FF7C2CAB8ABBC199D61F0BBD96812E2023080000000200000037300000040000001702FC0013016D6172636F2E72657363616C6C69
id=65308 trace_id=317 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=318 func=print_pkt_detail line=5932 msg="vd-Vpn:0 received a packet(proto=17, 25.36.47.58:4500->105.94.83.72:4500) tun_id=0.0.0.0 from PTP-VPN1. "
id=65308 trace_id=318 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-9857a0e7, original direction"
ike V=Vpn:5:Split:26409: responder received EAP msg
ike V=Vpn:5:Split:26409: send EAP message to FNBAM
ike V=Vpn:5:Split:26409: initiating EAP authentication
ike V=Vpn:5:Split: EAP user "john.week"
ike V=Vpn:5:Split: auth group vpngroup
ike V=Vpn:5:Split: EAP 64459123495318 pending
[1757] handle_req-Rcvd auth req 64459123495318 for john.week in vpngroup opt=00000020 prot=7 svc=9
[333] __compose_group_list_from_req-Group 'vpngroup', type 1
[508] create_auth_session-Session created for req id 64459123495318
[590] fnbamd_cfg_get_tac_plus_list-
[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[557] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'vpngroup'
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[756] __fnbamd_cfg_get_ldap_list_by_group-
[856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 0
[416] ldap_start-Didn't find ldap servers
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[844] __fnbamd_cfg_get_radius_list_by_group-
[858] __fnbamd_cfg_get_radius_list_by_group-Group 'vpngroup'
[456] fnbamd_rad_get-vfid=5, name='DUO_MFA'
[805] __rad_auth_ctx_insert-Loaded RADIUS server 'DUO_MFA'
[863] __fnbamd_cfg_get_radius_list_by_group-Loaded RADIUS server 'DUO_MFA' for usergroup 'vpngroup' (7)
[818] __rad_auth_ctx_insert_all_usergroup-
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot EAP
[1107] __auth_ctx_svr_push-Added addr 192.168.20.125:1812 from rad 'DUO_MFA'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'DUO_MFA': 192.168.20.125:1812.
[1125] __auth_ctx_start-Connection starts DUO_MFA:192.168.20.125, addr 192.168.20.125:1812 proto: UDP
[280] __rad_udp_open-Opened radius socket 12, sa_family 2
[945] __rad_conn_start-Socket 12 is created for rad 'DUO_MFA'.
[807] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'vpngroup'
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1900] handle_req-r=4
[828] __rad_rxtx-fd 12, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[605] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (19)-02 FC 00 13 01 6D 61 72 63 6F 2E 72 65 73 63 61 6C 6C 69
[588] __create_access_request-Created RADIUS Access-Request. Len: 171.
[1171] fnbamd_socket_update_interface-vfid is 5, intf mode is 0, intf name is , server address is 192.168.20.125:1812, source address is null, protocol number is 17, oif id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'DUO_MFA': fd=12, IP=192.168.20.125(192.168.20.125:1812) code=1 id=56 len=171
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 12, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 44 bytes. Buf sz 8192
[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is optional now
[1148] __rad_chk_resp_authenticator-ret=0
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 3
[1028] __rad_error-Ret 1, st = 1.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot ??
[1077] __rad_error-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[1286] fnbamd_rad_process-Result from radius svr 'DUO_MFA' is 1, req 64459123495318
fnbamd_dbg_hex_pnt[49] EAP msg from server (4)-04 FC 00 04
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[887] update_auth_token_session-mfa_mandatory is off, only success results may require 2fa
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 64459123495318, len=6692
[600] destroy_auth_session-delete session 64459123495318
ike V=Vpn:5:Split:26409 EAP 64459123495318 result FNBAM_DENIED
ike V=Vpn:5:Split: EAP failed for user "john.week"
[1347] fnbamd_rads_destroy-
ike V=Vpn:5:Split:26409: responder preparing EAP pass through message
ike 5:Split:26409: enc 0000000804FC00040706050403020107
[1219] fnbamd_rad_auth_ctx_uninit-
ike 5:Split:26409: out A679FF7C2CAB8ABBC199D61F0BBD96812E20232000000002000000503000003481D14D5680504BD4F679F308905AB926D38B40CBCF7B0F2FA216BBF4F0A2F0E75967BB5918970F031E6B200D94510897
[969] __rad_stop-
ike V=Vpn:5:Split:26409: sent IKE msg (AUTH_RESPONSE): 105.94.83.72:4500->25.36.47.58:4500, len=80, vrf=0, id=a679ff7c2cab8abb/c199d61f0bbd9681:00000002, oif=150
ike V=Vpn:5:Split: connection expiring due to EAP failure
[964] __rad_conn_stop-Stop rad conn timer.
ike V=Vpn:5:Split: going to be deleted
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing DUO_MFA, ref:2
[41] __rad_server_free-Freeing 192.168.20.125, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[902] fnbamd_pop3s_destroy-
[1070] fnbamd_ext_idps_destroy-
[2366] handle_req-Rcvd abort req for 64459123495318
[2381] handle_req-Can't abort, no active req 64459123495318
Hi Maerre,
You can try changing group matching to 'Any' under User & Authentication -> User Groups and test again.
If you have found a solution, please like and accept it to make it easily accessible to others.
Regards,
Aman
Hi Maerre,
From the attached logs, I can see you are getting the message '[1216] fnbamd_rad_validate_pkt-RADIUS resp code 3'
Please refer to the documents below for more information:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reason-for-RADIUS-Reject-co...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-RADIUS-error-codes/ta-p/270026
Regards!
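The reject pointed out in the reply above can be read mechanically from the fnbamd debug output. The script below is an added example, not part of the original thread and not a Fortinet tool: it maps the RADIUS codes (RFC 2865) and decodes the EAP headers (RFC 3748) that appear in the log. The sample lines are copied from the question, except the client EAP line, which is constructed here to carry the posted user name.

```python
import re

RADIUS = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# fnbamd/ike debug lines from the question; the first line is constructed.
SAMPLE_LOG = """\
fnbamd_dbg_hex_pnt[49] EAP msg from client (14)-02 FC 00 0E 01 6A 6F 68 6E 2E 77 65 65 6B
[868] __rad_rxtx-Sent radius req to server 'DUO_MFA': fd=12, IP=192.168.20.125(192.168.20.125:1812) code=1 id=56 len=171
[431] __rad_udp_recv-Recved 44 bytes. Buf sz 8192
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 3
fnbamd_dbg_hex_pnt[49] EAP msg from server (4)-04 FC 00 04
ike V=Vpn:5:Split:26409 EAP 64459123495318 result FNBAM_DENIED
"""

def parse_eap(hex_bytes):
    """Decode the 4-byte EAP header and, when present, the type byte."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    msg = {"code": EAP.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a type
        msg["type"] = raw[4]
        if raw[4] == 1:                    # type 1 = Identity
            msg["identity"] = raw[5:length].decode("utf-8", "replace")
    return msg

def summarize(log):
    """Collect the RADIUS exchange, EAP messages and final FNBAM result."""
    out = {"server": None, "radius": [], "eap": [], "result": None}
    for line in log.splitlines():
        if m := re.search(r"Sent radius req to server '([^']+)'.*\bcode=(\d+)", line):
            out["server"] = m.group(1)
            out["radius"].append(RADIUS.get(int(m.group(2)), m.group(2)))
        elif m := re.search(r"RADIUS resp code (\d+)", line):
            out["radius"].append(RADIUS.get(int(m.group(1)), m.group(1)))
        elif m := re.search(r"EAP msg from (client|server) \(\d+\)-([0-9A-Fa-f ]+)", line):
            out["eap"].append((m.group(1), parse_eap(m.group(2))))
        elif m := re.search(r"result (FNBAM_\w+)", line):
            out["result"] = m.group(1)
    # Request followed directly by Reject, with no Access-Challenge between,
    # means the server refused the first EAP-Identity packet.
    out["rejected_on_first_packet"] = out["radius"] == ["Access-Request", "Access-Reject"]
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this shows a single Access-Request answered by an Access-Reject carrying EAP Failure, so the RADIUS server's own log for that request is the place to find the reason for the denial.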