Hi everyone,
I’ve deployed an IPsec dial-up VPN to allow users to connect via FortiClient.
The VPN uses IKEv2 and a RADIUS server, and all users belong to the emergency group.
After configuring FortiClient with all the correct phase 1 and phase 2 parameters, I consistently get the following error when trying to connect:
"WRONG CREDENTIAL EAP FAILED CONNECTING TO 8.x.x.x"
Below I’ve included the phase 1 and 2 configuration, along with the log captured from the FortiGate.
The log clearly shows that the user is correctly identified, as well as their group membership.
However, shortly before the error, this message appears:
ike V=Vpn:1:Emergency:1804 EAP 14757603831873 result FNBAM_DENIED
ike V=Vpn:1:Emergency: EAP failed for user "jjonh"
Phase1 configuration:
edit "Emergency"
set type dynamic
set interface "WAN"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 8.8.4.4
set proposal aes256-sha256
set dpd on-idle
set dhgrp 14
set eap enable
set eap-identity send-request
set authusrgrp "Emergency"
set assign-ip-from usrgrp
set ipv4-split-include "full_access"
set psksecret ENC +ncgTFp7tzN4WhjUVG5W54zeijkLlDsfnTO1hA7jhWDQaWgcDnJCEIMI9PFHyW7t/tCDwZCHLroJLDqG
set dpd-retrycount 5
Phase2 configuration:
edit "Emergency"
set phase1name "Emergency"
set proposal aes256-sha256
set dhgrp 14
next
Connection log attempt:
FIREWALL (Vpn) # ike V=Vpn:1: comes 55.80.5.2:500->140.3.33.6:500,ifindex=55,vrf=0,len=529....
ike V=Vpn:1: IKEv2 exchange=SA_INIT id=995754044bbdecd2/0000000000000000 len=529
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: responder received SA_INIT msg
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: received notify type NAT_DETECTION_SOURCE_IP
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: received notify type NAT_DETECTION_DESTINATION_IP
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: received notify type VPN_NETWORK_ID
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: NETWORK ID : 0
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: incoming proposal:
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: proposal id = 1:
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: protocol = IKEv2:
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: encapsulation = IKEv2/none
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=ENCR, val=AES_CBC (key_len = 256)
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=PRF, val=PRF_HMAC_SHA2_256
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=DH_GROUP, val=MODP2048.
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: proposal id = 2:
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: protocol = IKEv2:
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: encapsulation = IKEv2/none
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=ENCR, val=AES_CBC (key_len = 256)
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=PRF, val=PRF_HMAC_SHA2_256
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=DH_GROUP, val=MODP2048.
ike V=Vpn:1: cache rebuild start
ike V=Vpn:1:Emergency: cached as dynamic
ike V=Vpn:1: cache rebuild done
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: matched proposal id 1
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: proposal id = 1:
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: protocol = IKEv2:
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: encapsulation = IKEv2/none
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=ENCR, val=AES_CBC (key_len = 256)
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=PRF, val=PRF_HMAC_SHA2_256
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: type=DH_GROUP, val=MODP2048.
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: lifetime=86400
ike V=Vpn:1:995754044bbdecd2/0000000000000000:1804: SA proposal chosen, matched gateway Emergency
ike V=Vpn:1:Emergency:Emergency: created connection: 0x55fc39d077e0 55 140.3.33.6->55.80.5.2:500.
ike V=Vpn:1:Emergency: HA start as master
ike V=Vpn:1:Emergency:1804: processing notify type NAT_DETECTION_SOURCE_IP
ike V=Vpn:1:Emergency:1804: processing NAT-D payload
ike V=Vpn:1:Emergency:1804: NAT detected: PEER
ike V=Vpn:1:Emergency:1804: process NAT-D
ike V=Vpn:1:Emergency:1804: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=Vpn:1:Emergency:1804: processing NAT-D payload
ike V=Vpn:1:Emergency:1804: NAT detected: PEER
ike V=Vpn:1:Emergency:1804: process NAT-D
ike V=Vpn:1:Emergency:1804: FEC vendor ID received FEC but IP not set
ike 1:Emergency:1804: FCT EAP 2FA extension vendor ID received
ike V=Vpn:1:Emergency:1804: responder preparing SA_INIT msg
ike V=Vpn:1:Emergency:1804: generate DH public value request queued
ike V=Vpn:1:Emergency:1804: responder preparing SA_INIT msg
ike V=Vpn:1:Emergency:1804: compute DH shared secret request queued
ike V=Vpn:1:Emergency:1804: responder preparing SA_INIT msg
ike V=Vpn:1:Emergency:1804: create NAT-D hash local 140.3.33.6/500 remote 55.80.5.2/500
ike V=Vpn:1:Emergency:1804: sent IKE msg (SA_INIT_RESPONSE): 140.3.33.6:500->55.80.5.2:500, len=416, vrf=0, id=995754044bbdecd2/ef8197b85676e697, oif=55
ike 1:Emergency:1804: IKE SA 995754044bbdecd2/ef8197b85676e697 SK_ei 32:B9B8DDD9E0D32BCA3B9C5F5449B78494DC49B7AB6595605F98F711AC551CF278
ike 1:Emergency:1804: IKE SA 995754044bbdecd2/ef8197b85676e697 SK_er 32:2F0E6AFC38BB136C723F899E48E531D8E1FB50BA627480ADCEEFE9A9201F54BF
ike 1:Emergency:1804: IKE SA 995754044bbdecd2/ef8197b85676e697 SK_ai 32:0F47CA2B801C5079C471FA99E713EE7EF6E58C792631D9090E05B2B0F7B4CC34
ike 1:Emergency:1804: IKE SA 995754044bbdecd2/ef8197b85676e697 SK_ar 32:37B4E9EDA9400EC61687F083394DE72CC26E4DC93C9A24EBAB60DE6E35E57413
ike V=Vpn:1: comes 55.80.5.2:4500->140.3.33.6:4500,ifindex=55,vrf=0,len=548....
ike V=Vpn:1: IKEv2 exchange=AUTH id=995754044bbdecd2/ef8197b85676e697:00000001 len=544
ike V=Vpn:1:Emergency: HA state master(2)
ike V=Vpn:1:Emergency:1804: responder received AUTH msg
ike V=Vpn:1:Emergency:1804: processing notify type INITIAL_CONTACT
ike V=Vpn:1:Emergency:1804: processing notify type FORTICLIENT_CONNECT
ike V=Vpn:1:Emergency:1804: received FCT data len = 221, data = 'VER=1
FCTVER=7.4.3.1790
UID=A5670A4699C845FAAFA68EA972AAA6C8
IP=192.168.1.201
MAC=02-5c-77-59-gh-j9;
HOST=DESKTOP-TEST
USER=jjonh
OSVER=Microsoft Windows 11 Professional Edition, 64-bit (build 26200)
REG_STATUS=0
'
ike V=Vpn:1:Emergency:1804: received FCT-UID : A5670A4699C845FAAFA68EA972AAA6C8
ike V=Vpn:1:Emergency:1804: received EMS SN :
ike V=Vpn:1:Emergency:1804: received EMS tenant ID :
ike V=Vpn:1:Emergency:1804: peer identifier IPV4_ADDR 192.168.1.201
ike V=Vpn:1:Emergency:1804: re-validate gw ID
ike V=Vpn:1:Emergency:1804: gw validation OK
ike V=Vpn:1:Emergency:1804: responder preparing EAP identity request
ike 1:Emergency:1804: enc 2700000C010000005833E9043000002802000000A3723D594A7A508175674C877BEEB833DA46B346A616E2A38337462A660B47A6000000090179000501020
102
ike V=Vpn:1:Emergency:1804: remote port change 500 -> 4500
ike 1:Emergency:1804: out 995754044BBDECD2EF8197B85676E6972E202320000000010000008024000064204C0D333B6F632298ED341077739518A1CCC5682DA50EDEA875848275AA6
73C9D6BDE280697ED2F13B37DC974F1CC614E89D141F55065B18F20A3DEA9B25C927EF95971C2240BF802801FDE585EDC871AC44AEAA48DE6F4885D6FC752CCD8C1
ike V=Vpn:1:Emergency:1804: sent IKE msg (AUTH_RESPONSE): 140.3.33.6:4500->55.80.5.2:4500, len=128, vrf=0, id=995754044bbdecd2/ef8197b85676e697:00000001, oif=55
ike V=Vpn:1: comes 55.80.5.2:4500->140.3.33.6:4500,ifindex=55,vrf=0,len=100....
ike V=Vpn:1: IKEv2 exchange=AUTH id=995754044bbdecd2/ef8197b85676e697:00000002 len=96
ike 1: in 995754044BBDECD2EF8197B85676E6972E202308000000020000006030000044C36385F1B522F6A212477D480A47982C1546EB247F218500801EEC80584F8B4F7DF461956E865
DC8E216217FBD62AB25ECED9E537F7E6E47B68F6737668420C9
ike V=Vpn:1:Emergency: HA state master(2)
ike 1:Emergency:1804: dec 995754044BBDECD2EF8197B85676E6972E202308000000020000003230000004000000120279000E016D6D6F6E7472617369
ike V=Vpn:1:Emergency:1804: responder received EAP msg
ike V=Vpn:1:Emergency:1804: send EAP message to FNBAM
ike V=Vpn:1:Emergency:1804: initiating EAP authentication
ike V=Vpn:1:Emergency: EAP user "jjonh"
ike V=Vpn:1:Emergency: auth group Emergency
ike V=Vpn:1:Emergency: EAP 14757603831873 pending
[1759] handle_req-Rcvd auth req 14757603831873 for jjonh in Emergency opt=00000020 prot=7 svc=9
[333] __compose_group_list_from_req-Group 'Emergency', type 1
[508] create_auth_session-Session created for req id 14757603831873
[590] fnbamd_cfg_get_tac_plus_list-
[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[557] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'Emergency'
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[756] __fnbamd_cfg_get_ldap_list_by_group-
[856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 0
[416] ldap_start-Didn't find ldap servers
[316] radius_start-eap_local=0
[901] fnbamd_cfg_get_radius_list-
[849] __fnbamd_cfg_get_radius_list_by_group-
[863] __fnbamd_cfg_get_radius_list_by_group-Group 'Emergency'
[456] fnbamd_rad_get-vfid=1, name='Emergency_Rad'
[810] __rad_auth_ctx_insert-Loaded RADIUS server 'Emergency_Rad'
[868] __fnbamd_cfg_get_radius_list_by_group-Loaded RADIUS server 'Emergency_Rad' for usergroup 'Emergency' (4)
[823] __rad_auth_ctx_insert_all_usergroup-
[923] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[1030] fnbamd_cfg_radius_clear_reachability-Clearing RAD server reachability Emergency_Rad:10.200.144.19
[941] fnbamd_rad_get_auth_server-
[1175] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[301] fnbamd_radius_get_next_auth_prot-Next auth prot EAP
[1110] __auth_ctx_svr_push-Added addr 10.200.144.19:1812 from rad 'Emergency_Rad'
[933] __fnbamd_rad_get_next_addr-Next available address of rad 'Emergency_Rad': 10.200.144.19:1812.
[1128] __auth_ctx_start-Connection starts Emergency_Rad:10.200.144.19, addr 10.200.144.19:1812 proto: UDP
[281] __rad_udp_open-Opened radius socket 10, sa_family 2
[948] __rad_conn_start-Socket 10 is created for rad 'Emergency_Rad'.
[810] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'Emergency'
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1902] handle_req-r=4
[831] __rad_rxtx-fd 10, state 1(Auth)
[833] __rad_rxtx-Stop rad conn timer.
[840] __rad_rxtx-
[612] fnbamd_rad_make_access_request-
[334] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (14)-02 79 00 0E 01 6D 6D 6F 6E 74 72 61 73 69
[595] __create_access_request-Created RADIUS Access-Request. Len: 161.
[1175] fnbamd_socket_update_interface-vfid is 1, intf mode is 0, intf name is , server address is 10.200.144.19:1812, source address is null, protocol number is 17, oif id is 0
[354] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[871] __rad_rxtx-Sent radius req to server 'Emergency_Rad': fd=10, IP=10.200.144.19(10.200.144.19:1812) code=1 id=14 len=161
[880] __rad_rxtx-Start rad conn timer.
[831] __rad_rxtx-fd 10, state 1(Auth)
[833] __rad_rxtx-Stop rad conn timer.
[883] __rad_rxtx-
[432] __rad_udp_recv-Recved 80 bytes. Buf sz 8192
[1133] __rad_chk_resp_authenticator-The Message Authenticator validation is optional now
[1156] __rad_chk_resp_authenticator-ret=0
[1231] fnbamd_rad_validate_pkt-RADIUS resp code 11
[915] __rad_rxtx-
[1301] fnbamd_rad_process-Result from radius svr 'Emergency_Rad' is 2, req 14757603831873
fnbamd_dbg_hex_pnt[49] EAP msg from server (22)-01 7A 00 16 04 10 57 FD 1A 21 2F D4 6B DB 45 AE E3 4D 8B 01 29 FF
[1503] fnbamd_rad_process-Challenged: 1, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 16
[239] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 14757603831873, len=6710
[1254] fnbamd_rad_pause-Pausing Emergency_Rad:10.200.144.19.
ike V=Vpn:1:Emergency:1804 EAP 14757603831873 result FNBAM_CHALLENGED
ike V=Vpn:1:Emergency: EAP challenged for user "jjonh"
[1258] fnbamd_rad_pause-Stop rad conn timer.
ike V=Vpn:1:Emergency:1804: responder preparing EAP pass through message
ike 1:Emergency:1804: enc 0000001A017A0016041057FD1A212FD46BDB45AEE34D8B0129FF050403020105
[787] __rad_del_job_timer-
ike 1:Emergency:1804: out 995754044BBDECD2EF8197B85676E6972E202320000000020000006030000044EF96584D012962A605D56D2E3CD73A317B7F738A3BE904393E9B9BB5E6CF8
F10971AF45271EA97CD8FBA42452084AAE2FB8DA181F41119A2EB2DC97750DEB0B4
ike V=Vpn:1:Emergency:1804: sent IKE msg (AUTH_RESPONSE): 140.3.33.6:4500->55.80.5.2:4500, len=96, vrf=0, id=995754044bbdecd2/ef8197b85676e697:00000002, oif=55
ike V=Vpn:1: comes 55.80.5.2:4500->140.3.33.6:4500,ifindex=55,vrf=0,len=84....
ike V=Vpn:1: IKEv2 exchange=AUTH id=995754044bbdecd2/ef8197b85676e697:00000003 len=80
ike 1: in 995754044BBDECD2EF8197B85676E6972E202308000000030000005030000034A0C89BD64CCD58D8EF92482C94C49E4DB856C4E1E447DBC841AA7F02376AFDC7D591F131D5FB0
88A728F79D1AC9CA520
ike V=Vpn:1:Emergency: HA state master(2)
ike 1:Emergency:1804: dec 995754044BBDECD2EF8197B85676E6972E202308000000030000002B300000040000000B027A0007031A06
ike V=Vpn:1:Emergency:1804: responder received EAP msg
ike V=Vpn:1:Emergency:1804: send EAP message to FNBAM
ike V=Vpn:1:Emergency: EAP 14757603831873 pending
[2338] handle_req-Rcvd chal rsp for req 14757603831873
[1278] unfreeze_auth_session-
[1056] fnbamd_auth_send_chal_rsp-svr_type=2, idx=0
[1868] fnbamd_ldaps_destroy-
[1042] fnbamd_tacs_destroy-
[1333] fnbamd_rads_resume-
[1295] fnbamd_rad_resume-Emergency_Rad:10.200.144.19, addr 10.200.144.19
[1318] fnbamd_rad_resume-state 2.
[810] __rad_add_job_timer-
[831] __rad_rxtx-fd 10, state 2(Challenged)
[833] __rad_rxtx-Stop rad conn timer.
[840] __rad_rxtx-
[684] fnbamd_rad_make_chal_request-
[334] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (7)-02 7A 00 07 03 1A 06
[595] __create_access_request-Created RADIUS Access-Request. Len: 172.
[1175] fnbamd_socket_update_interface-vfid is 1, intf mode is 0, intf name is , server address is 10.200.144.19:1812, source address is null, protocol number is 17, oif id is 0
[354] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[871] __rad_rxtx-Sent radius req to server 'Emergency_Rad': fd=10, IP=10.200.144.19(10.200.144.19:1812) code=1 id=15 len=172
[880] __rad_rxtx-Start rad conn timer.
[831] __rad_rxtx-fd 10, state 2(Challenged)
[833] __rad_rxtx-Stop rad conn timer.
[883] __rad_rxtx-
[432] __rad_udp_recv-Recved 124 bytes. Buf sz 8192
[1133] __rad_chk_resp_authenticator-The Message Authenticator validation is optional now
[1156] __rad_chk_resp_authenticator-ret=0
[1231] fnbamd_rad_validate_pkt-RADIUS resp code 11
[915] __rad_rxtx-
[1301] fnbamd_rad_process-Result from radius svr 'Emergency_Rad' is 2, req 14757603831873
fnbamd_dbg_hex_pnt[49] EAP msg from server (42)-01 7B 00 2A 1A 01 7B 00 25 10 48 A0 84 91 3D AE D8 B7 D5 9F 42 A2 14 22 4A 95 66 72 65 65 72 61 64 69 75 73 2D 33 2E 32 2E 37
[1503] fnbamd_rad_process-Challenged: 1, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 16
[239] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 14757603831873, len=6730
ike V=Vpn:1:Emergency:1804 EAP 14757603831873 result FNBAM_CHALLENGED
ike V=Vpn:1:Emergency: EAP challenged for user "jjonh"
ike V=Vpn:1:Emergency:1804: responder preparing EAP pass through message
[1258] fnbamd_rad_pause-Stop rad conn timer.
[787] __rad_del_job_timer-
[1261] freeze_auth_session-
ike 1:Emergency:1804: enc 0000002E017B002A1A017B00251048A084913DAED8B7D59F42A214224A95667265657261646975732D332E322E370101
ike 1:Emergency:1804: out 995754044BBDECD2EF8197B85676E6972E202320000000030000007030000054BD48CFDEB800AEA5E2D5A62BCFFCBD3AF854BD47E49FD830C13343695EC60
ECEEB7E43D2A8C51B6CE9F3CD2B060F01C602D92B8B3B60525B21CCE1469BBA8BC5F771CC1310CC6803BD1A26E69C66E6E1
ike V=Vpn:1:Emergency:1804: sent IKE msg (AUTH_RESPONSE): 140.3.33.6:4500->55.80.5.2:4500, len=112, vrf=0, id=995754044bbdecd2/ef8197b85676e697:00000003, oif=55
ike V=Vpn:1: comes 55.80.5.2:4500->140.3.33.6:4500,ifindex=55,vrf=0,len=148....
ike V=Vpn:1: IKEv2 exchange=AUTH id=995754044bbdecd2/ef8197b85676e697:00000004 len=144
ike 1: in 995754044BBDECD2EF8197B85676E6972E202308000000040000009030000074C6CC46B20F3A9C07D6DE18F5C2F4447CE43A347FCC00E2632A515B8A2536902FF78B378D08492
4DE1011898C3297F06C744D85FDE784B1E0B93E385BB4CCE5875B5A055F623E169EB6B185856C0A0A2CD020A298B08A04D5B985185DC85CE3F1C1BED9004A6F9E17E268911A4EE4957D
ike V=Vpn:1:Emergency: HA state master(2)
ike 1:Emergency:1804: dec 995754044BBDECD2EF8197B85676E6972E20230800000004000000683000000400000048027B00441A027B003F31DBDBBF5DD9CEBD771D514AF1159427880
000000000000000697D7889DE3E712FCC01DF72E4D59FF08DD7FFE6E54E7BF6006D6D6F6E7472617369
ike V=Vpn:1:Emergency:1804: responder received EAP msg
ike V=Vpn:1:Emergency:1804: send EAP message to FNBAM
ike V=Vpn:1:Emergency: EAP 14757603831873 pending
[2338] handle_req-Rcvd chal rsp for req 14757603831873
[1278] unfreeze_auth_session-
[1056] fnbamd_auth_send_chal_rsp-svr_type=2, idx=0
[1868] fnbamd_ldaps_destroy-
[1042] fnbamd_tacs_destroy-
[1333] fnbamd_rads_resume-
[1295] fnbamd_rad_resume-Emergency_Rad:10.200.144.19, addr 10.200.144.19
[1318] fnbamd_rad_resume-state 2.
[810] __rad_add_job_timer-
[831] __rad_rxtx-fd 10, state 2(Challenged)
[833] __rad_rxtx-Stop rad conn timer.
[840] __rad_rxtx-
[684] fnbamd_rad_make_chal_request-
[334] __create_access_request-Compose RADIUS request
fnbamd_dbg_hex_pnt[49] EAP msg from client (68)-02 7B 00 44 1A 02 7B 00 3F 31 DB DB BF 5D D9 CE BD 77 1D 51 4A F1 15 94 27 88 00 00 00 00 00 00 00 00 69 7D 78 89 DE 3E 71 2F CC 01 DF 72 E4 D5 9F F0 8D D7 FF E6 E5 4E 7B F6 00 6D 6D 6F 6E 74 72 61 73 69
[595] __create_access_request-Created RADIUS Access-Request. Len: 233.
[1175] fnbamd_socket_update_interface-vfid is 1, intf mode is 0, intf name is , server address is 10.200.144.19:1812, source address is null, protocol number is 17, oif id is 0
[354] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[871] __rad_rxtx-Sent radius req to server 'Emergency_Rad': fd=10, IP=10.200.144.19(10.200.144.19:1812) code=1 id=16 len=233
[880] __rad_rxtx-Start rad conn timer.
[831] __rad_rxtx-fd 10, state 2(Challenged)
[833] __rad_rxtx-Stop rad conn timer.
[883] __rad_rxtx-
[432] __rad_udp_recv-Recved 127 bytes. Buf sz 8192
[1133] __rad_chk_resp_authenticator-The Message Authenticator validation is optional now
[1156] __rad_chk_resp_authenticator-ret=0
[1231] fnbamd_rad_validate_pkt-RADIUS resp code 3
[1031] __rad_error-Ret 1, st = 2.
[301] fnbamd_radius_get_next_auth_prot-Next auth prot ??
[1080] __rad_error-
[307] __rad_udp_close-closed.
[967] __rad_conn_stop-Stop rad conn timer.
[1301] fnbamd_rad_process-Result from radius svr 'Emergency_Rad' is 1, req 14757603831873
fnbamd_dbg_hex_pnt[49] EAP msg from server (4)-04 7B 00 04
[1503] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 0
[887] update_auth_token_session-mfa_mandatory is off, only success results may require 2fa
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 14757603831873, len=6692
[600] destroy_auth_session-delete session 14757603831873
ike V=Vpn:1:Emergency:1804 EAP 14757603831873 result FNBAM_DENIED
ike V=Vpn:1:Emergency: EAP failed for user "jjonh"
[972] __rad_stop-
[967] __rad_conn_stop-Stop rad conn timer.
ike V=Vpn:1:Emergency:1804: responder preparing EAP pass through message
[787] __rad_del_job_timer-
ike 1:Emergency:1804: enc 00000008047B00040706050403020107
[1350] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'Emergency_Rad' ctx
ike 1:Emergency:1804: out 995754044BBDECD2EF8197B85676E6972E20232000000004000000503000003421AA84249D73ED4E5CC6D9AD163247AE30008C42DB422B92380577C35DC1E
323483A01326EE1EC8B7C641908D33AE925
[1222] fnbamd_rad_auth_ctx_uninit-
[972] __rad_stop-
ike V=Vpn:1:Emergency:1804: sent IKE msg (AUTH_RESPONSE): 140.3.33.6:4500->55.80.5.2:4500, len=80, vrf=0, id=995754044bbdecd2/ef8197b85676e697:00000004, oif=55
ike V=Vpn:1:Emergency: connection expiring due to EAP failure
ike V=Vpn:1:Emergency: going to be deleted
[364] fnbamd_rad_free-Freeing Emergency_Rad, ref:2
[41] __rad_server_free-Freeing 10.200.144.19, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1353] fnbamd_rads_destroy-
[1868] fnbamd_ldaps_destroy-
[1042] fnbamd_tacs_destroy-
[904] fnbamd_pop3s_destroy-
[1072] fnbamd_ext_idps_destroy-
[2368] handle_req-Rcvd abort req for 14757603831873
[2383] handle_req-Can't abort, no active req 14757603831873
ike :shrank heap by 331776 bytes
ike :change cfg 1 interface 0 router 0 certs 0 ha 0
ike :config update start
ike :ike_embryonic_conn_limit = 1000
ike :ikecrypt DH multi-process enabled
ike V=Vpn:1: sync=yes FGCP:enabled role:master, FGSP:disabled id:0 slave-add-routes:disabled
ike V=Vpn:1:Emergency: user IP assignment using group 'Emergency'
ike V=Vpn:1:Emergency: local-addr 140.3.33.6
Another bit: when testing the user credential via the FortiGate, the result is successful.
Unfortunately, I can’t open a support case with Fortinet since I’m using the free version of FortiClient, and I’m going crazy trying to find a solution.
Has anyone encountered a similar issue or knows how to fix it?
Thanks in advance!
Hi,
Did you have a look at this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-Dialup-IPsec-tunnel-with-RADIUS-and/... ?
Does your RADIUS server support MS-CHAPv2?
Hello,
With this RADIUS I have the default option; if I change to MS-CHAP and test the credential, the result fails.
Hi Maerre
Can you share the related RADIUS logs? I mean from RADIUS server.
Hi
From the debug output, the FortiGate correctly starts the EAP process and reaches the RADIUS server, but the exchange stops right after the challenge phase with FNBAM_DENIED. This usually means the RADIUS server doesn’t fully support MS-CHAPv2 or the EAP type configured on the FortiGate doesn’t match what the RADIUS expects.
Try enabling MS-CHAPv2 support on the RADIUS side and make sure the EAP method is aligned between both ends. You can also test the authentication directly with:
diagnose test authserver radius <server_name> <auth_scheme> <user> <password>
If the test succeeds but FortiClient still fails, it’s likely an EAP negotiation mismatch rather than invalid credentials.
Hi,
The RADIUS accepts the PAP method; if I change to MS-CHAPv2 on the FortiGate and test the credential, it fails.
What do you mean by "EAP method is aligned between both ends"? Do I need to check whether they are both using PAP rather than MS-CHAPv2?
For IKEv2, FortiClient will use EAP-MSCHAPv2.
If you want it PAP then it must be over EAP-TTLS and the FortiClient must be 7.4.3 or newer.
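The EAP messages recorded in the debug log above can be decoded to see which method is actually negotiated between FortiClient and the RADIUS server. This is an added example, not part of any post in the thread: it parses four `fnbamd_dbg_hex_pnt` lines copied from that log (console wrap rejoined) using the EAP packet layout from RFC 3748, and the function names are hypothetical.

```python
import re

# EAP codes and method type numbers (RFC 3748; 26 is EAP-MSCHAPv2).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Four fnbamd lines copied from the debug log in the thread (wrapped line rejoined).
LOG = """\
fnbamd_dbg_hex_pnt[49] EAP msg from server (22)-01 7A 00 16 04 10 57 FD 1A 21 2F D4 6B DB 45 AE E3 4D 8B 01 29 FF
fnbamd_dbg_hex_pnt[49] EAP msg from client (7)-02 7A 00 07 03 1A 06
fnbamd_dbg_hex_pnt[49] EAP msg from server (42)-01 7B 00 2A 1A 01 7B 00 25 10 48 A0 84 91 3D AE D8 B7 D5 9F 42 A2 14 22 4A 95 66 72 65 65 72 61 64 69 75 73 2D 33 2E 32 2E 37
fnbamd_dbg_hex_pnt[49] EAP msg from server (4)-04 7B 00 04
"""

# Sender, declared byte count, then the hex dump up to the end of the line.
LINE_RE = re.compile(
    r"EAP msg from (client|server) \((\d+)\)-((?:[0-9A-Fa-f]{2}[ \t]*)+)")


def type_name(t):
    return EAP_TYPES.get(t, f"type {t}")


def decode_eap(sender, raw):
    """Decode one EAP packet: code, identifier, length, then type and type data."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident = raw[0], raw[1]
    if int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("EAP length field does not match the dump")
    msg = {"from": sender, "code": EAP_CODES.get(code, f"code {code}"),
           "id": ident, "method": None, "detail": None}
    if code in (1, 2) and len(raw) > 4:      # only Request/Response carry a type
        etype, body = raw[4], raw[5:]
        msg["method"] = type_name(etype)
        if etype == 3:                       # Nak: list of methods the peer accepts
            msg["detail"] = [type_name(b) for b in body]
        elif etype == 26 and body:           # MSCHAPv2: opcode, id, length, value, name
            detail = {"opcode": MSCHAPV2_OPCODES.get(body[0], f"opcode {body[0]}")}
            if body[0] in (1, 2) and len(body) >= 5:
                detail["name"] = body[5 + body[4]:].decode("ascii", "replace")
            msg["detail"] = detail
    return msg


def parse_log(text):
    """Extract and decode every EAP hex dump; reject dumps cut short by line wrap."""
    out = []
    for m in LINE_RE.finditer(text):
        raw = bytes.fromhex(m.group(3))
        if len(raw) != int(m.group(2)):
            raise ValueError("hex dump shorter than declared (wrapped line?)")
        out.append(decode_eap(m.group(1), raw))
    return out


def negotiation(msgs):
    """Summarise the server's first offer, the client's Nak, and the failed method."""
    requests = [m for m in msgs if m["from"] == "server"
                and m["code"] == "Request" and m["method"] != "Identity"]
    nak = next((m for m in msgs if m["method"] == "Nak"), None)
    failed = None
    if msgs and msgs[-1]["code"] == "Failure":
        # A Failure carries the Identifier of the exchange it ends (RFC 3748).
        failed = next((r["method"] for r in reversed(requests)
                       if r["id"] == msgs[-1]["id"]), None)
    return {"server_first_offer": requests[0]["method"] if requests else None,
            "client_wants": nak["detail"] if nak else [],
            "failed_method": failed}


if __name__ == "__main__":
    decoded = parse_log(LOG)
    for m in decoded:
        print(m)
    print(negotiation(decoded))
```

On these lines it reports that the RADIUS server first offered MD5-Challenge, the client answered with a Nak listing MSCHAPv2 and GTC, and the final Failure carries the identifier of the MSCHAPv2 challenge sent by `freeradius-3.2.7`.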
Hello @AEK ,
this is great advice, thank you so much.
I don't have the EMS version of FortiClient, so am I still able to modify the XML file as per this guide? https://docs.fortinet.com/document/forticlient/7.4.0/new-features/907253/eap-ttls-support-for-ipsec-...
I'm asking the person who manages the RADIUS (it is a Linux machine) if he can use MS-CHAPv2 instead of PAP.