FNBAM_DENIED

: The user authenticated successfully against a backend (like RADIUS or LDAP), but they do not belong to the specific user group allowed in the FortiGate policy.

It often appears in conjunction with EAP-MSCHAPv2 or EAP-TTLS errors, particularly when integrating FortiGate with third-party multi-factor authentication (MFA) tools like Duo or RADIUS servers.

Primary Causes of FNBAM_DENIED

FNBAM_DENIED stands for . It is a generic, yet critical, failure message in FortiOS, logged when the fnbamd process, which is responsible for handling user authentication (LDAP, RADIUS, Local), rejects the authentication request from a user attempting to connect to a VPN.

: Ensure the user is explicitly part of the group defined in config user group and that this group is referenced in your firewall policy.

This article provides a comprehensive guide to understanding why this error occurs, how to troubleshoot it, and the best practices to resolve it.

What is FNBAM_DENIED?

: If you are using SAML, use a guide like the FortiGate IPsec VPN with SAML to ensure your Assertion Attributes are mapped correctly to the FortiAuthenticator or other IdP.

However, if this error appears frequently for legitimate users, it indicates a "false positive"—a situation where security settings are too strict. This can lead to user frustration and increased support ticket volumes.