```
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable
```
When integrating with OTP/MFA systems, fnbamd often times out or receives a rejection because the OTP must be passed through a specific PAP/RADIUS request rather than CHAP. Use EAP-TTLS for RADIUS authentication.
The fnbamd process is overworked, leading to timeouts in high-traffic scenarios.

Troubleshooting Steps fnbam_denied
Disable "Enable Single Sign On (SSO) for VPN Tunnel" in the FortiClient settings.

Solution: Change EAP authentication to "Prompt on login".

Scenario C: FNBAMD Stalling (High Load)
Ensure that the user is part of the LDAP/RADIUS group defined in the set authusrgrp "radius_vpn" configuration.

Solutions to Common FNBAM_DENIED Scenarios

Scenario A: DUO MFA / RADIUS Problems

```
diagnose debug reset
diagnose debug application fnbamd -1
```
It often appears in conjunction with EAP-MSCHAPv2 or EAP-TTLS errors, particularly when integrating FortiGate with third-party multi-factor authentication (MFA) tools like DUO or RADIUS servers.

Primary Causes of FNBAM_DENIED
| Field | Value |
|--------|-------|
| | fnbam_denied |
| Timestamp | 2026-04-14T08:22:17Z |
| User ID | jdoe@company.com |
| Session ID | sess_9f3k2d1a |
| Source IP | 192.168.12.45 (Corporate LAN) |
| Resource Attempted | /api/v1/fnbam/mandate/approve/12345 |
| Required Permission | fnbam.mandate.approve |
| User’s Effective Role | Finance Analyst (Missing: Finance Approver role) |
| User Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0.0.0 |

The fnbamd process is overworked, leading to timeouts
Test the user credentials here to ensure the backend is working correctly.

3. Check Certificate Trust