Technical Tip: Dial-Up IPSec RA Authentication using FortiClient v7.4.4 and 2FA
Description: This article describes the compatibility between IKEv2 and two-factor authentication (2FA) when using IPSec.

Scope: FortiClient, FortiGate.

Solution: Starting from FortiClient version 7.4.4, the IKEv1 feature has been removed, and only IKEv2 is supported. When FortiClient IPSec VPN with the EAP-TTLS feature tries to connect to the tunnel, no FortiToken prompt appears: authentication occurs directly, without the second factor.

Note: The above behavior applies to all user types, whether local or LDAP.

In the fnbamd debug output, no two-factor (TFA) step is seen. Enable the debug as follows (replace <remote address> and <local address> with the FortiClient and FortiGate addresses):

```
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 <remote address>
diagnose vpn ike log filter loc-addr4 <local address>
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable
```

Output:

```
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 0x11C08EB7001, len=2616
```

If EAP-TTLS is disabled on FortiClient and EAP-MSCHAPv2 is used instead, a FortiToken prompt appears. After the token is entered, the connection is established. In this case, with the same debug commands enabled, the fnbamd and ike debug output shows 2FA=yes:

```
ike V=root:0:ipsec:3 EAP 1219920359431 result FNBAM_SUCCESS
```

Note: This behavior has been fixed in v7.4.9.

Conclusion: For v7.4.8 or earlier, if two-factor authentication is required, IKEv1 should be used. To enable IKEv2 with two-factor authentication, an upgrade to v7.4.9 or higher is necessary.
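The practical question for an administrator is whether a given dial-up login actually went through the second factor or came up on the first factor alone, as happens with EAP-TTLS on FortiClient 7.4.4 to 7.4.8. The script below is an added example (not Fortinet code, not part of this article) that scans a saved ike/fnbamd debug capture for the two result lines quoted above and for the 2FA=yes marker the article mentions. Assumptions are labelled in the code: the exact surrounding text of the 2FA marker is not shown in the article, so it is matched loosely, fnbamd "Sending result 0" is read as a completed authentication because that is what the article's successful EAP-TTLS case shows, and the sample captures are constructed from the article's lines plus a clearly marked stand-in line.

```python
"""Check a saved FortiGate ike/fnbamd debug capture for evidence that the
second factor was actually enforced on a dial-up IPsec (IKEv2 EAP) login.

Added example, not Fortinet code.  Assumptions are marked below."""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Both patterns are derived from the two debug lines quoted in the article.
IKE_EAP_RESULT_RE = re.compile(r"\bEAP \d+ result (\w+)")
FNBAMD_RESULT_RE = re.compile(r"fnbamd_comm_send_result-Sending result (\d+)")

# The article states the fnbamd/ike output shows "2FA=yes" when a FortiToken
# prompt occurred.  Its exact surrounding text is an assumption, so the
# marker is matched loosely (2FA/TFA/two-factor, '=' or ':', yes/true/1).
TWO_FACTOR_RE = re.compile(
    r"\b(?:2FA|TFA|two[_ -]?factor)\s*[=:]\s*(?:yes|true|1)\b", re.IGNORECASE
)


@dataclass
class Verdict:
    ike_eap_result: Optional[str]   # e.g. "FNBAM_SUCCESS"
    fnbamd_result: Optional[int]    # numeric code from fnbamd_comm_send_result
    two_factor_seen: bool

    @property
    def authenticated(self) -> bool:
        # The article's EAP-TTLS case shows "Sending result 0" and its
        # EAP-MSCHAPv2 case shows "result FNBAM_SUCCESS"; either is treated as
        # a completed authentication (assumption: fnbamd code 0 means success).
        return self.ike_eap_result == "FNBAM_SUCCESS" or self.fnbamd_result == 0

    @property
    def label(self) -> str:
        if not self.authenticated:
            return "not-authenticated"
        if self.two_factor_seen:
            return "authenticated-with-2fa"
        # The finding a defender cares about: the tunnel came up on the first
        # factor only, which is the FortiClient 7.4.4-7.4.8 EAP-TTLS behaviour.
        return "authenticated-without-2fa"


def classify(debug_output: str) -> Verdict:
    """Scan one debug capture (the text produced between 'diagnose debug
    enable' and the next 'diagnose debug reset') and summarise what it shows."""
    ike_result = None
    fnbamd_code = None
    two_factor = False
    for line in debug_output.splitlines():
        m = IKE_EAP_RESULT_RE.search(line)
        if m:
            ike_result = m.group(1)
        m = FNBAMD_RESULT_RE.search(line)
        if m:
            fnbamd_code = int(m.group(1))
        if TWO_FACTOR_RE.search(line):
            two_factor = True
    return Verdict(ike_result, fnbamd_code, two_factor)


# Constructed sample captures.  The fnbamd and ike lines are the ones quoted in
# the article; the "2FA=yes" line is a constructed stand-in for the marker the
# article says appears, not a verbatim FortiGate log line.
SAMPLE_EAP_TTLS = (
    "[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 0x11C08EB7001, len=2616\n"
)
SAMPLE_EAP_MSCHAPV2 = (
    "[241] 2FA=yes (constructed sample line)\n"
    "ike V=root:0:ipsec:3 EAP 1219920359431 result FNBAM_SUCCESS\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Classify a real capture saved from the FortiGate console.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(f"{sys.argv[1]}: {classify(fh.read()).label}")
    else:
        for name, capture in (("EAP-TTLS", SAMPLE_EAP_TTLS),
                              ("EAP-MSCHAPv2", SAMPLE_EAP_MSCHAPV2)):
            print(f"{name}: {classify(capture).label}")
```

Run it with no arguments to see the two constructed cases classified, or pass the path of a saved console capture. A verdict of authenticated-without-2fa on a tunnel whose user group is supposed to require FortiToken is the condition the article describes, and on FortiClient 7.4.8 or earlier the remediation is the one given in the conclusion above.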
