SAJUDIYA
Staff
October 23, 2025

Technical Tip: IKEv2 Dial-up IPsec VPN authenticating users through LDAP with EAP-TTLS do not receive token prompt on FortiClient


Description

This article describes an issue with IKEv2 dial-up IPsec VPN where users authenticated through LDAP/EAP-TTLS are not receiving a token prompt and are able to connect without a token.

Scope

FortiOS v7.4.

Solution

This issue can occur when a few key elements are in place:

  • IKEv2 dial-up tunnel.

  • Authentication is performed through LDAP with EAP-TTLS.

  • An email token or a FortiToken associated with the connecting users.

An example configuration is provided below:

config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 10.212.50.200
        set ipv4-end-ip 10.212.50.250
    next
end

config firewall policy
    edit 314
        set name "vpn_test_remote_0"
        set srcintf "test"
        set dstintf "a"
        set action accept
        set srcaddr "test_range"
        set dstaddr "dst_range"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set user test
    next
end

config user local
    edit "test"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB03xxxxx"
        set email-to xxx
        set username-sensitivity disable
    next
end


To troubleshoot, run the following debug commands and look for the message 'Token push is skipped, waiting for an auth_token request instead' in the output:

diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable

[575] __group_match-Group 'test' passed group matching
[578] __group_match-Add matched group 'test'(17)
[206] find_matched_usr_grps-Passed group matching
[913] update_auth_token_session-Token is needed
[923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead

[239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 10630107074583, len=2641
wpad_fnbam_read() -- got response
process_auth_result 807 -- ses_id=10630107074583, currentMethod=21, auth_res=7.
process_auth_result() -- tfa is required, request 10630107074583
process_auth_result 825 -- ftm push required
eap_comm_send_auth_result 282 rsp len:904
ep_auth_session_del 151 -- auth session deleted, ses_id=10630107074583
1752595585.761177: eap_comm_client_read:670, type:0, size:904

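The debug lines above can be correlated per request to confirm whether a connection was admitted without the token step ever completing. The script below is an added example, not Fortinet tooling: it parses saved `fnbamd`/`ike` debug output for the message sequence shown in this article (token needed, push skipped, TFA required, auth session deleted) and reports the affected request IDs. The sample excerpt embedded in it is constructed to mirror the output above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the fnbamd/ike debug output in this article.
SAMPLE_DEBUG = """\
[913] update_auth_token_session-Token is needed
[923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
[239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 10630107074583, len=2641
process_auth_result 807 -- ses_id=10630107074583, currentMethod=21, auth_res=7.
process_auth_result() -- tfa is required, request 10630107074583
process_auth_result 825 -- ftm push required
ep_auth_session_del 151 -- auth session deleted, ses_id=10630107074583
"""

RESULT_RE = re.compile(r"Sending result (\d+) .* for req (\d+)")
TFA_RE = re.compile(r"tfa is required, request (\d+)")
DELETED_RE = re.compile(r"auth session deleted, ses_id=(\d+)")

@dataclass
class Session:
    req_id: str
    result: Optional[int] = None
    token_needed: bool = False
    push_skipped: bool = False
    tfa_required: bool = False
    session_deleted: bool = False

    @property
    def token_prompt_bypassed(self) -> bool:
        # The article's symptom: a token is required, the push is skipped while
        # waiting for an auth_token request, and the session is torn down anyway.
        return (self.token_needed and self.push_skipped
                and self.tfa_required and self.session_deleted)

def parse_debug(text: str) -> dict[str, Session]:
    """Group the debug messages by request ID (fnbamd lines that precede the
    'Sending result' line carry no ID, so they are held until it appears)."""
    sessions: dict[str, Session] = {}
    needed = skipped = False
    for line in text.splitlines():
        if "Token is needed" in line:
            needed = True
        elif "Token push is skipped" in line:
            skipped = True
        elif m := RESULT_RE.search(line):
            s = sessions.setdefault(m.group(2), Session(m.group(2)))
            s.result, s.token_needed, s.push_skipped = int(m.group(1)), needed, skipped
            needed = skipped = False
        elif m := TFA_RE.search(line):
            sessions.setdefault(m.group(1), Session(m.group(1))).tfa_required = True
        elif m := DELETED_RE.search(line):
            sessions.setdefault(m.group(1), Session(m.group(1))).session_deleted = True
    return sessions

def bypassed_requests(text: str) -> list[str]:
    """Request IDs that matched the full 'token skipped' sequence."""
    return [r for r, s in parse_debug(text).items() if s.token_prompt_bypassed]

if __name__ == "__main__":
    print("Requests admitted without a token prompt:", bypassed_requests(SAMPLE_DEBUG))
```

Run it against the captured output of the three debug commands; any request ID it reports should be cross-checked against the user's connection log to confirm the tunnel came up without a token being entered.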

To address this problem, EAP-TTLS token support was added in FortiOS 7.4.9 and 7.6.1, together with FortiClient 7.4.4 and later versions.

A workaround on FortiOS/FortiClient versions that do not include this enhancement for EAP-TTLS is to use EAP-MSCHAPV2 instead of EAP-TTLS in the LDAP server configuration, which allows the token prompt to be shown; alternatively, use IKEv1.


Notes: