Technical Tip: No RADIUS Accounting packets for 'Remote RADIUS Users' when using IKEv2

FortiGate configuration.

RADIUS configuration:

config user radius
    edit "radius01"
        set server "10.191.35.53"
        set secret ENC Mtszg/WNl4o42nv91lK1T67G7rsV...
        set timeout 30
        set all-usergroup enable
        set acct-interim-interval 600
        set auth-type ms_chap_v2
        set require-message-authenticator disable
        set acct-all-servers enable
            config accounting-server
                edit 1
                    set status enable
                    set server "10.191.35.53"
                    set secret ENC QCGWtky/imJrKXLdksRFTKl3fhIi97y...
                    set port 1813
                next
            end
    next
end

Remote RADIUS User:

config user local
    edit "tobias.ahlfors"
        set type radius
        set two-factor fortitoken
        set fortitoken "FTKMOB028CA23F11"
        set radius-server "radius01"
    next
end

RADIUS User.
Username: normal.user.

Group for testing with Remote RADIUS User:

config user group
    edit "ipsec-vpn-admin"
        set member "tobias.ahlfors"
    next
end

Group for testing with RADIUS User:

config user group
    edit "ipsec-vpn-admin"
        set member "radius01"
    next
end

A capture on both scenarios shows that RADIUS Accounting packets are not being sent for the case when a Remote RADIUS user is being used.

RADIUS User: normal.user.

Remote RADIUS User: tobias.ahlfors.

Note: This is currently under investigation, and there is no fix available yet.

This only affects IKEv2 with Remote RADIUS User, on IKEv1, there is no issue, so a possible workaround is to use IKEv1 if FortiToken is mandatory.

Related article:

Technical Tip: Configure Fortinet Single Sign On (FSSO) for Dialup IPsec VPN users via Radius-Accounting
Technical Tip: A guide to Dial-Up IPSec VPN Authentication and Policy Matching