ikoimecs
New Member
May 21, 2025
Question

Duplicate FortiToken Mobile push notifications when using IPSec with Radius authentication.


Hi,

 

We are migrating our SSL VPN to IPSec VPN (IKEv2), so we are moving the users from LDAP (AD) to RADIUS (NPS).

 

Users can use SSL and IPSec simultaneously, which is great. But we faced an issue with duplicate push notifications when using FortiToken Mobile in conjunction with RADIUS authentication. If the same user connects to SSL VPN, he/she only gets one push notification; if the user is Local (without RADIUS or LDAP), he/she also gets only one push notification. So, the issue occurs only when using RADIUS authentication.

 

The ftm-push debug shows duplicate FTM messages in the case of RADIUS (identical, with the same token and reg_id); in other cases there is only one FTM message.

 

What could be the issue and possible solutions?

 

FortiGate-70F, FortiOS v7.2.11.

 

===user config===
config user local
    edit "user"
        set type radius
        set two-factor fortitoken
        set fortitoken "FTKMOB***"
        set email-to "***"
        set radius-server "dc1-radius-new"
    next
end
===radius config===
config user radius
    edit "dc1-radius-new"
        set server "x.x.x.x"
        set secret ENC ***
        set auth-type ms_chap_v2
        set password-renewal disable
    next
end
===ipsec config===
config vpn ipsec phase1-interface
    edit "ipsec-02"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 x.x.x.x
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 21 20
        set eap enable
        set eap-identity send-request
        set peerid "***"
        set ipv4-start-ip x.x.x.x
        set ipv4-end-ip x.x.x.x
        set ipv4-netmask x.x.x.x
        set ipv4-split-include "***"
        set psksecret ENC ***
    next
end
===

 

1 reply

AEK
SuperUser
May 21, 2025

Hi

I think your case has some relationship with this one.

https://community.fortinet.com/t5/Support-Forum/external-2FA-for-ftgt-ssl-vpn/m-p/346446

You should read this tech tip as well.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authentication/ta-p/202041

If it is not the case then I believe at least it should be a potential entry point to the solution.

AEK