Elton
New Member
March 10, 2026
Question

IKEv2 Remote Access VPN – “Wrong EAP Credentials” with FortiAuthenticator + OTP

  • March 10, 2026
  • 3 replies
  • 1337 views

Hello,

I currently have SSL VPN active and I want to switch to IPsec VPN (IKEv2 Remote Access).

Environment:

FortiGate model: FG-101F
FortiOS version: 7.4.11
VPN type: IKEv2 IPsec Remote Access
Authentication: FortiAuthenticator 6.5.6 build 1391 (GA) with OTP
Directory: LDAP users and groups from Active Directory
Client: FortiClient 7.4.3 Hotfix 1 (7.4.3.8758)

I am configuring an IKEv2 IPsec remote access VPN that authenticates users via FortiAuthenticator using LDAP credentials and OTP.

The VPN connection is not successfully established from FortiClient.

Phase 1 (SA_INIT) completes successfully, but the connection fails during user authentication (EAP phase).

FortiClient shows the following error:
Wrong EAP credentials

Has anyone encountered this issue when using IKEv2 with EAP authentication and FortiAuthenticator OTP?

Any suggestions or troubleshooting steps would be appreciated.

Thank you.

3 replies

Elton
Author
New Member
March 11, 2026

Thanks Funkylicious for the reply.

I checked the configuration between FortiClient, FortiGate, and FortiAuthenticator and everything seems correct. However, I now get a different error.

In FortiAuthenticator logs I see:

1. EAP session start from 188.xxx.xxx.xxx
2. Remote LDAP user authentication from 188.xxx.xxx.xxx (mschap) with FortiToken failed: invalid password

The user exists in LDAP/AD and the password is correct.

Has anyone experienced this issue or knows what could cause the "invalid password" error when using MSCHAP with FortiToken?

Any help would be appreciated.

ezhupa
Staff
March 11, 2026

Hello Elton,

Can you test the same connection with IKEv1 and see if the connection establishes?
If it works with IKEv1, you might be running into the same situation as described in the article below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-dial-up-VPN-with-LDAP-authentication/ta-p/394380

Hope this helps!
Enea

Elton
Author
New Member
March 12, 2026

Hello Enea,

Thanks for the reply.

In IKEv1, XAuth works fine. In IKEv2 with EAP-MSCHAPv2, I have problems with authentication between FortiAuthenticator and AD. I also read the article you sent me, but I have a problem here, because there are 300 users in remote VPN with token and I can't make password changes in AD for each user. The article says to use EAP-TTLS, but I still encounter the same problem; it seems to have changed in FortiClient 7.4.3 free XML. I currently have SSL VPN active for these users and it works fine, and I want to switch to IPsec Remote IKEv2.

pedroso90
New Member
March 26, 2026

Sup guys!!

I have the same error. Before I updated my firewall to 7.4.9, my VPN dial-up + IKEv2 + LDAP + FortiToken was working fine.

Now it's broken. I have many FW groups; when I select only one group, "set authusrgrp FW.TEST", the VPN works fine.

@Elton, try to set only one group. For me it works fine, but I need it to work with many groups.

Tks