FortiNet_Newb
New Member
September 9, 2025
Solved

IPsec IKEv2 VPN with LDAP username/password, computer certificate, and MFA

  • September 9, 2025
  • 5 replies
  • 8516 views

We currently have a dial-up SSL VPN configuration that requires a user to connect using both their Windows AD (LDAP) credentials AND a local computer certificate issued from our internal Windows CA.  On top of that, we use FortiToken with push notifications for MFA on the LDAP user accounts.

 

With the recent push to migrate away from SSL VPN and switch over to using IPsec IKEv2 VPNs instead, I have not been able get the same requirements to work via IPsec.

 

Our setup includes:

  • FortiOS – 7.4.8
  • FortiEMS – 7.4.3
  • FortiClient – 7.4.3
  • FortiToken Subscription (not cloud)
  • Windows NPS for RADIUS (not FAC)

 

Is this even possible with the above?  Seems like it is supported, but I cannot get it to work with NPS.

 

According to the article below, I should be able to get FortiToken MFA push notifications working using local RADIUS user accounts:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-Dialup-IPsec-tunnel-with-RADIUS-and/ta-p/220818 

…but as soon as I enable FortiToken on a RADIUS user account, NPS fails authentication (error code 16).  If I don't enable FortiToken, simple RADIUS user authentication works fine.

 

If I try to leave out the MFA requirement, I can’t seem to get the right combination of settings on the IPsec Tunnel and in FortiClient (using EMS) to require both a username/password AND a local computer certificate to authenticate successfully using NPS.  I can get one or the other working.

 

Any guidance would be appreciated.

 

Thanks!

Best answer by FortiNet_Newb

I don't think that was the issue that was causing our problem, because the certificate re-import workaround didn't make any difference in our case.

 

However, I am happy to report that the recently released FortiClient v7.4.5 did resolve our issue with machine certs.

5 replies

kcheng
Staff & Editor
September 10, 2025

Hi @FortiNet_Newb 

 

You might want to check out the following article to see if it matches the issue that you are facing:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Multi-Factor-Authentication-support-for-Windows/ta-p/407272

FortiNet_Newb
New Member
September 10, 2025

According to the article, "However, as of now, the FortiToken (MFA) is not supported on Windows FortiClient with LDAP (EAP-TTLS)."

 

So I take this to mean that using a FortiGate user account of type "LDAP" with FortiToken MFA is not yet possible when using IPsec IKEv2.

 

This indeed appears to be the case, so it looks like the only available option for IPsec IKEv2 with FortiToken MFA and Windows AD accounts is to use a user account type of "RADIUS" which is the path I'm trying to go down.

tbarua
Staff
September 12, 2025

Hi @FortiNet_Newb

 

Yes, you are correct; as of now, Windows FCT 7.4.3 does not support IPsec IKEv2 EAP-TTLS 2FA. The issue has already been reported as known issue 1031789.

 

 

tbarua
Staff
September 10, 2025

Hi FortiNet_Newb,

As per your description, it should be supported. Please run the following commands on the FGT and reproduce the issue:

    diag debug reset
    diag debug console timestamp enable
    diag debug app fnbamd -1
    diag debug app ike -1
    diagnose vpn ike log filter rem-addr4 x.x.x.x     # x.x.x.x = the client's public IP
    diag debug enable

 

FortiNet_Newb
New Member
September 10, 2025

A little progress this morning...

 

I was able to finally get FortiToken MFA to work on a FG RADIUS user account.  

 

As I mentioned in my original post, when I followed these instructions (https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-Dialup-IPsec-tunnel-with-RADIUS-and/ta-p/220818), my Windows NPS was rejecting the authorization.

 

I found what was causing the issue in our environment.  We apply Microsoft's Security Baseline GPOs to our servers.  One of the MS security baseline GPOs sets the LmCompatibilityLevel to 5, which causes our servers to refuse LM and NTLM authentication responses and allows only NTLMv2 responses.  Because the NPS server only accepts NTLMv2 with that GPO applied, the MS-CHAP-v2 request from the FortiGate was being denied.

 

As soon as I applied the registry workaround found here, the FortiToken MFA with FortiGate RADIUS user authentication started working immediately.  I'm not sure how secure this is, so I have removed the workaround for now and am looking for alternative solutions.
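A triage check for the condition described in this reply, added here as an example; it is not from the thread, from Fortinet, or from Microsoft. Run on the Windows NPS server, it reads the LSA LmCompatibilityLevel value and counts recent NPS denial events (ID 6273) whose reason code is 16, the code reported above. The registry path and event ID are the standard Windows ones; the 24-hour lookback window is an assumed parameter.

```powershell
# Added example (not from the thread): check whether the LmCompatibilityLevel baseline
# setting on the NPS server lines up with MS-CHAPv2 RADIUS denials (reason code 16).

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LmCompatibilityLevel value.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # An absent value means the OS default applies (3 on current Windows Server releases).
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.LmCompatibilityLevel
}

function Get-NpsCredentialMismatchDenials {
    param([int]$LookbackHours = 24)   # assumed window; adjust to taste
    $since = (Get-Date).AddHours(-$LookbackHours)
    # Event 6273 = "Network Policy Server denied access to a user". Its message body
    # carries a "Reason Code:" field; code 16 = user credentials mismatch.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    return @($events | Where-Object { $_.Message -match 'Reason Code:\s*16\b' })
}

$level = Get-LmCompatibilityLevel
Write-Host ("LmCompatibilityLevel = {0} ({1})" -f $level, $LevelMeaning[$level])

$mismatches = Get-NpsCredentialMismatchDenials -LookbackHours 24
Write-Host ("NPS reason-code-16 denials in the last 24h: {0}" -f $mismatches.Count)

if ($level -ge 5 -and $mismatches.Count -gt 0) {
    # This is the combination described in the thread: the baseline refuses NTLM responses,
    # so MS-CHAPv2 requests relayed by the FortiGate are denied as credential mismatches.
    Write-Warning 'LmCompatibilityLevel 5 plus reason-code-16 denials matches the MS-CHAPv2/NPS symptom.'
    $mismatches | Select-Object TimeCreated, Id | Format-Table -AutoSize
}
```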

 

MZBZ
Staff
September 13, 2025
FortiNet_Newb
New Member
October 22, 2025

OK, with FortiClient 7.4.4, using IPsec IKEv2 I am now able to require a VPN user:

  • to have a user certificate issued from our internal Windows CA,
  • still prompt them to supply their current Windows AD credentials, and
  • accept a FortiToken MFA push request

However, I still cannot get this to work when using machine certificates instead (not user certificates).  All of our machines have machine certs issued by our internal Windows CA.  These machine certificates currently work great with our SSL VPN connection, and allow our users to connect to the VPN pre-logon when needed.

Does anyone have an example configuration that allows the use of local machine (NOT user) certificates to authenticate and still require username/password and FortiToken MFA?

Matt_B
Staff & Editor
December 9, 2025

If it works for SSL VPN, this suggests FortiClient itself has the required permissions to access the cert. For IPsec, ensure <run_fcauth_system> is enabled for the VPN connection profile. It is disabled by default.
https://docs.fortinet.com/document/forticlient/7.4.4/xml-reference-guide/96295

Is it a bug, is it a feature? It's... not in spec!
FortiNet_Newb
New Member
December 10, 2025

@Matt_B 

<run_fcauth_system> is enabled in the VPN connection profile.

 

See my other thread: Solved: IPsec IKEv2 Dialup using LDAP Machine Cert authent... - Fortinet Community

 

I have determined that there is an issue with FortiClient 7.4.4 regarding the use of machine certificates in general for IPsec IKEv2.  I am able to successfully use machine certificates (with no other changes) if I downgrade to FortiClient 7.4.3. However, I need the new authentication features that were added in 7.4.4 to get to my desired state.  Hoping the Machine cert issue is ironed out in the next FC release.