limbaev
Visitor III
October 12, 2025
Question

ipsec with fortiauthenticator sms

  • October 12, 2025
  • 2 replies
  • 963 views

Hello, is there a way to make this work: IPsec with FortiAuthenticator user + SMS?
Only the user part works through FortiAuthenticator, but SMS does not; in SSL VPN everything works fine with SMS.
Without FortiToken or cloud.

2 replies

AEK
SuperUser
October 12, 2025

Hi

What do you see in FAC auth logs?

Can you also try with mail OTP, just to see if it works.

On the other hand, be aware that the SMS token is no longer recommended (for security reasons).

AEK
limbaev (Author)
Visitor III
October 12, 2025

ID 2524767 | EAP Authentication Start — EAP session start from [MyIP]
ID 2524768 | Authentication Partially OK — “expecting SMS token”
ID 2524769 | 802.1x Authentication Failed
ID 2524770 | EAP-GTC login failed by [MyUsername] from [MyIP]


What this indicates:

  • The user’s credentials (LDAP) are validated (“Partially OK”)

  • FAC issues an SMS token challenge

  • But the login ultimately fails (EAP-GTC failure) — meaning the client either did not respond or the response was rejected

In FortiGate debug (fnbamd / RADIUS flow):

  • I see "Sent radius req to server 'FSA'", i.e. the Access-Request is being forwarded

  • I see RADIUS resp code 11 (challenge) and later RADIUS resp code 3 (reject)

  • FortiGate logs: EAP failed for user "Username"

So the flow is working to the point of challenge/response. The failure is in the response — the token response is not being accepted or returned.

What I’ve verified / tried:

  • I enabled the setting in FAC to allow SMS fallback / challenge

  • The user’s mobile number is set

  • Without SMS (i.e. token disabled) the VPN connects fine

  • But with SMS challenge, the login fails


AEK
SuperUser
October 12, 2025

As part of troubleshooting can you try mail OTP?

AEK
AEK
SuperUser
October 13, 2025

Hi Limbaev

Do you have multiple authentication servers configured on the FGT? And is the user "MyUsername" defined on more than one authentication server? In that case, probably another authentication server responded to the authentication request before the FAC's RADIUS server.

This is because the FGT sends the auth request to all the configured auth servers, and the first one that responds is the one considered.

AEK
limbaev (Author)
Visitor III
October 13, 2025

No, only one, and I shared the logs from FortiAuthenticator that show the connection.