FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
tbarua
Staff
Article Id 415294
Description

This article describes how to resolve the error 'EAP authentication failed due to missing token', which appears when EAP-TTLS/PAP is used together with two-factor authentication on FortiAuthenticator.
Scope

FortiAuthenticator v6.6.3+, FortiGate, FortiClient.
Solution

FortiClient added support for EAP-TTLS in IPsec VPN in firmware version 7.4.3. FortiAuthenticator, acting as the RADIUS server, supports EAP-TTLS with PAP as the inner method for IPsec IKEv2 tunnels.
The FortiClient documentation explains how to enable EAP-TTLS for EMS-managed FortiClients here: EAP-TTLS support for IPsec VPN.

For unlicensed (VPN-only) FortiClients, EAP-TTLS can be enabled by manually editing the configuration file, as described in: Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicenced) FortiClient.
However, when EAP-TTLS/PAP is combined with two-factor authentication and FortiAuthenticator is the RADIUS server, the error 'EAP authentication failed due to missing token' may appear in the FortiAuthenticator RADIUS debug log. Note the sequence: the LDAP password is accepted, FortiAuthenticator then waits for a FortiToken that never arrives, and the EAP-TTLS inner tunnel returns an Access-Reject. For instance:
(23) facauth: wad authenticate binding successful
(23) facauth: Remote LDAP user password authenticated
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10~11.11.11.100: Remote LDAP administrator authentication partially done, expecting FortiToken <-------------------
(23) facauth: EAP authentication failed due to missing token. <------------
(23) # Executing group from file /usr/etc/raddb/sites-enabled/inner-tunnel
(23) } # server inner-tunnel
(23) Virtual server sending reply
(23) Message-Authenticator := 0x00
(23) eap_ttls: Got tunneled Access-Reject
(23) # Executing group from file /usr/etc/raddb/sites-enabled/default
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10: 802.1x authentication failed

Additionally, no token prompt is displayed in FortiClient during authentication, and the attempt fails with the following message in FortiClient:

[Image: EAP_failure.png]

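As an added example (not part of the original article), the following Python snippet triages FortiAuthenticator RADIUS debug output for this specific failure: it groups lines by the leading request id, and flags a request only when the password phase completed ('partially done, expecting FortiToken') and the inner tunnel then rejected with 'EAP authentication failed due to missing token'. The sample input reuses the request-23 lines shown above; the request-24 lines are constructed as a negative case and are not real FortiAuthenticator messages. The record field names are my own.

```python
import re
from collections import defaultdict

# Sample input: the request-23 lines from the article, plus a constructed
# request 24 (NOT a FortiAuthenticator message) added only as a negative case.
SAMPLE_LOG = """\
(23) facauth: wad authenticate binding successful
(23) facauth: Remote LDAP user password authenticated
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10~11.11.11.100: Remote LDAP administrator authentication partially done, expecting FortiToken
(23) facauth: EAP authentication failed due to missing token.
(23) # Executing group from file /usr/etc/raddb/sites-enabled/inner-tunnel
(23) } # server inner-tunnel
(23) Virtual server sending reply
(23) Message-Authenticator := 0x00
(23) eap_ttls: Got tunneled Access-Reject
(23) # Executing group from file /usr/etc/raddb/sites-enabled/default
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10: 802.1x authentication failed
(24) facauth: Remote LDAP user password authenticated
(24) facauth: constructed example line: request 24 finished without a token error
"""

REQ_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
AUTHLOG_RE = re.compile(
    r"facauth: Updated auth log '(?P<user>[^']+)' for attempt from (?P<src>\S+?):\s*(?P<status>.*)$"
)
EXPECTING = "expecting FortiToken"
MISSING = "EAP authentication failed due to missing token"
TTLS_REJECT = "eap_ttls: Got tunneled Access-Reject"


def group_by_request(lines):
    """Group debug lines by the leading '(N)' request id; lines without one are dropped."""
    reqs = defaultdict(list)
    for line in lines:
        m = REQ_RE.match(line.strip())
        if m:
            reqs[int(m.group(1))].append(m.group(2))
    return reqs


def find_missing_token_failures(lines):
    """Return one record per request that hit the 'missing token' failure.

    A request is flagged only when both conditions are seen: the password
    phase finished ('expecting FortiToken') AND the inner tunnel rejected
    for lack of a token. Either alone is not this specific failure.
    """
    hits = []
    for rid, msgs in sorted(group_by_request(lines).items()):
        user = src = None
        expecting = missing = ttls = False
        for msg in msgs:
            m = AUTHLOG_RE.search(msg)
            if m:
                user = m.group("user")
                src = m.group("src")
                expecting |= EXPECTING in m.group("status")
            missing |= MISSING in msg
            ttls |= TTLS_REJECT in msg
        if expecting and missing:
            hits.append({"request": rid, "user": user, "from": src, "eap_ttls": ttls})
    return hits


if __name__ == "__main__":
    for hit in find_missing_token_failures(SAMPLE_LOG.splitlines()):
        print(f"request {hit['request']}: user {hit['user']} from {hit['from']} "
              f"rejected for missing token (inside EAP-TTLS: {hit['eap_ttls']}) "
              f"-> advise password+token concatenation")
```

Feed it the output of the RADIUS debug log (one line per record) to list the users who are entering only their password; those are the users to instruct about the concatenated format described below.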
Note that FortiAuthenticator does not currently support challenge-based (Access-Challenge) two-factor authentication inside EAP-TTLS: once the inner PAP password has been verified, it has no way to prompt the client for the token, so the inner tunnel returns an Access-Reject and FortiClient never shows a token prompt.

Therefore, the user must use a concatenated token for EAP-TTLS 2FA, i.e. the password immediately followed by the token code in the Password field. For a password of p@ssw0rd and a token code of 345678, the value entered is p@ssw0rd345678.

 

In summary, the user enters their username in the Username field and the concatenated password + token in the Password field. The concatenated value is carried as the PAP password inside the TLS-protected EAP-TTLS tunnel, so it is not exposed on the wire; because the token code changes with every use, it cannot be stored as a saved password and must be typed in for each connection attempt.
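The following Python model, added here as an illustration and not FortiAuthenticator's own code, shows why concatenation works where a challenge cannot: the inner PAP User-Password is a single string, so the only way to carry the token without a second round trip is to append it. The model uses RFC 6238 TOTP (HMAC-SHA1, 6 digits) as a stand-in for the FortiToken algorithm and a fixed 6-digit split, both assumptions; the user record and secret are constructed test data.

```python
import hashlib
import hmac
import struct

TOKEN_DIGITS = 6  # assumption: a fixed-length numeric token code appended to the password
MISSING_TOKEN = "EAP authentication failed due to missing token"


def totp(secret: bytes, unix_time: int, digits: int = TOKEN_DIGITS, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; a stand-in for the token algorithm (assumption)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_concatenated(password_field: str, digits: int = TOKEN_DIGITS):
    """Split 'p@ssw0rd345678' into ('p@ssw0rd', '345678'); None if no trailing code."""
    if len(password_field) <= digits or not password_field[-digits:].isdigit():
        return None
    return password_field[:-digits], password_field[-digits:]


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison for secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


def inner_pap_auth(username, password_field, users, unix_time, challenge_capable=False):
    """Model of the inner-tunnel decision for one PAP User-Name/User-Password pair.

    users: {username: {"password": str, "token_secret": bytes}} (constructed data).
    challenge_capable=False models EAP-TTLS, where the inner tunnel cannot send an
    Access-Challenge back to the client to ask for the token.
    """
    rec = users.get(username)
    if rec is None:
        return ("Access-Reject", "unknown user")

    # Path 1: concatenated token. Try the split first, so a password that itself
    # ends in digits still works when a token is appended to it.
    parts = split_concatenated(password_field)
    if parts:
        pw, code = parts
        if _eq(pw, rec["password"]) and _eq(code, totp(rec["token_secret"], unix_time)):
            return ("Access-Accept", "password and token verified")

    # Path 2: bare password, correct, but no token. This is the article's failure.
    if _eq(password_field, rec["password"]):
        if challenge_capable:
            return ("Access-Challenge", "authentication partially done, expecting FortiToken")
        return ("Access-Reject", MISSING_TOKEN)

    return ("Access-Reject", "bad credentials")


if __name__ == "__main__":
    users = {"abc@support": {"password": "p@ssw0rd", "token_secret": b"12345678901234567890"}}
    now = 1_700_000_000
    code = totp(users["abc@support"]["token_secret"], now)
    print(inner_pap_auth("abc@support", "p@ssw0rd", users, now))         # rejected: missing token
    print(inner_pap_auth("abc@support", "p@ssw0rd" + code, users, now))  # accepted
```

The two calls at the end reproduce the article's two cases: the bare password is rejected with the 'missing token' message because the EAP-TTLS inner tunnel cannot challenge, while the same password with the current code appended is accepted.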