Created on 10-16-2025 06:51 AM, edited on 11-24-2025 02:47 AM, by Jean-Philippe_P
This article describes how to resolve 'EAP authentication failed due to missing token' while using EAP-TTLS/PAP + two-factor authentication in FortiAuthenticator.
Applies to FortiAuthenticator v6.6.3+, FortiGate, FortiClient.
FortiClient added support for EAP-TTLS in IPSec VPN starting in version 7.4.3. FortiAuthenticator as a RADIUS server supports EAP-TTLS with PAP while using IPSec IKEv2 tunnel.
Enabling EAP-TTLS:
The FortiClient documentation provides instructions on enabling EAP-TTLS support for EMS-managed FortiClients here: EAP-TTLS support for IPsec VPN.
For unlicensed FortiClients, EAP-TTLS can be enabled by manually editing the configuration file, as described in: Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient.
On FortiAuthenticator, allowed EAP types are configured in Authentication -> RADIUS Service -> Policies, see FortiAuthenticator v6.6.7 Administration Guide | RADIUS Policies. Note that when using FortiAuthenticator as a RADIUS server, the EAP-TTLS authentication tunnel from FortiClient terminates on FortiAuthenticator and not on FortiOS. For more details, see this article: Technical Tip: FortiOS IKEv2 EAP user authentication operation.
However, when using EAP-TTLS/PAP + two-factor authentication and FortiAuthenticator as the RADIUS server, the error 'EAP authentication failed due to missing token' may appear in FortiAuthenticator RADIUS logs. For instance:
(23) facauth: wad authenticate binding successful
(23) facauth: Remote LDAP user password authenticated
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10~11.11.11.100: Remote LDAP administrator authentication partially done, expecting FortiToken <-------------------
(23) facauth: EAP authentication failed due to missing token. <------------
(23) # Executing group from file /usr/etc/raddb/sites-enabled/inner-tunnel
(23) } # server inner-tunnel
(23) Virtual server sending reply
(23) Message-Authenticator := 0x00
(23) eap_ttls: Got tunneled Access-Reject
(23) # Executing group from file /usr/etc/raddb/sites-enabled/default
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10: 802.1x authentication failed
Additionally, no token prompt is displayed in FortiClient during the authentication process, and the authentication attempt fails with the following message in FortiClient:
As of November 2025, no FortiAuthenticator version supports challenge-based EAP-TTLS 2FA.
As a workaround, the user must use a concatenated token for EAP-TTLS 2FA: the password immediately followed by the token code, entered as a single string. For example, password p@ssw0rd and token 345678 are entered as p@ssw0rd345678.
In summary, if an LDAP user has 2FA enabled on FortiAuthenticator and is connecting to IKEv2 VPN, they must enter their username in the Username field and the password + token in the Password field.
Note:
Since an email or SMS token can only be received after entering the username and password, token concatenation for EAP-TTLS does not work with either SMS or Email as a two-factor method. This also applies to FortiIdentity Cloud (formerly FortiTokenCloud) if it uses SMS or Email as a two-factor method.
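As an added example that is not part of the Fortinet article, the following Python script correlates FortiAuthenticator RADIUS debug lines by request id and reports the 2FA users whose EAP-TTLS/PAP attempt reached 'expecting FortiToken' and then failed with the missing-token error, i.e. the accounts that need the password + token workaround. The log text is constructed from the lines quoted above plus one successful request; the message strings and the '(N)' request-id prefix are assumed to be as shown in the article.

```python
import re
from collections import defaultdict

# Constructed sample: the RADIUS debug lines from the article plus a request that succeeds.
SAMPLE_LOG = """\
(23) facauth: wad authenticate binding successful
(23) facauth: Remote LDAP user password authenticated
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10~11.11.11.100: Remote LDAP administrator authentication partially done, expecting FortiToken
(23) facauth: EAP authentication failed due to missing token.
(23) eap_ttls: Got tunneled Access-Reject
(23) facauth: Updated auth log 'abc@support' for attempt from 10.10.10.10: 802.1x authentication failed
(24) facauth: Remote LDAP user password authenticated
(24) facauth: Updated auth log 'def@support' for attempt from 10.10.10.11: Remote LDAP user authentication successful
"""

LINE_RE = re.compile(r"^\((?P<req>\d+)\)\s+(?P<msg>.*)$")
AUTHLOG_RE = re.compile(r"Updated auth log '(?P<user>[^']+)' for attempt from (?P<src>\S+?):")
EXPECTING_TOKEN = "expecting FortiToken"
MISSING_TOKEN = "EAP authentication failed due to missing token"


def find_missing_token_failures(log_text):
    """Group debug lines by RADIUS request id and return one record per request
    that first reached the 'expecting FortiToken' state and then failed with the
    missing-token error. Only that sequence is reported, so a missing-token line
    without the preceding partial-success state is not counted."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            by_request[match.group("req")].append(match.group("msg"))

    hits = []
    for req, msgs in by_request.items():
        user = src = None
        waiting_for_token = False
        for msg in msgs:
            auth = AUTHLOG_RE.search(msg)
            if auth:  # remember who and from where, as logged by facauth
                user, src = auth.group("user"), auth.group("src")
            if EXPECTING_TOKEN in msg:
                waiting_for_token = True
            elif MISSING_TOKEN in msg and waiting_for_token:
                hits.append({"request": req, "user": user, "source": src,
                             "action": "2FA user must enter password+token in the Password field"})
                break
    return hits


if __name__ == "__main__":
    for hit in find_missing_token_failures(SAMPLE_LOG):
        print(hit)
```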
Copyright 2025 Fortinet, Inc. All Rights Reserved.