FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Article Id 418087
Description This article explains why local users with the 'Administrator' role fail to authenticate on FortiAuthenticator.
Scope FortiAuthenticator.
Solution

In this scenario, FortiAuthenticator is the RADIUS server for a FortiGate that provides dialup IPsec VPN with IKEv2 for the users.

For FortiGate configuration, refer to the following KB articles:

Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2


The VPN login is created on FortiAuthenticator as a Local User with the 'Administrator' role.

Upon connecting to the VPN, FortiClient displays the error message 'EAPPasswordError'. The FortiAuthenticator debug log shows the following errors:

2025-11-06T12:14:09.824668-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: Local user found: test.ipsec
2025-11-06T12:14:09.824684-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2025-11-06T12:14:09.824688-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: Policy [fido_auth_opt: disabled, twofactor: force both, no_fido: two factor, revoked: reject]
2025-11-06T12:14:09.824692-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: Decided on [is_fido: false, two_factor: force both, token_type: Fortitoken]
2025-11-06T12:14:09.825065-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: ERROR: ERROR: local user 'test.ipsec' auth require "User-Password" (pap)
2025-11-06T12:14:09.825086-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: Authentication failed
2025-11-06T12:14:09.825882-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: update_fac_authlog:164 nas_str = 172.30.0.25~192.168.194.200.
2025-11-06T12:14:09.825923-03:00 FortiAuthenticator radiusd[8155]: (2) facauth: Updated auth log 'test.ipsec' for attempt from 172.30.0.15~190.210.194.200: Local administrator authentication from 192.168.194.200 (mschap) with FortiToken failed: invalid user parameter
2025-11-06T12:14:09.826025-03:00 FortiAuthenticator radiusd[8155]: (2) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-11-06T12:14:10.155786-03:00 FortiAuthenticator radiusd[8155]: Waking up in 0.6 seconds.
2025-11-06T12:14:10.827796-03:00 FortiAuthenticator radiusd[8155]: (2) Sent Access-Reject Id 91 from 172.30.0.80:1812 to 172.30.0.25:15841 length 44
2025-11-06T12:14:10.827810-03:00 FortiAuthenticator radiusd[8155]: (2) Message-Authenticator := 0x00
2025-11-06T12:14:10.827814-03:00 FortiAuthenticator radiusd[8155]: (2) EAP-Message = 0x04b40004

FortiClient uses EAP-MSCHAPv2 authentication by default. Refer to the following documentation:

EAP-TTLS support for IPsec VPN

Authentication for Local Users with the 'Administrator' role fails because accounts with the 'Sponsor' or 'Administrator' role always store their password with irreversible cryptography (a bcrypt hash), while Local Users with the 'User' role use reversible cryptography (AES256). EAP-MSCHAPv2 requires the server to reproduce the client's challenge response from the password, which is impossible from a bcrypt hash, so for these accounts FortiAuthenticator can only verify a PAP 'User-Password', as the debug log states. Refer to Local user account password storage.
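To make concrete why a bcrypt-only record cannot satisfy EAP-MSCHAPv2 while a recoverable one can, here is an added Python model (not FortiAuthenticator code): PBKDF2 stands in for bcrypt, a record holding the cleartext stands in for the AES256-decrypted password, and an HMAC-SHA256 challenge response stands in for MSCHAPv2's NT-hash/DES computation. The username 'test.ipsec' comes from the log above; the password and challenge are constructed.

```python
import hashlib
import hmac
import os
# Constructed models of the two storage modes described on the page: 'Administrator'/'Sponsor'
# accounts keep only a one-way hash (bcrypt on the product; PBKDF2 stands in here), while 'User'
# accounts keep a reversible ciphertext (AES256 on the product) that the server can decrypt.

def irreversible_record(password: str) -> dict:
    """Salted one-way hash; the password cannot be recovered from this record."""
    salt = os.urandom(16)
    return {"kind": "irreversible", "salt": salt,
            "digest": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

def reversible_record(password: str) -> dict:
    """Reversible storage: the server can recover the cleartext (models decrypting AES256)."""
    return {"kind": "reversible", "password": password}

def challenge_response(password: str, challenge: bytes, username: str) -> bytes:
    """Client side of an MSCHAPv2-style exchange. Real MSCHAPv2 derives the response from the
    NT hash (MD4 of the UTF-16LE password) with DES; this HMAC-SHA256 stand-in keeps the
    property that matters here: the verifier must rebuild the same value from the password."""
    return hmac.new(password.encode(), challenge + username.encode(), "sha256").digest()

def radius_authenticate(record: dict, username: str, method: str, *, password: str = "",
                        challenge: bytes = b"", response: bytes = b"") -> tuple:
    """Server-side decision: (accepted, reason). The reject text mirrors the debug log."""
    if method == "pap":
        if record["kind"] == "irreversible":
            expected = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
            ok = hmac.compare_digest(expected, record["digest"])
        else:
            ok = hmac.compare_digest(password.encode(), record["password"].encode())
        return ok, "Access-Accept" if ok else "Access-Reject: bad password"
    if method == "mschapv2":
        if record["kind"] == "irreversible":
            # No way back from the salted hash to the password, so no expected response exists.
            return False, f"local user '{username}' auth require \"User-Password\" (pap)"
        expected = challenge_response(record["password"], challenge, username)
        ok = hmac.compare_digest(expected, response)
        return ok, "Access-Accept" if ok else "Access-Reject: bad challenge response"
    return False, "Access-Reject: unsupported method"

def demo() -> tuple:
    """Same password and response against both record types: only 'User'-style storage verifies."""
    challenge = os.urandom(16)  # constructed server challenge
    response = challenge_response("Secr3t!", challenge, "test.ipsec")
    return tuple(radius_authenticate(rec, "test.ipsec", "mschapv2", challenge=challenge, response=response)
                 for rec in (irreversible_record("Secr3t!"), reversible_record("Secr3t!")))
```

Running demo() returns a reject carrying the log's wording for the irreversible record and Access-Accept for the reversible one; switching the method to "pap" makes both records verifiable.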

Local Users with the 'User' role authenticate correctly.
