After upgrading FortiAuthenticator to version 6.6.1 or 6.6.2, users who connect to the VPN through FortiClient with push tokens, or who enter the token code manually, see the login hang. The FortiAuthenticator authentication log shows the following entries:
date=2025-xy-xy time=02:08:42+0000 oid=810001 logid=20328 cat="Event" subcat="Authentication" level="information" nas="ip address" action="Authentication" status="Failed" msg="user authentication error: user not partially authenticated" user="test.user"
date=2025-xy-xy time=02:08:42+0000 oid=810000 logid=20300 cat="Event" subcat="Authentication" level="information" nas="ip address" action="Authentication" status="Pending" msg="Remote LDAP administrator authentication partially done, expecting FortiToken" user="test.user"

The radiusd debug log for the same attempt shows:
date=2025-xy-xyT07:50:14.118803+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: ERROR: Unable to do push auth for user test.user due to missing registration ID
date=2025-xy-xyT07:50:14.118819+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: ERROR: Failed to send FTM push notification, challenge user (again) to enter token code manually
date=2025-xy-xyT07:50:14.118824+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: Successfully found partially authenticated user instance.
date=2025-xy-xyT07:50:14.119223+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
date=2025-xy-xyT07:50:14.119364+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: Sending Access-Challenge.
date=2025-xy-xyT07:50:14.119373+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: update_fac_authlog:164 nas_str = IP1~IP2.
date=2025-xy-xyT07:50:14.119397+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: Updated auth log 'test.user' for attempt from IP1~IP2: Remote LDAP user authentication partially done, expecting FortiToken
date=2025-xy-xyT07:50:14.119404+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: facauth: print reply attributes of request id 92:
date=2025-xy-xyT07:50:14.119410+02:00 FortiAuthenticator radiusd[10677]:Message-Authenticator := 0x00
date=2025-xy-xyT07:50:14.119415+02:00 FortiAuthenticator radiusd[10677]:Reply-Message = "Please enter your token code manually"
date=2025-xy-xyT07:50:14.119418+02:00 FortiAuthenticator radiusd[10677]:Fortinet-FAC-Challenge-Code = "001"
In v6.6.2, FortiAuthenticator checks the reg_id only when it is about to send the push notification, that is, after push has already been offered to the client in the first challenge, and at that point finds the reg_id missing ("Unable to do push auth ... due to missing registration ID").
The failed push makes FortiAuthenticator send a second Access-Challenge to the client, asking for the token code instead (the "challenge user (again)" entry above).
FortiGate and FortiClient are not coded to handle a second challenge, so the login attempt effectively freezes.
Possible solutions and workarounds:
- Disable push notification for that RADIUS client, or create a separate RADIUS policy for the affected users with push disabled.
- For the affected users, re-provision a new FortiToken Mobile to fix the empty reg_id. The reg_id is the unique identifier issued by the Apple/Google push services for the FortiToken Mobile app; an empty reg_id means the phone could not register with the vendor's push service. For example, Android phones shipped without Google Services cannot register with the Google push service, and re-provisioning the token will not fix that; such users need the push-disabled policy above.
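Before applying either workaround it helps to know which users are actually hitting the missing reg_id path. The following is an added example, not Fortinet code and not part of this article: it parses radiusd debug output of the form quoted above, groups lines per RADIUS request, and reports users whose push failed for a missing registration ID. It assumes that the "(N)" after "radiusd[pid]:" is a per-request counter and that the reply-attribute lines without it belong to the most recent request of that process; the sample log is constructed from the lines quoted above (timestamps made up) plus a second, healthy request for comparison.

```python
"""Triage FortiAuthenticator radiusd debug output for the missing-reg_id push failure.

Added example; this is not Fortinet code and not part of the original article.
"""
import re

# Constructed sample log. Request (1) reproduces the debug lines quoted in the
# article (timestamps constructed); request (2) is a constructed healthy attempt
# for a second user, so the triage has a non-affected request to ignore.
SAMPLE_LOG = """\
date=2025-01-15T07:50:14.118803+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: ERROR: Unable to do push auth for user test.user due to missing registration ID
date=2025-01-15T07:50:14.118819+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: ERROR: Failed to send FTM push notification, challenge user (again) to enter token code manually
date=2025-01-15T07:50:14.118824+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: Successfully found partially authenticated user instance.
date=2025-01-15T07:50:14.119223+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
date=2025-01-15T07:50:14.119364+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: Sending Access-Challenge.
date=2025-01-15T07:50:14.119373+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: update_fac_authlog:164 nas_str = IP1~IP2.
date=2025-01-15T07:50:14.119397+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: Updated auth log 'test.user' for attempt from IP1~IP2: Remote LDAP user authentication partially done, expecting FortiToken
date=2025-01-15T07:50:14.119404+02:00 FortiAuthenticator radiusd[10677]:(1)facauth: facauth: print reply attributes of request id 92:
date=2025-01-15T07:50:14.119410+02:00 FortiAuthenticator radiusd[10677]:Message-Authenticator := 0x00
date=2025-01-15T07:50:14.119415+02:00 FortiAuthenticator radiusd[10677]:Reply-Message = "Please enter your token code manually"
date=2025-01-15T07:50:14.119418+02:00 FortiAuthenticator radiusd[10677]:Fortinet-FAC-Challenge-Code = "001"
date=2025-01-15T07:51:02.000100+02:00 FortiAuthenticator radiusd[10677]:(2)facauth: Sending Access-Challenge.
date=2025-01-15T07:51:02.000200+02:00 FortiAuthenticator radiusd[10677]:(2)facauth: Updated auth log 'other.user' for attempt from IP1~IP2: Remote LDAP user authentication partially done, expecting FortiToken
"""

# Assumption: "(N)" right after "radiusd[pid]:" is the per-request counter, and the
# reply-attribute lines that lack it belong to the most recent request of that process.
LINE_RE = re.compile(
    r'^date=(?P<ts>\S+) (?P<host>\S+) radiusd\[(?P<pid>\d+)\]:'
    r'(?:\((?P<req>\d+)\))?(?P<msg>.*)$'
)
MISSING_REG_ID_RE = re.compile(
    r'Unable to do push auth for user (?P<user>\S+) due to missing registration ID'
)
AUTHLOG_USER_RE = re.compile(r"Updated auth log '(?P<user>[^']+)'")
REPLY_MSG_RE = re.compile(r'^Reply-Message = "(?P<text>[^"]*)"')


def _new_record():
    return {"user": None, "missing_reg_id": False, "second_challenge": False,
            "challenges": 0, "reply_message": None}


def triage(log_text):
    """Group debug lines per RADIUS request and summarise them per user.

    Returns {user: {"user", "missing_reg_id", "second_challenge",
                    "challenges", "reply_message"}}.
    The excerpt usually starts after the first Access-Challenge was already sent,
    so the second challenge is detected from the "(again)" marker rather than
    from the Access-Challenge count.
    """
    per_request = {}
    last_req = {}  # pid -> most recent request counter seen
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, req, msg = m["pid"], m["req"], m["msg"]
        if req is None:
            req = last_req.get(pid)
            if req is None:  # attribute dump with no preceding request line
                continue
        else:
            last_req[pid] = req
        rec = per_request.setdefault((pid, req), _new_record())

        if (u := MISSING_REG_ID_RE.search(msg)):
            rec["user"] = u["user"]
            rec["missing_reg_id"] = True
        elif (u := AUTHLOG_USER_RE.search(msg)):
            rec["user"] = rec["user"] or u["user"]
        if "challenge user (again)" in msg:
            rec["second_challenge"] = True
        if "Sending Access-Challenge." in msg:
            rec["challenges"] += 1
        if (r := REPLY_MSG_RE.match(msg)):
            rec["reply_message"] = r["text"]

    by_user = {}
    for rec in per_request.values():
        if rec["user"] is None:
            continue
        summary = by_user.setdefault(rec["user"], _new_record())
        summary["user"] = rec["user"]
        summary["missing_reg_id"] |= rec["missing_reg_id"]
        summary["second_challenge"] |= rec["second_challenge"]
        summary["challenges"] += rec["challenges"]
        summary["reply_message"] = rec["reply_message"] or summary["reply_message"]
    return by_user


def affected_users(log_text):
    """Users that need re-provisioning or a push-disabled RADIUS policy."""
    return sorted(u for u, s in triage(log_text).items() if s["missing_reg_id"])


if __name__ == "__main__":
    for user, s in triage(SAMPLE_LOG).items():
        print(f"{user}: missing_reg_id={s['missing_reg_id']} "
              f"second_challenge={s['second_challenge']} reply={s['reply_message']!r}")
    print("affected:", affected_users(SAMPLE_LOG))
```

Feed it the radiusd debug output captured on the FortiAuthenticator; the users returned by affected_users are the ones to re-provision or move to the RADIUS policy with push disabled. A user that appears with a missing reg_id after re-provisioning is the Google-Services case described above and needs the push-disabled policy.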
This issue is resolved in v6.6.3 (Resolved issues): FortiAuthenticator now checks the reg_id before offering push notification at all. If there is a problem with the reg_id, it does not offer push and goes straight to requesting the token code, so the client only ever receives a single challenge.