FortiGate
gmonte
Staff
Article Id 412786
Description: This article explains the compatibility between IKEv2 and two-factor authentication (2FA) when using IPsec.
Scope: FortiClient, FortiGate.
Solution

Starting from FortiClient version 7.4.4, the IKEv1 feature has been removed and only IKEv2 is supported.

When a FortiClient IPsec VPN configured with the EAP-TTLS feature connects to the tunnel, no FortiToken prompt appears: authentication completes directly, without the second factor.

Note:

The above behavior applies to all user types, whether local or using LDAP.

 

With fnbamd and ike debugging enabled, the output shows no 2FA for the connection:

diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug enable

 

[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 0x11C08EB7001, len=2616
ike V=root:0:ipsec:0 EAP 1219920359425 result FNBAM_SUCCESS
ike V=root:0:ipsec: EAP succeeded for user "test_user" group "local" 2FA=no <<<<<
[516] fnbamd_rad_auth_ctx_free-Freeing 'EAP_PROXY' ctx

If EAP-TTLS is disabled on FortiClient and EAP-MSCHAPv2 is used instead, a FortiToken prompt appears. After the token is entered, the connection is established. In this case, the fnbamd and ike debug output shows 2FA=yes:

diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug enable

 

ike V=root:0:ipsec:3 EAP 1219920359431 result FNBAM_SUCCESS
[1251] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'EAP_PROXY' ctx
[1123] fnbamd_rad_auth_ctx_uninit-
[883] __rad_stop-
[257] __rad_udp_close-closed.
ike V=root:0:ipsec: EAP succeeded for user "user1" group "local" 2FA=yes <-----
ike V=root:0:ipsec:3: responder preparing EAP pass through message
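To audit whether IKEv2 connections actually enforced the second factor, the "EAP succeeded" lines shown above can be parsed for their 2FA= flag. The following Python script is an added example and not part of the original article; it runs over constructed sample output in the format shown above and reports users who authenticated without 2FA although their group is expected to require a token (the group list is an assumption to be filled in per deployment).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Regex for the "EAP succeeded" line written by the ike daemon, e.g.
#   ike V=root:0:ipsec: EAP succeeded for user "test_user" group "local" 2FA=no
# The "<<<<<" / "<-----" markers in the article are annotations, not log text,
# so the pattern does not anchor on end of line.
EAP_SUCCEEDED_RE = re.compile(
    r'^ike V=(?P<vdom>[^:]+):\d*:(?P<phase1>[^:\s]+):\d*\s+'
    r'EAP succeeded for user "(?P<user>[^"]+)" group "(?P<group>[^"]+)" '
    r'2FA=(?P<tfa>yes|no)'
)

# Constructed sample debug output, modelled on the lines quoted in the article.
SAMPLE_DEBUG = """\
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 0x11C08EB7001, len=2616
ike V=root:0:ipsec:0 EAP 1219920359425 result FNBAM_SUCCESS
ike V=root:0:ipsec: EAP succeeded for user "test_user" group "local" 2FA=no
[516] fnbamd_rad_auth_ctx_free-Freeing 'EAP_PROXY' ctx
ike V=root:0:ipsec:3 EAP 1219920359431 result FNBAM_SUCCESS
ike V=root:0:ipsec: EAP succeeded for user "user1" group "local" 2FA=yes
ike V=root:0:ipsec:3: responder preparing EAP pass through message
"""


def parse_eap_results(debug_output: str) -> List[Dict[str, str]]:
    """Return one record (vdom, phase1, user, group, tfa) per successful EAP authentication."""
    records = []
    for line in debug_output.splitlines():
        m = EAP_SUCCEEDED_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def missing_2fa(debug_output: str, groups_requiring_2fa: Iterable[str]) -> List[Tuple[str, str]]:
    """List (user, group) pairs that succeeded with 2FA=no although their group requires a token.
    Failed authentications never produce an "EAP succeeded" line, so they are not reported."""
    required = set(groups_requiring_2fa)
    return [
        (r["user"], r["group"])
        for r in parse_eap_results(debug_output)
        if r["group"] in required and r["tfa"] == "no"
    ]


if __name__ == "__main__":
    # Assumed policy: the "local" group is expected to use FortiToken.
    for user, group in missing_2fa(SAMPLE_DEBUG, groups_requiring_2fa={"local"}):
        print(f'user "{user}" in group "{group}" completed IKEv2 EAP without a FortiToken')
```

On a live unit the input would be the captured output of the diagnose debug commands above rather than the embedded sample.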

 

Note:

This behavior has been fixed in v7.4.9.

 

Conclusion:

For v7.4.8 or earlier, if two-factor authentication is required, IKEv1 should be used. To enable IKEv2 with two-factor authentication, an upgrade to v7.4.9 or higher is necessary.
