gmonte (Staff)
Article Id 412786
Description: This article describes the compatibility between IKEv2 and two-factor authentication (2FA) when using IPSec.
Scope: FortiClient, FortiGate.
Solution:

Starting from FortiClient version 7.4.4, the IKEv1 feature has been removed, and only IKEv2 is supported.

When FortiClient connects to an IPSec VPN tunnel with the EAP-TTLS feature enabled, no FortiToken prompt appears: authentication completes directly, without the second factor being requested.


Note:

The above behavior applies to all user types, whether local or using LDAP.


In the fnbamd debug output, the EAP result shows no 2FA. Collect it with the following commands:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 <remote address>
diagnose vpn ike log filter loc-addr4 <local address>
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable


[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 0x11C08EB7001, len=2616
ike V=root:0:ipsec:0 EAP 1219920359425 result FNBAM_SUCCESS
ike V=root:0:ipsec: EAP succeeded for user "test_user" group "local" 2FA=no <---
[516] fnbamd_rad_auth_ctx_free-Freeing 'EAP_PROXY' ctx

If EAP-TTLS is disabled on FortiClient and EAP-MSCHAPv2 is used instead, a FortiToken prompt will appear. After the token is entered, the connection is established. In this case, the fnbamd and ike debug output shows 2FA=yes:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 <remote address>
diagnose vpn ike log filter loc-addr4 <local address>
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable


ike V=root:0:ipsec:3 EAP 1219920359431 result FNBAM_SUCCESS
[1251] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'EAP_PROXY' ctx
[1123] fnbamd_rad_auth_ctx_uninit-
[883] __rad_stop-
[257] __rad_udp_close-closed.
ike V=root:0:ipsec: EAP succeeded for user "user1" group "local" 2FA=yes <-----
ike V=root:0:ipsec:3: responder preparing EAP pass through message
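The two debug outputs above differ only in the 2FA flag on the "EAP succeeded" line, which is the quickest way to confirm whether a given IPSec login actually went through FortiToken. The following Python is an added example, not part of the article or of any Fortinet tooling: it parses ike/fnbamd debug output and lists the users whose EAP authentication completed without a second factor. The sample input is constructed from the debug lines quoted in this article.

```python
import re

# Matches the "EAP succeeded" line emitted in the ike debug, as quoted in the
# article. Trailing annotations such as "<---" do not affect the match.
EAP_RESULT_RE = re.compile(
    r'EAP succeeded for user "(?P<user>[^"]*)" group "(?P<group>[^"]*)" '
    r'2FA=(?P<tfa>yes|no)'
)


def parse_eap_results(debug_output: str) -> list[dict]:
    """Return one record per EAP success line: user, group, and whether 2FA ran."""
    results = []
    for line in debug_output.splitlines():
        m = EAP_RESULT_RE.search(line)
        if m:
            results.append({
                "user": m["user"],
                "group": m["group"],
                "two_factor": m["tfa"] == "yes",
            })
    return results


def users_without_2fa(debug_output: str) -> list[str]:
    """Users whose tunnel authenticated with 2FA=no (the EAP-TTLS case above)."""
    return [r["user"] for r in parse_eap_results(debug_output) if not r["two_factor"]]


# Constructed sample: the lines quoted in the article, both the EAP-TTLS case
# (2FA=no) and the EAP-MSCHAPv2 case (2FA=yes), plus unrelated fnbamd noise.
SAMPLE_DEBUG = """\
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 0x11C08EB7001, len=2616
ike V=root:0:ipsec:0 EAP 1219920359425 result FNBAM_SUCCESS
ike V=root:0:ipsec: EAP succeeded for user "test_user" group "local" 2FA=no <---
[516] fnbamd_rad_auth_ctx_free-Freeing 'EAP_PROXY' ctx
ike V=root:0:ipsec:3 EAP 1219920359431 result FNBAM_SUCCESS
[257] __rad_udp_close-closed.
ike V=root:0:ipsec: EAP succeeded for user "user1" group "local" 2FA=yes <-----
ike V=root:0:ipsec:3: responder preparing EAP pass through message
"""

if __name__ == "__main__":
    for rec in parse_eap_results(SAMPLE_DEBUG):
        print(rec)
    print("authenticated without 2FA:", users_without_2fa(SAMPLE_DEBUG))
```

Feed it the saved output of the diagnose commands above to check that every IKEv2 login that should have required a token really shows 2FA=yes.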


Note:

This behavior has been fixed in v7.4.9.


Conclusion:

For v7.4.8 or earlier, if two-factor authentication is required, IKEv1 should be used. To enable IKEv2 with two-factor authentication, an upgrade to v7.4.9 or higher is necessary.