FortiGate
sramesh1 (Staff)
Article Id 406069
Description This article explains how FortiGate handles RADIUS Access-Challenge messages between SSL VPN and IPsec VPN, and provides configuration considerations for enabling proper MFA (Multi-Factor Authentication) flow.
Scope FortiGates configured for remote access VPN using SSL VPN or IPsec VPN with RADIUS authentication and MFA (e.g., token-based or push-based 2FA).
Solution

In some scenarios, SSL VPN successfully processes RADIUS Access-Challenge messages for MFA, while IPsec VPN fails to do so. With the same configuration, SSL VPN users complete MFA successfully, but IPsec VPN users are disconnected immediately after the challenge is received.

Behavior Overview:

SSL VPN:
SSL VPN natively supports handling of RADIUS Access-Challenge messages. When the RADIUS server sends an Access-Challenge (e.g., requesting OTP or approving push notification), SSL VPN keeps the session in a pending state, forwards the challenge to the client, and resumes authentication once the client responds.
IPsec VPN:
IPsec VPN (including FortiClient) does not handle Access-Challenge in the same way. When the RADIUS server sends an Access-Challenge, the IPsec VPN process does not forward the challenge to the client by default, causing the session to terminate.
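To make the pending-challenge exchange concrete, the Python script below is an added illustration and is not code from this article or from FortiOS: it builds and parses a RADIUS Access-Challenge (RFC 2865 packet codes and attribute types), verifies the Response Authenticator with the shared secret (a check the article itself does not discuss), and shows the State attribute that the client's follow-up Access-Request must echo so the server can match the OTP to the pending session. The shared secret, packet identifier, prompt text, State value, user name and OTP are all constructed sample values.

```python
import hashlib, os, struct

# RADIUS packet codes (RFC 2865) and the attributes that carry an MFA challenge round-trip.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Decode RADIUS TLVs, rejecting truncated or zero-length attributes instead of looping."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, length = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_response(pkt, request_auth, secret):
    """Client side: verify the Response Authenticator, then return (code, ident, attrs)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    if hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    return code, ident, decode_attrs(pkt[20:])

def challenge_round_trip(secret=b"constructed-shared-secret"):
    """One MFA round-trip: parse a constructed Access-Challenge and build the follow-up attributes."""
    req_auth = os.urandom(16)  # Request Authenticator of the first Access-Request (constructed)
    # Constructed server reply: a Reply-Message prompt for the user plus an opaque State cookie.
    challenge = build_response(ACCESS_CHALLENGE, 7, req_auth,
                               [(REPLY_MESSAGE, b"Enter OTP:"), (STATE, b"sess-4242")], secret)
    code, ident, attrs = parse_response(challenge, req_auth, secret)
    # The follow-up Access-Request must echo State unchanged so the server can match the OTP
    # to the pending session; User-Password here is the raw OTP before RFC 2865 hiding.
    follow_up = [(USER_NAME, b"alice"), (USER_PASSWORD, b"123456"), (STATE, dict(attrs)[STATE])]
    return code, attrs, follow_up
```

A VPN gateway that drops the session at this point, instead of holding the State value and prompting the client, is exactly the IPsec behavior the article describes.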

Requirement for MS-CHAP on the RADIUS Server for IPsec VPN:

  • For IPsec VPN to handle RADIUS authentication properly in MFA scenarios, the RADIUS server must have MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol) enabled.
  • Without MS-CHAP, the FortiGate cannot negotiate the challenge/response phase for IPsec VPN sessions, and the connection will be dropped after receiving the Access-Challenge.
Recommended Configuration Steps:

  • On the RADIUS server:
    • Enable MS-CHAP or MS-CHAPv2 authentication methods.
    • Ensure the VPN user group is allowed to use MS-CHAP.
  • On the FortiGate:
    • For SSL VPN: No additional configuration is needed beyond normal RADIUS MFA setup.
    • For IPsec VPN: Configure the phase1-interface to use XAuth with PAP/MS-CHAP, then test connectivity after enabling MS-CHAP on the RADIUS server.

Verification:

  • Enable RADIUS debug on the FortiGate:

diagnose debug enable
diagnose debug application fnbamd -1
diagnose debug console timestamp enable

  • Attempt a VPN login over both SSL VPN and IPsec VPN and compare how each handles the Access-Challenge.

To disable the debug, run:

diagnose debug disable

References:

  • RFC 2759: Microsoft PPP CHAP Extensions

Summary Table:

| VPN Type  | Access-Challenge Handling     | MS-CHAP Requirement |
|-----------|-------------------------------|---------------------|
| SSL VPN   | Supported, natively forwarded | No                  |
| IPsec VPN | Not natively supported        | Yes                 |

Conclusion:
When using IPsec VPN with RADIUS MFA, enabling MS-CHAP on the RADIUS server is necessary to avoid dropped connections after an Access-Challenge. SSL VPN does not require this, as it supports challenge handling by default.