Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Matt_B
Staff & Editor
Staff & Editor

Created on ‎12-20-2025 06:06 AM Edited on ‎01-10-2026 07:00 AM By Community Manager

Article Id 424015

Technical Tip: FortiOS IKEv2 Dialup tunnel with RADIUS and DUO MFA

Description

This article demonstrates how to configure a dial-up IPsec VPN using IKEv2 and Multi-Factor Authentication (MFA) with Duo authentication proxy.
Scope FortiOS v6.2.4 and later, dial-up IKEv2 VPN.
Solution

This article refers to non-SSO authentication. For an example of a VPN deployment using SSO authentication, see this article: Technical Tip: How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN.

This article is a companion article to Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA, demonstrating how to integrate third-party MFA in place of FortiToken Mobile.

Requirements:

  • VPN client supporting EAP-MSCHAPv2 authentication (e.g., FortiClient v6.2.1 or later).
  • FortiOS v6.2.4 or later.
  • Third-party RADIUS authentication proxy supporting EAP-MSCHAPv2 (e.g., Duo Authentication Proxy v6.5.1 or later).
  • NPS Server.

 

Duo_auth_proxy_eap.png

 

Configure the Duo application:

Refer to the third-party article Duo Two-Factor Authentication with RADIUS and Primary Authentication for basic steps.

  1. Enroll one or more MFA users in Duo, see the third-party reference Enrolling Users. Optionally, assign the user(s) to a Duo user group for ease of administration.
  2. Go to Applications -> Applications -> Search for RADIUS or 'FortiGate SSL VPN'.

    duo_admin_02.png
    duo_admin_01.png

Note: The 'support ending' flag on the 'Fortinet FortiGate SSL VPN' Duo application refers to Duo support for the traditional Duo Prompt using iFrame, which IKEv2 does not use. See the third-party reference Guide to Traditional Duo Prompt End of Support for more information. It is possible to use either application template to configure the Duo application for IKEv2.

 

  1. Note the Integration Key, Secret Key, and API hostname of the application. The secret key is sensitive and should only be entered in the authentication proxy configuration.


duo_admin_05mod.png

 

Configure the Duo authentication proxy:

  1. Install Duo authentication proxy on a Windows or Linux server and verify the proxy version. Note that the proxy must be at least version 6.5.1 or 6.6.0 to support EAP-MSCHAPv2. See the third-party reference: Does the Duo Authentication Proxy support EAP or PEAP?

    duo version.png                                              
  2. Configure the Authentication Proxy by editing the authproxy.cfg file.

 

; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])

 

[radius_client]
host=172.16.1.10 <-- NPS IP address.
secret=DUO_NPS_RADIUS_secret
pass_through_all=true <-- Only required if the configured NPS RADIUS VSA, such as Fortinet-group-name, should be forwarded from NPS to FortiGate, see this article: Technical Tip: Configuring FortiGate and Microsoft NPS (Radius with AD authentication).


; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)

 

[radius_server_auto]
ikey=****************NDY3 <-- DUO application integration key.
skey=************************************aIAX <-- DUO application secret key.
api_host=api-abcdef12.duosecurity.com <-- Duo application API hostname.
radius_ip_1=172.16.1.15 <-- FortiGate NAS IP address.
radius_secret_1=DUO_FGT_RADIUS_secret
failmode=safe
client=radius_client <-- Not ad_client.
port=1812  <-- By default, RADIUS port number is 1812. If the DUO Authentication Proxy Server and NPS Server is the same, it is recommended to use an alternative port number to avoid conflict with DUO Proxy and NPS connection.

force_message_authenticator=true <-- message-authenticator should be enabled on FortiGate and Duo, or disabled on both.

 

By default, it is disabled on the Duo authentication proxy and enabled on FortiGate. See the article Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6....

 

If needed, secrets in this file can be encrypted. See the third-party reference How do I use the Duo Authentication Proxy password encryption tool?

 

If [ad_client] is configured on DUO Authentication Proxy, validating the configuration will show below errors.

Picture1.png

  1. Start or Restart the Authentication Proxy Service.

duo_service.png


Configure NPS server:

The NPS configuration is similar to Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA, updating the FortiGate IP address and secret with the Duo authentication proxy.

 

nps_01.png

 

NPS_02.png


If there are multiple Access Client IPv4 addresses, separate the addresses using a comma.

Picture2.png

FortiOS configuration:

FortiGate configuration is similar to Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA, with the following differences:

 

RADIUS server configuration references the Duo authentication proxy IP address and uses the RADIUS secret shared between Duo and FortiGate:


config user radius

    edit "Duo-Proxy"

        set server "172.16.1.22"
        set secret DUO_FGT_RADIUS_secret
        set timeout 60 <-- Extended to allow for third-party MFA.
        set nas-ip 172.16.1.15

        set radius-port <RADIUS PORT>

        set require-message-authenticator { enable | disable } <-- Must match authproxy.cfg setting.

    next

end

 

By default, the RADIUS port number is 1812. If the DUO Authentication Proxy Server and NPS Server are the same, it is recommended to use an alternative port number to avoid conflict with the DUO Proxy and NPS connection.
To edit the port used to connect with the RADIUS server.

 

config user radius

    edit "Duo-Proxy"

        set radius-port <Alternative RADIUS PORT>

    next

end

 

Since no FortiToken is assigned, no remote RADIUS user is defined. Instead, the user group is configured to reference the radius server directly.

 

config user group

    edit "Escalations-Radius-DC1"

        set member "Duo-Proxy"

    next

end

 

Since the FortiGate is not aware of the MFA taking place, the global remoteauthtimeout must be extended.

 

config system global

    set remoteauthtimeout 60

end

 

The 'remoteauthtimeout' setting also determines how long the FortiGate waits before sending authentication to the secondary RADIUS server if the primary server is down. More details on Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they wo....

 

FortiGate VPN tunnel and firewall policy settings are the same as in the FortiToken MFA use case.


Limitation:
If using third-party MFA, the user must use an out-of-band MFA method such as DUO push. Third-party MFA servers do not support the customized EAP messages FortiOS uses to trigger an inline OTP prompt on FortiClient.

 

Related articles:

Technical Tip: FortiOS IKEv2 Dialup VPN User and Multi-factor authentication resources

Technical Tip: FortiOS IKEv2 EAP user authentication operation
978
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.