FortiClient added support for EAP-TTLS in IPSec VPN starting in firmware v7.4.3. This authentication method must be used if users are to be able to authenticate to a remote LDAP server while connecting to an IPSec IKEv2 tunnel.
Using a FortiToken with EAP-TTLS is supported starting in v7.4.4. The free 7.4.3 FortiClient will be unable to connect if tokens are enabled: Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS).
FortiClient documentation outlines how to enable EAP-TTLS support for EMS-managed FortiClients here: FortiClient: EAP-TTLS support for IPsec VPN.
To enable EAP-TTLS on unlicensed FortiClients, the configuration file must be edited manually. This requires some familiarity with XML.
To start with, an IPSec IKEv2 tunnel should be configured on FortiClient to match a dial-up configuration on FortiGate. Guides on how to configure IPSec IKEv2 dial-up tunnels may be found here, for example:
- Technical Tip: FortiGate IPSec Dial-up IKEv2 SAML-based authentication with FortiAuthenticator as Id...
- Technical Tip: IKEv2 dialup IPsec tunnel with RADIUS server authentication and FortiClient
Once a VPN tunnel is configured on FortiClient, it can be edited to enable EAP-TTLS support.
- Export a FortiClient configuration backup.
- Edit the resulting *.conf file in an editor such as WordPad, Notepad++, or similar.
- Find the section:
  <vpn> <ipsecvpn> <connections> <connection>
  There should be a connection listed with the name of the configured IPSec tunnel. Within this connection, find the <ike_settings> part.
- In <ike_settings>, add the following line:
  <eap_method>2</eap_method>
  Using 1 requires EAP-MSCHAPv2 authentication. Using 2 requires EAP-TTLS/PAP authentication.
- Save the modified configuration as a separate file.
- Import the modified configuration into FortiClient. This may require FortiClient to be unlocked.
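As an added example (not part of this tip and not a Fortinet tool), the script below applies the same edit programmatically to a constructed backup laid out like the exported *.conf: it walks <vpn>/<ipsecvpn>/<connections>/<connection>, matches the tunnel by <name>, and inserts or updates <eap_method> inside that tunnel's <ike_settings> only. The sample element names, tunnel names and server values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a FortiClient backup (not a real export);
# element names follow the path given in the tip, tunnel names are made up.
SAMPLE_CONF = """<forticlient_configuration>
  <vpn><ipsecvpn><connections>
    <connection>
      <name>HQ-IKEv2</name>
      <ike_settings><server>vpn.example.com</server></ike_settings>
    </connection>
    <connection>
      <name>Lab-PSK</name>
      <ike_settings><server>lab.example.com</server></ike_settings>
    </connection>
  </connections></ipsecvpn></vpn>
</forticlient_configuration>"""

CONN_PATH = "./vpn/ipsecvpn/connections/connection"
EAP_MSCHAPV2, EAP_TTLS_PAP = "1", "2"   # values listed in the tip above


def eap_method_of(conf_xml: str, tunnel_name: str):
    """Return the <eap_method> text of the named tunnel, or None if absent."""
    root = ET.fromstring(conf_xml)
    for conn in root.findall(CONN_PATH):
        if conn.findtext("name") == tunnel_name:
            return conn.findtext("ike_settings/eap_method")
    raise ValueError(f"no IPsec connection named {tunnel_name!r}")


def set_eap_method(conf_xml: str, tunnel_name: str, method: str = EAP_TTLS_PAP) -> str:
    """Insert or update <eap_method> in the named tunnel's <ike_settings>; other tunnels stay untouched."""
    if method not in (EAP_MSCHAPV2, EAP_TTLS_PAP):
        raise ValueError("eap_method must be '1' (EAP-MSCHAPv2) or '2' (EAP-TTLS/PAP)")
    root = ET.fromstring(conf_xml)
    for conn in root.findall(CONN_PATH):
        if conn.findtext("name") != tunnel_name:
            continue
        ike = conn.find("ike_settings")
        if ike is None:
            raise ValueError(f"{tunnel_name!r} has no <ike_settings> block")
        eap = ike.find("eap_method")
        if eap is None:                      # add the line the tip describes
            eap = ET.SubElement(ike, "eap_method")
        eap.text = method                    # or update it if already present
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no IPsec connection named {tunnel_name!r}")


if __name__ == "__main__":
    print(set_eap_method(SAMPLE_CONF, "HQ-IKEv2"))
```

Save the returned text as a separate file and import it as described above; the existing element is updated in place rather than duplicated if the script is run twice.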


Important note: At the time of writing, FortiClient iOS and Android do not support EAP-TTLS/PAP authentication.