FortiGate
SAJUDIYA
Staff
Article Id 413730
Description
This article describes an issue with IKEv2 dial-up IPsec VPN where users authenticated through LDAP with EAP-TTLS do not receive a token prompt and can connect without a token.
Scope
FortiOS 7.4.
Solution

This issue can occur when a few key elements are in place:

  • IKEv2 dial-up tunnel.
  • Authentication performed through LDAP with EAP-TTLS.
  • A FortiToken associated with connecting users.

An example configuration is provided below (the truncated blocks are completed with their closing next/end statements; 'set users' is the firewall policy keyword for binding a local user):

config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 10.212.50.200
        set ipv4-end-ip 10.212.50.250
    next
end

config firewall policy
    edit 314
        set name "vpn_test_remote_0"
        set srcintf "test"
        set dstintf "a"
        set action accept
        set srcaddr "test_range"
        set dstaddr "dst_range"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set users "test"
    next
end

config user local
    edit "test"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB03xxxxx"
        set email-to xxx
        set username-sensitivity disable
    next
end

To troubleshoot, run the following debug commands and look for the message 'Token push is skipped, waiting for an auth_token request instead':

diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable

[575] __group_match-Group 'test' passed group matching
[578] __group_match-Add matched group 'test'(17)
[206] find_matched_usr_grps-Passed group matching
[913] update_auth_token_session-Token is needed
[923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead

[239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 10630107074583, len=2641
wpad_fnbam_read() -- got response
process_auth_result 807 -- ses_id=10630107074583, currentMethod=21, auth_res=7.
process_auth_result() -- tfa is required, request 10630107074583
process_auth_result 825 -- ftm push required
eap_comm_send_auth_result 282 rsp len:904
ep_auth_session_del 151 -- auth session deleted, ses_id=10630107074583
1752595585.761177: eap_comm_client_read:670, type:0, size:904
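When a debug capture spans many logins, it helps to check it mechanically for the signature shown above. The following Python script is an added example for this article, not Fortinet code: it groups fnbamd debug lines into per-request records and reports the requests where fnbamd logged 'Token is needed' followed by 'Token push is skipped'. The line patterns are taken from the excerpt above; the embedded capture is constructed from that excerpt plus a hypothetical second request (10630107074584) whose push was not skipped, so the script has something to distinguish.

```python
"""Audit a FortiGate fnbamd debug capture for IKEv2 EAP sessions where a
FortiToken was required but the token push was skipped.

Added example for this article, not Fortinet code. Line patterns follow the
debug excerpt in the article; the capture below is constructed from that
excerpt plus a hypothetical second request (10630107074584) whose push was
not skipped.
"""
import re
from dataclasses import dataclass

# Constructed sample capture (first request copied from the article's excerpt).
SAMPLE_DEBUG = """\
[913] update_auth_token_session-Token is needed
[923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
[239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 10630107074583, len=2641
process_auth_result 807 -- ses_id=10630107074583, currentMethod=21, auth_res=7.
process_auth_result() -- tfa is required, request 10630107074583
process_auth_result 825 -- ftm push required
ep_auth_session_del 151 -- auth session deleted, ses_id=10630107074583
[913] update_auth_token_session-Token is needed
[239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 10630107074584, len=2641
process_auth_result() -- tfa is required, request 10630107074584
"""

# Message fragments exactly as they appear in the article's debug excerpt.
TOKEN_NEEDED = re.compile(r"update_auth_token_session-Token is needed")
PUSH_SKIPPED = re.compile(r"update_auth_token_session-Token push is skipped")
SEND_RESULT = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) .*?for req (\d+)")
TFA_REQUIRED = re.compile(r"tfa is required, request (\d+)")


@dataclass
class AuthRequest:
    req_id: str
    result: int            # result code as logged by fnbamd_comm_send_result
    token_needed: bool = False
    push_skipped: bool = False
    tfa_required: bool = False

    @property
    def token_bypass_suspected(self) -> bool:
        # The article's signature: fnbamd decided a token is needed, then
        # skipped the push while waiting for an auth_token request.
        return self.token_needed and self.push_skipped


def parse_fnbamd_debug(text: str) -> dict:
    """Group debug lines into AuthRequest records keyed by request id.

    The token lines are emitted before the request id is logged, so they are
    held as pending state and attached to the next 'Sending result ... for req'.
    """
    requests: dict = {}
    pending_needed = pending_skipped = False
    for raw in text.splitlines():
        line = raw.strip()
        if TOKEN_NEEDED.search(line):
            pending_needed = True
        elif PUSH_SKIPPED.search(line):
            pending_skipped = True
        elif (m := SEND_RESULT.search(line)):
            req = AuthRequest(req_id=m.group(2), result=int(m.group(1)),
                              token_needed=pending_needed,
                              push_skipped=pending_skipped)
            requests[req.req_id] = req
            pending_needed = pending_skipped = False
        elif (m := TFA_REQUIRED.search(line)):
            if m.group(1) in requests:
                requests[m.group(1)].tfa_required = True
    return requests


def affected_requests(text: str) -> list:
    """Return the ids (sorted) of requests whose token push was skipped."""
    return sorted(r.req_id for r in parse_fnbamd_debug(text).values()
                  if r.token_bypass_suspected)


if __name__ == "__main__":
    for req_id in affected_requests(SAMPLE_DEBUG):
        print(f"request {req_id}: token required but push skipped")
```

Feed it the text captured from 'diagnose debug application fnbamd -1' instead of SAMPLE_DEBUG; any request id it prints is a login that fnbamd flagged as needing a token without sending the push, which is exactly the condition the fix in 7.4.9 / 7.6.1 addresses.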

To address this problem, EAP-TTLS token support was added in FortiOS 7.4.9 and 7.6.1, used together with FortiClient 7.4.4 and later versions.

A workaround is to use EAP-MSCHAPv2 instead of EAP-TTLS for the LDAP server; this allows the token prompt to appear on FortiOS/FortiClient versions that do not include the EAP-TTLS enhancement.

Note: As per FortiClient v7.4.3 New Features, FortiClient 7.4.3 and above now support EAP-TTLS. The only way to enable EAP-TTLS for the free version of FortiClient (FortiClient VPN) is to change and then restore the XML configuration file. See Technical Tip: How to enable EAP-TTLS for IPsec IKEv2 tunnels in VPN-only (unlicensed) FortiClient.

Note: As of October 2025, FortiClient (Windows) 7.4.4 does not include an updated version of the free VPN-only agent. This is because no feature changes were made to the VPN-only agent between versions 7.4.3 and 7.4.4. Users can continue using the FortiClient 7.4.3 VPN-only agent: FortiClient 7.4.4 Special notices.