kaurg_FTNT
Staff
Article Id 214966
Description

This article describes why EAP authentication fails when an LDAP-based user group is referenced in an IKEv2 dial-up tunnel.

Scope

FortiGate.

Solution

With IKEv2, Extended Authentication (XAUTH) is not available. EAP (Extensible Authentication Protocol) has to be enabled to get functionality similar to XAUTH for IKEv2 dial-up tunnels. EAP supports many authentication methods, for example CHAP, MSCHAP and MSCHAPv2, and a RADIUS server can easily support these methods.

However, there is no standard for EAP with LDAP, and most LDAP servers do not support EAP. If a FortiGate uses LDAP for user authentication, none of CHAP, MSCHAP or MSCHAPv2 can be used.

The reason is that during CHAP, MSCHAP and MSCHAPv2 authentication the client sends a one-way hash of the password, whereas LDAP servers expect the password in clear text.

The FortiGate, acting as the LDAP client, does not have the user's password, nor can it turn a hashed password back into a clear-text password.

So when the FortiGate sends out the EAP request, it first lists the RADIUS servers available for that user group. If no RADIUS server is found, it falls back to itself (the local eap_proxy RADIUS server at 127.0.0.1).

The same can be seen in the eap_proxy and fnbamd debugs below.

 

Debugs:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 x.x.x.x     <----- Public IP of the endpoint.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

Note: To stop the debugging, run the following commands:

diagnose debug disable
diagnose debug reset

 

ike 0: comes 10.15.1.62:500->10.15.3.4:500,ifindex=11,vrf=0....

 

ike 0:VPN_IKEv2:3: responder preparing EAP identity request

ike 0:VPN_IKEv2:3: responder received EAP msg

ike 0:VPN_IKEv2:3: send EAP message to FNBAM

ike 0:VPN_IKEv2:3: initiating EAP authentication   <----- Initiating EAP authentication.

ike 0:VPN_IKEv2: EAP user "testuser"

ike 0:VPN_IKEv2: auth group vpngroup

ike 0:VPN_IKEv2: EAP 197822582 pending

[1909] handle_req-Rcvd auth req 197822582 for testuser in vpngroup opt=00000000 prot=8

[466]__compose_group_list_from_req-Group 'vpngroup',type 1

[617] fnbamd_pop3_start-testuser

[644] fnbamd_cfg_get_radius_list-Loading RADIUS server 'eap_proxy'

[343] fnbamd_create_radius_socket-Opened radius socket 14

[343] fnbamd_create_radius_socket-Opened radius socket 15

[1391] fnbamd_radius_auth_send-Compose RADIUS request

fnbamd_dbg_hex_pnt[48] EAP msg from client (13)-02 03 00 0D 01 74 65 73 74 75 73 65 72

[1351] fnbamd_rad_dns_cb-127.0.0.1->127.0.0.1 <--- FortiGate preparing RADIUS request to itself at 127.0.0.1.

[1329] __fnbamd_rad_send-Sent radius req to server 'eap_proxy': fd=14, IP=127.0.0.1(127.0.0.1:1812) code=1 id=6 len=153 user="testuser" using EAP

RADIUS SRV: Received 153 bytes from 127.0.0.1:5894

[320] radius_server_auth-Timer of rad 'eap_proxy' is added

<More>

RADIUS SRV: Creating a new session

RADIUS SRV: User-Name - hexdump_ascii(len=8):

[1650] fnbamd_ldap_init-Invalid params

     74 65 73 74 75 73 65 72                           testuser

RADIUS SRV: Matching user entry found

RADIUS SRV: NAS-ID - hexdump_ascii(len=9):

     46 47 31 30 30 45 2d 30 31                        FG100E-01

RADIUS SRV: CALLING-STATION-ID - hexdump_ascii(len=10):

     31 30 2e 31 35 2e 31 2e 36 32                     10.15.1.62

RADIUS SRV: SVC_TYPE - hexdump_ascii(len=9):

     76 70 6e 2d 69 6b 65 76 32                        vpn-ikev2

EAP: Server state machine created

RADIUS SRV: New session 0x2 initialized

RADIUS SRV: Received EAP data - hexdump(len=13):

 02 03 00 0d 01 74 65 73 74 75 73 65 72

 

EAP: EAP entering state INITIALIZE

EAP: parseEapResp: rxResp=1 respId=3 respMethod=1 respVendor=0 respVendorMethod=0

CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00

EAP: EAP entering state PICK_UP_METHOD

CTRL-EVENT-EAP-PROPOSED-METHOD method=1

EAP: EAP entering state METHOD_RESPONSE

EAP-Identity: Peer identity - hexdump_ascii(len=8):

     74 65 73 74 75 73 65 72                           testuser

EAP: EAP entering state SELECT_ACTION

EAP: getDecision: another method available -> CONTINUE

EAP: EAP entering state PROPOSE_METHOD

EAP: getNextMethod: vendor 0 type 26

CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=26

EAP: EAP entering state METHOD_REQUEST

EAP: building EAP-Request: Identifier 4

EAP-MSCHAPV2: Challenge - hexdump(len=16):

 e6 ef 53 9f 90 2f f3 e0 a0 c0 21 2d 98 bf fb 61

 

EAP: EAP entering state SEND_REQUEST

EAP: EAP entering state IDLE

EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)

RADIUS SRV: EAP data from the state machine - hexdump(len=33):

 01 04 00 21 1a 01 04 00 1c 10 e6 ef 53 9f 90 2f f3 e0 a0 c0 21 2d 98 bf fb 61 68 6f 73 74 61 70

 

RADIUS SRV: Reply to 127.0.0.1:5894

[1356] fnbamd_auth_handle_radius_result-Timer of rad 'eap_proxy' is deleted

[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11

fnbamd_dbg_hex_pnt[48] EAP msg from server (33)-01 04 00 21 1A 01 04 00 1C 10 E6 EF 53 9F 90 2F F3 E0 A0 C0 21 2D 98 BF FB 61 68 6F 73 74 61 70 64

[1382] fnbamd_auth_handle_radius_result --> Result for radius svr 'eap_proxy' 127.0.0.1(1) is 2  <--- Radius Challenge.

[217] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 197822582, len=3085

[1781] fnbamd_ldap_pause-

ike 0:VPN_IKEv2:3 EAP 197822582 result 2

ike 0:VPN_IKEv2: EAP challenged for user "testuser"                   <--- EAP challenge for user.

ike 0:VPN_IKEv2:3: responder preparing EAP pass through message

[1278] freeze_auth_session-

 

 

EAP: EAP entering state RECEIVED

EAP: parseEapResp: rxResp=1 respId=4 respMethod=26 respVendor=0 respVendorMethod=0

EAP: EAP entering state INTEGRITY_CHECK

EAP: EAP entering state METHOD_RESPONSE

EAP-MSCHAPV2: Peer-Challenge - hexdump(len=16):

 33 5c db 48 b0 71 51 8f ca a6 5a 03 ed 74 6e aa

 

EAP-MSCHAPV2: Name - hexdump_ascii(len=8):

     74 65 73 74 75 73 65 72                           testuser

EAP-MSCHAPV2: User name - hexdump_ascii(len=8):

     74 65 73 74 75 73 65 72                           testuser

EAP: EAP entering state WAIT_FNBAM_AUTH

[1909] handle_req-Rcvd auth req 197822583 for testuser in vpngroup opt=00000000 prot=4

[466] __compose_group_list_from_req-Group 'vpngroup', type 1

[617] fnbamd_pop3_start-testuser

[380] radius_start-Didn't find radius servers (0)

[750] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1015] __fnbamd_cfg_get_ldap_list_by_group-

[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap' for usergroup 'vpngroup' (2)

[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1713] fnbamd_ldap_init-search filter is: SAMAccountName=testuser

[1722] fnbamd_ldap_init-search base is: dc=fortinet,dc=net

[1146] __fnbamd_ldap_dns_cb-Resolved ldap:10.12.12.1 to 10.12.12.1, cur stack size:1

[919] __fnbamd_ldap_get_next_addr-

[1152] __fnbamd_ldap_dns_cb-Connection starts ldap:10.12.12.1, addr 10.12.12.1      <--- Connection to LDAP is established since VPN configuration has LDAP user-group 'vpngroup'.

 

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ldap' ctx

 

EAP-MSCHAPV2: Invalid NT-Response

EAP: EAP entering state METHOD_REQUEST

EAP: building EAP-Request: Identifier 5

EAP-MSCHAPV2: Failure Request Message - hexdump_ascii(len=57):

     45 3d 36 39 31 20 52 3d 30 20 43 3d 30 30 30 30   E=691 R=0 C=0000

     30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000

     30 30 30 30 30 30 30 30 30 30 30 30 20 56 3d 33   000000000000 V=3

     20 4d 3d 46 41 49 4c 45 44                         M=FAILED

EAP: EAP entering state SEND_REQUEST

EAP: EAP entering state IDLE

EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)

 

ike 0:VPN_IKEv2:3: waiting for RADIUS response

[48] handle_rad_timeout-rad 'eap_proxy' 127.0.0.1 timed out, resend request.

[1329] __fnbamd_rad_send-Sent radius req to server 'eap_proxy': fd=14, IP=127.0.0.1(127.0.0.1:1812) code=1 id=7 len=213 user="testuser" using EAP

RADIUS SRV: Received 213 bytes from 127.0.0.1:5348

RADIUS SRV: Received data - hexdump(len=213):

 01 07 00 d5 d8 e6 ef 3d c7 0e 24 5b 66 89 f1 4b 66 0d 13 a0 20 0b 46 47 31 30 30 45 2d 30 31 18

 06 00 00 00 02 01 0a 74 65 73 74 75 73 65 72 4f 45 02 04 00 43 1a 02 04 00 3e 31 33 5c db 48 b0

 71 51 8f ca a6 5a 03 ed 74 6e aa 00 00 00 00 00 00 00 00 e9 47 61 d9 f5 43 b7 10 00 82 0b 8e 73

 68 ad 24 d5 e7 33 a9 16 b8 b2 a3 00 74 65 73 74 75 73 65 72 08 06 0a 0f 01 3e 05 06 00 00 00 01

 3d 06 00 00 00 05 1f 0c 31 30 2e 31 35 2e 31 2e 36 32 2c 0a 30 62 63 61 38 38 37 36 4d 0b 76 70

 6e 2d 69 6b 65 76 32 1a 0c 00 00 30 44 03 06 72 6f 6f 74 1a 10 00 00 30 44 01 0a 76 70 6e 67 72

 6f 75 70 50 12 9c c7 70 16 99 bc 95 e3 f4 9b e1 2a b9 a6 88 2f

 

EAP: EAP entering state RECEIVED

EAP: parseEapResp: rxResp=1 respId=4 respMethod=26 respVendor=0 respVendorMethod=0

EAP: RECEIVED->DISCARD: rxResp=1 respId=4 currentId=5 respMethod=26 currentMethod=26

EAP: EAP entering state DISCARD

EAP: EAP entering state IDLE

EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)

RADIUS SRV: EAP data from the state machine - hexdump(len=66):

 

 

RADIUS SRV: Reply to 127.0.0.1:5348

[1356] fnbamd_auth_handle_radius_result-Timer of rad 'eap_proxy' is deleted

[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11

fnbamd_dbg_hex_pnt[48] EAP msg from server (66)-01 05 00 42 1A 04 04 00 3D 45 3D 36 39 31 20 52 3D 30 20 43 3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 20 56 3D 33 20 4D 3D 46 41 49 4C 45 44

[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 2

[217] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 197822582, len=3118

ike 0:VPN_IKEv2:3 EAP 197822582 result 2

[1278] freeze_auth_session-

ike 0:VPN_IKEv2: EAP challenged for user "testuser"

ike 0:VPN_IKEv2:3: responder preparing EAP pass through message

 

ike 0:VPN_IKEv2:3: responder received EAP msg

ike 0:VPN_IKEv2:3: send EAP message to FNBAM

ike 0:VPN_IKEv2: EAP 197822582 pending

[2298] handle_req-Rcvd chal rsp for req 197822582

[343] fnbamd_create_radius_socket-Opened radius socket 14

[343] fnbamd_create_radius_socket-Opened radius socket 15

[1391] fnbamd_radius_auth_send-Compose RADIUS request

fnbamd_dbg_hex_pnt[48] EAP msg from client (6)-02 05 00 06 1A 04

RADIUS SRV: Received 152 bytes from 127.0.0.1:12111

[1211] send_radius_challenge_rsp-Timer of rad 'eap_proxy' is added

 01 08 00 98 84 68 f2 08 e8 96 c9 3e 17 ee 09 08 8f 53 7c 5e 20 0b 46 47 31 30 30 45 2d 30 31 18

 06 00 00 00 02 01 0a 74 65 73 74 75 73 65 72 4f 08 02 05 00 06 1a 04 08 06 0a 0f 01 3e 05 06 00

 00 00 01 3d 06 00 00 00 05 1f 0c 31 30 2e 31 35 2e 31 2e 36 32 2c 0a 30 62 63 61 38 38 37 36 4d

 0b 76 70 6e 2d 69 6b 65 76 32 1a 0c 00 00 30 44 03 06 72 6f 6f 74 1a 10 00 00 30 44 01 0a 76 70

 6e 67 72 6f 75 70 50 12 9a d0 11 17 87 a0 17 e8 93 17 a3 a1 f8 61 28 a3

 

 

EAP: EAP entering state RECEIVED

EAP: parseEapResp: rxResp=1 respId=5 respMethod=26 respVendor=0 respVendorMethod=0

EAP: EAP entering state INTEGRITY_CHECK

EAP: EAP entering state METHOD_RESPONSE

EAP-MSCHAPV2: Received Failure Response - authentication failed       <--- EAP-MSCHAPV2 authentication failed.

EAP: EAP entering state SELECT_ACTION

EAP: getDecision: method failed -> FAILURE

EAP: EAP entering state FAILURE

EAP: Building EAP-Failure (id=5)

CTRL-EVENT-EAP-FAILURE 00:00:00:00:00:00

RADIUS SRV: EAP data from the state machine - hexdump(len=4):

 04 05 00 04

 

RADIUS SRV: Reply to 127.0.0.1:12111

RADIUS SRV: Removing completed session 0x2 after timeout

[1356] fnbamd_auth_handle_radius_result-Timer of rad 'eap_proxy' is deleted

[1799] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-04 05 00 04

[1382] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 1

[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 197822582, len=3056

[789] destroy_auth_session-delete session 197822582

ike 0:VPN_IKEv2:3 EAP 197822582 result 1

ike 0:VPN_IKEv2: EAP failed for user "testuser"     <-- EAP authentication for IKEv2 failed.

ike 0:VPN_IKEv2:3: responder preparing EAP pass through message

 

ike 0:VPN_IKEv2: connection expiring due to EAP failure              <-- IKEv2 failed due to the EAP authentication failure.

ike 0:VPN_IKEv2: deleting

ike 0:VPN_IKEv2: deleted

 

IKEv2 uses EAP, and an LDAP server without a TLS tunnel or support for the EAP challenge/response methods cannot validate the user, because it does not receive a 'key' (the password) in the expected format; it only receives a hash that cannot be compared with what it stores.

When an authentication test is run from the FortiGate, the authentication succeeds, because diagnose test authserver ldap <user> <password> sends the full username and password to the LDAP server using the simple bind method.

When the IKEv2 VPN connection is established with EAP, the FortiGate does not receive the password in clear text from the FortiClient. With EAP-MSCHAPv2 or EAP-TTLS, the FortiClient sends the information encrypted as the EAP method specifies.

It is not mandatory to use IKEv1 for the FortiGate to authenticate against LDAP in a remote-access IPsec VPN; it can use LDAP with EAP (IKEv2), but the FortiGate does not support a direct LDAP authentication method in IKEv2. LDAP authentication is done within EAP, using EAP-TTLS as the container.
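
To make the hex dumps in the debug above concrete, the following Python script (an added example, not Fortinet code) decodes the five EAP messages that fnbamd printed in the failing exchange (Identity Response, MS-CHAPv2 Challenge, MS-CHAPv2 Failure Request, the client's Failure Response and the final EAP-Failure) according to RFC 3748 and RFC 2759, and then matches the telltale fnbamd/eap_proxy lines from the same debug to produce a one-line verdict. The hex strings and log lines are copied from this page; the function names, the SIGNATURES table and the verdict text are this example's own.

```python
"""Decode the EAP / MS-CHAPv2 messages from the fnbamd and eap_proxy debug above.
Added example, not Fortinet code: hex strings and log lines are copied from this
page; field layouts follow RFC 3748 (EAP) and RFC 2759 (MS-CHAPv2)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 21: "EAP-TTLS", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAPV2_ERRORS = {  # "E=" codes of a Failure packet, RFC 2759 section 6
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}


def parse_hex_dump(text):
    """Turn fnbamd_dbg_hex_pnt style hex ('01 04 00 21 ...') into bytes."""
    return bytes(int(b, 16) for b in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))


def decode_mschapv2(data):
    """Decode the MS-CHAPv2 payload that follows the EAP type byte."""
    out = {"ms_opcode": MSCHAPV2_OPCODES.get(data[0], f"unknown({data[0]})")}
    if len(data) < 4:  # peer Success/Failure Response: op-code only, no header
        return out
    out["ms_id"] = data[1]
    body = data[4:int.from_bytes(data[2:4], "big")]
    if data[0] == 1:  # Challenge: Value-Size, Challenge, server Name
        size = body[0]
        out["challenge"] = body[1:1 + size].hex()
        out["server_name"] = body[1 + size:].decode("ascii", "replace")
    elif data[0] == 4:  # Failure Request: "E=eee R=r C=cccc V=v M=msg"
        fields = dict(re.findall(r"(\w)=(\S+)", body.decode("ascii", "replace")))
        out["error"] = int(fields.get("E", "0"))
        out["error_name"] = MSCHAPV2_ERRORS.get(out["error"], "unknown")
        out["retry_allowed"] = fields.get("R") == "1"
        out["message"] = fields.get("M", "")
    return out


def decode_eap(pkt):
    """Decode one EAP packet: 4-byte header, then type and type-specific data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length > len(pkt):
        raise ValueError(f"EAP length {length} exceeds the {len(pkt)} bytes captured")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):  # Success/Failure carry no type or data
        return info
    eap_type = pkt[4]
    info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    data = pkt[5:length]
    if eap_type == 1:
        info["identity"] = data.decode("ascii", "replace")
    elif eap_type == 26:
        info.update(decode_mschapv2(data))
    return info


# The dumps fnbamd printed in the failing exchange on this page, in order
PAGE_EXCHANGE = [
    "02 03 00 0D 01 74 65 73 74 75 73 65 72",                          # client: Identity
    "01 04 00 21 1A 01 04 00 1C 10 E6 EF 53 9F 90 2F F3 E0 A0 C0 "
    "21 2D 98 BF FB 61 68 6F 73 74 61 70 64",                           # server: Challenge
    "01 05 00 42 1A 04 04 00 3D 45 3D 36 39 31 20 52 3D 30 20 43 3D "  # "E=691 R=0 C="
    "30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 "                 # 16 x '0'
    "30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 "                 # 16 x '0'
    "20 56 3D 33 20 4D 3D 46 41 49 4C 45 44",                          # " V=3 M=FAILED"
    "02 05 00 06 1A 04",                                               # client: Failure Response
    "04 05 00 04",                                                     # server: EAP-Failure
]


def decode_page_exchange():
    return [decode_eap(parse_hex_dump(h)) for h in PAGE_EXCHANGE]


# Telltale lines from the fnbamd / eap_proxy debug on this page
SIGNATURES = {
    "no_radius": "Didn't find radius servers",
    "ldap_group": "Loaded LDAP server",
    "bad_nt_response": "EAP-MSCHAPV2: Invalid NT-Response",
    "eap_failed": "EAP failed for user",
}


def diagnose(debug_text):
    """Return a one-line verdict for a captured fnbamd/eap_proxy debug."""
    seen = {name for name, needle in SIGNATURES.items() if needle in debug_text}
    if {"ldap_group", "bad_nt_response"} <= seen:
        return ("MS-CHAPv2 challenge answered against an LDAP-only user group: LDAP "
                "cannot verify an NT-Response; use a RADIUS group or switch to EAP-TTLS")
    if "eap_failed" in seen:
        return "EAP failed for another reason; check the EAP method and server result"
    return "no EAP failure signature found"


# Constructed sample: the four decisive lines from the debug on this page
SAMPLE_DEBUG = """\
[380] radius_start-Didn't find radius servers (0)
[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap' for usergroup 'vpngroup' (2)
EAP-MSCHAPV2: Invalid NT-Response
ike 0:VPN_IKEv2: EAP failed for user "testuser"
"""
```

Run it with `python3 -c "import eapdecode; print(*eapdecode.decode_page_exchange(), eapdecode.diagnose(eapdecode.SAMPLE_DEBUG), sep='\n')"` (file name assumed) to see the Challenge carry the server name hostapd and the Failure Request carry E=691 with R=0 (no retry), which is the state the FortiGate reaches because nothing behind it can verify the NT-Response.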

 

LDAP-based user authentication only works with XAUTH and only supports IPsec IKEv1 by design.

If it is required to use IKEv2, there are two options:

  1. Migrate to use RADIUS-based user authentication with EAP;
  2. Use EAP-TTLS to support LDAP user authentication.

 

For an explanation of EAP-TTLS, see EAP-TTLS support for IPsec VPN.

Reference article for configuring IKEv2 with LDAP using EAP-TTLS:

Technical Tip: IKEv2 dial up VPN with LDAP authentication

 

To implement EAP-TTLS, there are some requirements:

  • FortiClient version 7.4.3 and later;
  • FortiClient EMS v7.4;
  • IKEv2 tunnel (works with IKEv2 over UDP or TCP).

 

To enable EAP-TTLS in FortiClient (see EAP-TTLS support for IPsec VPN 7.4.3), add <eap_method>2</eap_method> to the XML configuration of the IPsec tunnel on FortiClient EMS.

To add this in the free version of FortiClient, take a backup of the configuration, then open it in a text editor, search for the tunnel name and add the same <eap_method>2</eap_method> under the tunnel's <ike_settings> element in the XML configuration. After that, restore the edited backup configuration on FortiClient. Once the backup is restored, the presence of the setting can be confirmed in the registry under:

\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPSec\Tunnels\[tunnel name]\P1
eap_method (0x00000002)
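
For the free FortiClient case above, the edit to the exported backup can be scripted instead of done by hand. The following Python script is an added example, not FortiClient or Fortinet code: only <ike_settings> and <eap_method>2</eap_method> come from this page; the surrounding element names in the constructed sample backup (<forticlient_configuration>/<vpn>/<ipsec>/<connections>/<connection>/<name>) and the function names are assumptions, so match the lookup to the element names found in a real backup. The script locates one tunnel by name, inserts the element exactly once (re-running it does not create a duplicate), leaves other tunnels untouched, and reads the value back so the change can be verified before restoring.

```python
"""Insert <eap_method>2</eap_method> under a tunnel's <ike_settings> in a FortiClient XML backup.
Added example, not FortiClient or Fortinet code. Only <ike_settings> and <eap_method>2</eap_method>
come from this page; the surrounding element names are an assumption to check against a real export."""
import xml.etree.ElementTree as ET

EAP_METHOD_TTLS = "2"  # value this page says enables EAP-TTLS in FortiClient

# Constructed sample backup (assumed structure; element names may differ in a real export)
SAMPLE_BACKUP = """<forticlient_configuration>
  <vpn>
    <ipsec>
      <connections>
        <connection>
          <name>HQ-IKEv2</name>
          <ike_settings><version>2</version></ike_settings>
        </connection>
        <connection>
          <name>Branch-IKEv1</name>
          <ike_settings><version>1</version></ike_settings>
        </connection>
      </connections>
    </ipsec>
  </vpn>
</forticlient_configuration>
"""


def _find_tunnel(root, tunnel_name):
    """Locate the <connection> whose <name> matches; fail on zero or several matches."""
    matches = [c for c in root.iter("connection")
               if (c.findtext("name") or "").strip() == tunnel_name]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one tunnel named {tunnel_name!r}, found {len(matches)}")
    return matches[0]


def set_eap_method(xml_text, tunnel_name, value=EAP_METHOD_TTLS):
    """Return the backup with <eap_method> set on one tunnel; idempotent, other tunnels untouched."""
    root = ET.fromstring(xml_text)
    ike = _find_tunnel(root, tunnel_name).find("ike_settings")
    if ike is None:
        raise ValueError(f"tunnel {tunnel_name!r} has no <ike_settings> element")
    eap = ike.find("eap_method")
    if eap is None:  # add the element once, never a duplicate
        eap = ET.SubElement(ike, "eap_method")
    eap.text = value
    return ET.tostring(root, encoding="unicode")


def eap_method_of(xml_text, tunnel_name):
    """Read the value back, or None when the element is absent."""
    ike = _find_tunnel(ET.fromstring(xml_text), tunnel_name).find("ike_settings")
    return None if ike is None else ike.findtext("eap_method")


if __name__ == "__main__":
    edited = set_eap_method(SAMPLE_BACKUP, "HQ-IKEv2")
    print(eap_method_of(edited, "HQ-IKEv2"), eap_method_of(edited, "Branch-IKEv1"))
```

After restoring the edited file, the registry value eap_method (0x00000002) shown above is the confirmation on the client side.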

 

The IKE debug output will look similar, but now the FortiGate acts as the EAP server and receives the password from the client.

 

EAP: EAP entering state INITIALIZE
EAP: parseEapResp: rxResp=1 respId=224 respMethod=1 respVendor=0 respVendorMethod=0
CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00
EAP: EAP entering state PICK_UP_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD method=1
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=7):
        74 6f 62 69 61 73 32         tobias2

EAP: EAP entering state SELECT_ACTION
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 26
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=26
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 225
EAP-MSCHAPV2: Challenge - hexdump(len=16):
         11 0d ca 13 18 07 7b b7 1c 08 e0 ce 78 d7 80 18

EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
RADIUS SRV: EAP data from the state machine - hexdump(len=33):

...

RADIUS SRV: Reply to 127.0.0.1:12684
__rad_rxtx-fd 10, state 2(Challenged)
__rad_rxtx-Stop rad conn timer.
__rad_rxtx-
__rad_udp_recv-Recved 687 bytes. Buf sz 8192
__rad_chk_resp_authenticator-The Message Authenticator validation is optional now
__rad_chk_resp_authenticator-ret=0
fnbamd_rad_validate_pkt-RADIUS resp code 11
__rad_rxtx-
fnbamd_rad_process-Result from radius svr 'EAP_PROXY' is 2, req 8856314929173 <----- RADIUS challenge.
...

 

fnbamd_comm_send_result-Sending result 2 (nid 0) for req 8856314929173, len=7325
ike V=root:0:FCT-VPN-TEST:14 EAP 8856314929173 result FNBAM_CHALLENGED
ike V=root:0:FCT-VPN-TEST: EAP challenged for user "tobias2"
ike V=root:0:FCT-VPN-TEST:14: responder preparing EAP pass through message

...

 

EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=230 respMethod=21 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=99) - Flags 0x00       <----- SSL will be used, meaning EAP-TTLS is used.
SSL: Received packet: Flags 0x0 Message Length 0
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write server done
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read client key exchange
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read change cipher spec
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read finished
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write session ticket
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write change cipher spec
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write finished
SSL: (where=0x20 ret=0x1)
SSL: (where=0x2002 ret=0x1)
SSL: 242 bytes pending from ssl_out
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 231
EAP-TTLS: Phase1 done, starting Phase2
EAP-TTLS: PHASE1 -> PHASE2_START       <----- Phase 1 is done, starting Phase 2.
SSL: Generating Request
SSL: Sending out 242 bytes (message sent completely)
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
RADIUS SRV: EAP data from the state machine - hexdump(len=248):

...

 

EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=231 respMethod=21 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=75) - Flags 0x00
SSL: Received packet: Flags 0x0 Message Length 0
EAP-TTLS: received 69 bytes encrypted data for Phase 2
EAP-TTLS: Decrypted Phase 2 EAP - hexdump(len=40):[REMOVED]
EAP-TTLS: AVP: code=1 flags=0x40 length=15
EAP-TTLS: AVP data - hexdump(len=7):
        74 6f 62 69 61 73 32

EAP-TTLS: User-Name - hexdump_ascii(len=7):
        74 6f 62 69 61 73 32         tobias2
EAP-TTLS: AVP: code=2 flags=0x40 length=24
EAP-TTLS: AVP data - hexdump(len=16):
        66 6f 72 74 69 6e 65 74 00 00 00 00 00 00 00 00

EAP-TTLS: User-Password (PAP) - hexdump_ascii(len=8): [REMOVED]  <----- PAP is used to exchange the password.
eap_comm_session_add 782 -- comm session added, ses_id=20

...

 

handle_req-Rcvd auth req 8946509242382 for tobias2 in opt=00000000 prot=0 svc=9
__compose_group_list_from_req-Group 'ipsec-vpn-LDAP', type 1
fnbamd_saml_auth_cache_lookup-Authneticating 'tobias2'.
create_auth_session-Session created for req id 8946509242382
auth_local-started for tobias2

...
 

ike V=root:0:FCT-VPN-TEST:14 EAP 8856314929173 result FNBAM_SUCCESS
ike V=root:0:FCT-VPN-TEST: EAP succeeded for user "tobias2" group "ipsec-vpn-LDAP" 2FA=no  <----- User authenticated correctly.
ike V=root:0:FCT-VPN-TEST:14: responder preparing EAP pass through message
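
Phase 2 of EAP-TTLS carries the credentials as Diameter-style AVPs inside the TLS tunnel (RFC 5281, section 10), which is why the FortiGate, as the EAP-TTLS server, ends up holding a clear-text password it can use for the LDAP simple bind. The following Python script is an added example, not FortiClient or FortiGate code: it rebuilds the two AVPs the debug above printed (code=1 User-Name, length=15; code=2 User-Password, length=24) from the data bytes on this page, parses them back with a general AVP walker (vendor flag, mandatory flag, 4-octet padding), and strips the null padding from the PAP password. build_avp, parse_avps and pap_credentials are names chosen here; the vendor-specific round trip uses 12356, the Fortinet vendor id that also appears (as 0x3044) in the RADIUS hex on this page.

```python
"""Parse the EAP-TTLS Phase 2 AVPs printed in the debug above (RFC 5281, section 10).
Added example, not Fortinet code. The AVP data bytes are the ones the debug printed;
the AVP headers are rebuilt from its 'code=.. flags=.. length=..' lines."""
import struct

AVP_FLAG_VENDOR = 0x80     # V bit: a 4-byte Vendor-Id follows the header
AVP_FLAG_MANDATORY = 0x40  # M bit: the receiver must understand the AVP or fail
AVP_NAMES = {1: "User-Name", 2: "User-Password"}  # RADIUS attribute numbers reused as codes


def build_avp(code, data, vendor_id=None, mandatory=True):
    """Encode one AVP: code(4) flags(1) length(3) [vendor_id(4)] data, padded to 4 octets.
    The length field covers header and data but not the padding."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    body = data
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        body = struct.pack("!I", vendor_id) + data
    length = 8 + len(body)
    avp = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big") + body
    return avp + b"\x00" * (-len(avp) % 4)


def parse_avps(buf):
    """Walk a decrypted Phase 2 payload and return one dict per AVP."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError(f"truncated AVP header at offset {off}")
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if length < 8 or off + length > len(buf):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        data_off, vendor_id = off + 8, None
        if flags & AVP_FLAG_VENDOR:
            if length < 12:
                raise ValueError(f"vendor AVP too short at offset {off}")
            vendor_id = struct.unpack_from("!I", buf, data_off)[0]
            data_off += 4
        name = (AVP_NAMES.get(code, f"code-{code}") if vendor_id is None
                else f"vendor-{vendor_id}/{code}")
        avps.append({"code": code, "name": name, "vendor_id": vendor_id, "length": length,
                     "mandatory": bool(flags & AVP_FLAG_MANDATORY),
                     "data": bytes(buf[data_off:off + length])})
        off += length + (-length % 4)  # step over the padding as well
    return avps


def pap_credentials(avps):
    """Return (user, password) from an EAP-TTLS/PAP Phase 2. User-Password is
    null-padded to a multiple of 16 octets (RFC 5281, section 11.2.5), which is why
    the debug shows length=24 for an 8-character password; strip that padding."""
    by_code = {a["code"]: a["data"] for a in avps if a["vendor_id"] is None}
    if 1 not in by_code or 2 not in by_code:
        raise ValueError("EAP-TTLS/PAP needs both a User-Name and a User-Password AVP")
    return by_code[1].decode("utf-8"), by_code[2].rstrip(b"\x00").decode("utf-8")


# Data bytes as printed on this page (lab credentials from the debug, not real ones)
USER_NAME_DATA = bytes.fromhex("74 6f 62 69 61 73 32")
USER_PASSWORD_DATA = bytes.fromhex("66 6f 72 74 69 6e 65 74 00 00 00 00 00 00 00 00")

# Rebuilt Phase 2 payload: 16 (15 + 1 pad) + 24 octets = the len=40 the debug reported
PAGE_PHASE2 = build_avp(1, USER_NAME_DATA) + build_avp(2, USER_PASSWORD_DATA)


def page_phase2_summary():
    """Parse the rebuilt payload and report what the EAP-TTLS server learns from it."""
    avps = parse_avps(PAGE_PHASE2)
    user, password = pap_credentials(avps)
    return {"total_len": len(PAGE_PHASE2),
            "avps": [(a["name"], a["length"], a["mandatory"]) for a in avps],
            "user": user, "password_len": len(password)}


if __name__ == "__main__":
    print(page_phase2_summary())
```

The total of 40 octets matches the "Decrypted Phase 2 EAP - hexdump(len=40)" line in the debug, and the recovered username and password are exactly what the simple bind in diagnose test authserver ldap sends, which is why the LDAP server can now validate the user where the MS-CHAPv2 hash could not be checked.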

 

Related documents: