aahmadbasri
Staff
Article Id 407272
Description


This article describes the support of Multi-Factor Authentication on Windows FortiClient with LDAP (EAP-TTLS) on IKEv2 IPSec dial-up connection.


Scope


FortiGate, FortiClient v7.4.3 and v7.4.4.


Solution


EAP methods:


FortiGate IKEv2 dialup user authentication is done using EAP methods. FortiClient supports two principal EAP methods:

For authenticating users stored on LDAP servers, FortiClient must use EAP-TTLS. This restriction holds whether FortiGate authenticates the user against an LDAP server directly, or indirectly against an external RADIUS proxy.


EAP-TTLS is configured using the 'EAP Authentication Method' GUI option in FortiClient EMS v7.4.4 and later. For the free version of FortiClient (FortiClient VPN), EAP-TTLS can only be enabled by modifying and restoring the XML configuration file, see Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient.


If FortiAuthenticator is used as a RADIUS proxy, the EAP-TTLS authentication passes through FortiGate to terminate on the FortiAuthenticator, see Technical Tip: FortiOS IKEv2 EAP user authentication operation. When no external RADIUS server is configured, the EAP-TTLS authentication terminates on the FortiGate.


When FortiAuthenticator terminates EAP-TTLS, the CA certificate that signed FortiAuthenticator's EAP service certificate must be present in the client device's system (machine) certificate store; the user certificate store is not sufficient. If the CA certificate is not present on the client, an error like the following is visible in the FortiAuthenticator debug log:


FortiAuthenticator radiusd[2154]: (8) eap_ttls: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA.
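The following PowerShell check is an added example, not part of this article or of any Fortinet tool: it looks for the CA certificate in the Windows machine root and intermediate stores (the stores EAP-TTLS validation relies on) and reports when the CA is only present in the per-user store, which produces the error above. The CA subject pattern is an assumed placeholder; replace it with the subject of the CA that signed the FortiAuthenticator EAP certificate.

```powershell
# Added example (not from the article): verify the CA that signed
# FortiAuthenticator's EAP service certificate is in the machine store.
param(
    # Assumed placeholder; replace with your CA's subject (or part of it).
    [string]$CaSubjectPattern = 'CN=EXAMPLE-INTERNAL-CA'
)

function Find-CaInStore {
    param([string]$StorePath, [string]$Pattern)
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$Pattern*" }
}

# Machine-wide stores: root CAs and intermediate CAs. EAP-TTLS on the
# client validates the server chain against these, not the user's stores.
$machine = @(Find-CaInStore -StorePath 'Cert:\LocalMachine\Root' -Pattern $CaSubjectPattern) +
           @(Find-CaInStore -StorePath 'Cert:\LocalMachine\CA'   -Pattern $CaSubjectPattern)

# Per-user stores: a CA that is only here does NOT satisfy the check.
$user = @(Find-CaInStore -StorePath 'Cert:\CurrentUser\Root' -Pattern $CaSubjectPattern) +
        @(Find-CaInStore -StorePath 'Cert:\CurrentUser\CA'   -Pattern $CaSubjectPattern)

if ($machine.Count -gt 0) {
    foreach ($c in $machine) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        Write-Output ('OK: {0} found in {1} (thumbprint {2}, {3}, expires {4:yyyy-MM-dd})' -f
            $c.Subject, $c.PSParentPath, $c.Thumbprint, $state, $c.NotAfter)
    }
} elseif ($user.Count -gt 0) {
    Write-Warning 'CA is only in the CurrentUser store; EAP-TTLS needs it in LocalMachine.'
    Write-Output 'Import it from an elevated shell, for example:'
    Write-Output '  Import-Certificate -FilePath C:\path\to\ca.cer -CertStoreLocation Cert:\LocalMachine\Root'
} else {
    Write-Warning 'CA not found in any store; expect the "does not recognize the CA" error on FortiAuthenticator.'
}
```

Run it in an elevated PowerShell on the client so the LocalMachine stores are readable; the Import-Certificate path shown is a placeholder for wherever the exported CA file is kept.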


Multi-factor Authentication for LDAP users:


Token prompt is supported for EAP-TTLS users on FortiClient Windows v7.4.4 (FortiClient EMS license required) and FortiOS starting from v7.4.9 and v7.6.1.

Note: At the time of this writing (October 2025), there is no v7.4.4 for FortiClient VPN, which means the free version of FortiClient does not support FortiToken MFA for LDAP users with IKEv2 Dialup IPsec tunnels: FortiClient 7.4.4 Special notices.


FortiAuthenticator does not support the token prompt when EAP-TTLS is used; however, appending the token code to the user's password can be used as a workaround, see Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using ....


Token prompt works for LDAP users assigned a token on FortiGate, but it is still under investigation for tokens assigned on remote servers such as the 'Duo Proxy LDAP application' and 'FortiIdentity Cloud' (known issues #1218530 and #1213238).


Related Article:

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2