aahmadbasri
Staff
Article Id 407272
Description

This article describes support for Multi-Factor Authentication on Windows FortiClient with LDAP authentication (EAP-TTLS) over an IKEv2 IPsec dial-up connection.

 

Scope

FortiGate, FortiClient v7.4.3 and v7.4.4.

 

Solution

IPsec IKEv2 on FortiGate can be configured by referring to Technical Tip: How to configure IPsec VPN Tunnel using IKE v2.

For LDAP authentication, EAP-TTLS is the required EAP method. EAP-TTLS is now supported on FortiClient v7.4.3: FortiClient 7.4.3 New Feature (EAP-TTLS support for IPsec VPN).

Note: For the free version of FortiClient (FortiClient VPN), EAP-TTLS can only be enabled by modifying the XML configuration file and restoring it: Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient.

EAP-TTLS provides flexibility by allowing integration with directory services like LDAP without requiring client-side certificates. Only the server certificate is needed, simplifying certificate management while still maintaining a strong level of security. With LDAP and EAP-TTLS authentication, FortiToken (MFA) is supported on FortiClient v7.4.4 (FortiClient EMS license required), and FortiOS starting from v7.4.9 and v7.6.1.

Note: At the time of this writing (October 2025), there is no v7.4.4 for FortiClient VPN, which means the free version of FortiClient does not support IKEv2 Dialup IPsec tunnels with LDAP and FortiToken MFA: FortiClient 7.4.4 Special notices.

Using a FortiAuthenticator, FortiTokens may be used as a second factor with earlier versions of FortiClient and FortiGate as well. In particular:

  • FortiAuthenticator acts as a RADIUS server to FortiGate, and is set up to verify user credentials against LDAP in the background
  • FortiClient is set up to use EAP-TTLS to send user credentials; this is necessary for FortiAuthenticator to receive the credentials in cleartext (inside the TLS tunnel) and verify them against the LDAP server.

The token code may be entered in the password field together with the password, for example 'password123456'. More information on this may be found here: Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using ...

 

The following debug commands can be run to check on this issue:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 <remote address>
diagnose vpn ike log filter loc-addr4 <local address>
diagnose debug application ftm-push -1
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

The output of the debug commands above is shown below:

2025-08-06 15:34:12 [582] __group_match-Add matched group 'FTKUserGroup'(6)
2025-08-06 15:34:12 [2563] fnbamd_ldap_result-Passed group matching
2025-08-06 15:34:12 [913] update_auth_token_session-Token is needed
2025-08-06 15:34:12 [923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
2025-08-06 15:34:12 1754465652.744804: 2025-08-06 15:34:12 EAP-TTLS/PAP: Correct user password
2025-08-06 15:34:12 [631] fnbam_user_auth_group_match-req id: 8968076009504, server: EAP_PROXY, local auth: 0, dn match: 0
2025-08-06 15:34:12 [579] __group_match-Group 'FTKUserGroup' passed group matching
2025-08-06 15:34:12 [582] __group_match-Add matched group 'FTKUserGroup'(6)
2025-08-06 15:34:12.871897 ike V=root:0:RA_ike2:152 EAP 8968076009504 result FNBAM_SUCCESS
2025-08-06 15:34:12.872918 ike V=root:0:RA_ike2: EAP succeeded for user "ldapuser1" group "FTKUserGroup" 2FA=no    --> 2FA=no

On the client side, the user can log in without a token prompt. Local and remote users with MFA work without issue on both Linux and Windows FortiClient.
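As an added example (not part of the original article), the following Python script summarizes a capture of the fnbamd/ike debug output shown above and flags a session in which fnbamd reported 'Token is needed' but the ike daemon completed EAP with 2FA=no. The sample input is constructed from the lines above; the function names and the summary fields are my own.

```python
import re

# Constructed sample, modelled on the fnbamd/ike debug lines shown in the article (not a live capture).
SAMPLE_DEBUG = """\
2025-08-06 15:34:12 [582] __group_match-Add matched group 'FTKUserGroup'(6)
2025-08-06 15:34:12 [2563] fnbamd_ldap_result-Passed group matching
2025-08-06 15:34:12 [913] update_auth_token_session-Token is needed
2025-08-06 15:34:12 [923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
2025-08-06 15:34:12 1754465652.744804: 2025-08-06 15:34:12 EAP-TTLS/PAP: Correct user password
2025-08-06 15:34:12.871897 ike V=root:0:RA_ike2:152 EAP 8968076009504 result FNBAM_SUCCESS
2025-08-06 15:34:12.872918 ike V=root:0:RA_ike2: EAP succeeded for user "ldapuser1" group "FTKUserGroup" 2FA=no
"""

GROUP_RE = re.compile(r"__group_match-Add matched group '([^']+)'")
RESULT_RE = re.compile(r"EAP \d+ result (\w+)")
EAP_RE = re.compile(r'EAP succeeded for user "([^"]+)" group "([^"]+)" 2FA=(yes|no)')


def summarize_ike_eap_debug(text):
    """Collapse one EAP-TTLS dial-up attempt from the debug capture into a small summary dict."""
    summary = {"groups": [], "token_needed": False, "password_ok": False,
               "eap_result": None, "user": None, "two_fa": None}
    for line in text.splitlines():
        m = GROUP_RE.search(line)
        if m and m.group(1) not in summary["groups"]:
            summary["groups"].append(m.group(1))          # fnbamd group matching
        if "Token is needed" in line:
            summary["token_needed"] = True                  # fnbamd decided a FortiToken is required
        if "Correct user password" in line:
            summary["password_ok"] = True                   # inner EAP-TTLS/PAP password check
        m = RESULT_RE.search(line)
        if m:
            summary["eap_result"] = m.group(1)              # e.g. FNBAM_SUCCESS
        m = EAP_RE.search(line)
        if m:
            summary["user"] = m.group(1)
            summary["two_fa"] = (m.group(3) == "yes")       # final 2FA flag reported by ike
    return summary


def mfa_not_enforced(summary):
    """True when a token was required but EAP still succeeded with 2FA=no, i.e. the user got no token prompt."""
    return (summary["token_needed"]
            and summary["eap_result"] == "FNBAM_SUCCESS"
            and summary["two_fa"] is False)


if __name__ == "__main__":
    s = summarize_ike_eap_debug(SAMPLE_DEBUG)
    print(s, "MFA not enforced:", mfa_not_enforced(s))
```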

 

Note: Push notification works properly with local LDAP servers, but is under investigation for remote LDAP servers (such as 'Duo Proxy LDAP application', 'FortiIdentity', etc.) under known issues #1218530 and #1213238.