FortiGate
aahmadbasri
Staff
Article Id 407272
Description

This article describes Multi-Factor Authentication (MFA) support for Windows FortiClient users who authenticate against LDAP (EAP-TTLS) over an IKEv2 IPsec dial-up connection.

 

Scope

 

FortiGate v7.4.9 and later, FortiClient Windows v7.4.4.

 

Solution

 

Required Firmware Versions:
EAP-TTLS MFA support requires the following minimum firmware versions:

  • FortiOS v7.4.9, v7.6.1.
  • FortiClient Windows v7.4.4. Note that the free VPN-only version of FortiClient Windows does not have a v7.4.4 release; see: Special notices

EAP-TTLS is configured using the 'EAP Authentication Method' GUI option in FortiClient EMS v7.4.4 and later. FortiClient Windows v7.4.3 does support EAP-TTLS through XML configuration, but it does not support combining EAP-TTLS with MFA.

 

EAP methods:

FortiGate authenticates IKEv2 dial-up users with EAP methods negotiated with FortiClient. Active Directory users authenticating to a FortiOS IKEv2 dial-up VPN use one of the following options:

 

When no external RADIUS server is configured, the EAP-TTLS authentication terminates on the FortiGate. If FortiAuthenticator is used as a RADIUS proxy, the EAP-TTLS authentication passes through the FortiGate and terminates on the FortiAuthenticator; see Technical Tip: FortiOS IKEv2 EAP user authentication operation.

 

When FortiAuthenticator terminates EAP-TTLS, the CA certificate that signed FortiAuthenticator's EAP service certificate must be present in the client device's system (local machine) certificate store; the user certificate store is not sufficient. If the CA certificate is not present on the client, an error like the following is visible in the FortiAuthenticator debug log:

 

FortiAuthenticator radiusd[2154]: (8) eap_ttls: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA.

 

FortiToken assigned to FortiGate:

 

FortiToken Mobile OTP code prompt and push notification are supported for individual FortiGate users with the 'Remote LDAP' User Type and an assigned FortiToken; see Users.

 

FortiToken assigned on FortiAuthenticator:

 

FortiAuthenticator does not support a token prompt when FortiClient is using EAP-TTLS. However, appending the token code to the user's password can be used as a workaround; see Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using ...

 

If FortiTokens are assigned to Active Directory users in FortiAuthenticator, it is recommended to enable EAP-MSCHAPv2 on FortiClient and enable 'Windows Active Directory Domain Authentication' on FortiAuthenticator. See: Remote authentication servers.

 

FortiToken assigned on FortiIdentity Cloud:

 

At the time of this writing (December 2025), FortiOS does not support FortiIdentity Cloud MFA for LDAP users authenticating as part of a firewall user group. For an example of this user type, see FortiOS v7.0 New Features Guide. This is tracked as issue ID# 1213238.


As a workaround, define the users individually on FortiGate with a matching remote LDAP server and two-factor 'fortitoken-cloud':

config user local
    edit <username>
        set type ldap
        set two-factor fortitoken-cloud
        set ldap-server <LDAP server>
    next
end
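A fuller worked example of this workaround, added here and not part of the original article: it defines the remote LDAP server the users are verified against, two individually defined LDAP-type local users with 'fortitoken-cloud' two-factor, a user group holding only those users, and the EAP-related settings of an IKEv2 dial-up phase1 that authenticates that group. The server address, bind credentials, pre-shared key, address pool and all object names are assumed placeholders; the matching phase2 selector, firewall policy and FortiToken Cloud user activation are assumed to already exist.

```fortios
# Added example (not from the original article). Names, addresses,
# credentials and the IP pool are assumed placeholders.

# Remote LDAP server that each individually defined user is checked against.
config user ldap
    edit "ad-ldap"
        set server "10.0.0.10"                        # assumed AD domain controller
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-ldap,cn=Users,dc=example,dc=local"
        set password "<bind password>"
    next
end

# Workaround: each LDAP user is defined on the FortiGate by name so that
# FortiToken Cloud two-factor can be attached to that user. Users who are
# only matched through a remote LDAP group cannot use FortiIdentity Cloud
# MFA (issue ID# 1213238 referenced above).
config user local
    edit "alice"
        set type ldap
        set two-factor fortitoken-cloud
        set ldap-server "ad-ldap"
    next
    edit "bob"
        set type ldap
        set two-factor fortitoken-cloud
        set ldap-server "ad-ldap"
    next
end

# Group that contains only the individually defined users; the dial-up
# tunnel authorises this group rather than a remote LDAP group.
config user group
    edit "vpn-mfa-users"
        set member "alice" "bob"
    next
end

# EAP-related settings of the IKEv2 dial-up phase1. The tunnel name,
# outgoing interface, pre-shared key and address pool are assumed values.
config vpn ipsec phase1-interface
    edit "ike2-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.50
        set ipv4-netmask 255.255.255.0
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn-mfa-users"
        set psksecret "<pre-shared key>"
    next
end
```

Every user who needs MFA through this path must appear in 'config user local' with 'set type ldap'; a user who exists only in Active Directory and is matched through a remote LDAP group in 'config user group' is still authenticated, but without the FortiToken Cloud prompt.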


Third-party MFA:

 

Third-party MFA support depends on the remote server type. FortiGate can support MFA with remote RADIUS authentication servers if the 'config user radius' timeout allows enough time to complete the MFA step and no token prompt is required on the FortiClient.

 

config system global
    set remoteauthtimeout <seconds>
end

config user radius
    edit <server name>
        set timeout <seconds>
    next
end

 

At the time of this writing (December 2025), FortiOS does not support extending the IKEv2 authentication timeout for remote LDAP servers performing MFA.
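The timeout sizing described above, shown as an added example that is not part of the original article: the first pair of blocks keeps short timers that leave a push-approval MFA flow no time to complete, the second pair raises both the global remote authentication timeout and the per-server RADIUS timeout. The server address, shared secret, object name and the specific second values are assumed placeholders chosen to illustrate the sizing, not values from the article.

```fortios
# Added example (not from the original article). Server address, secret and
# timer values are assumed placeholders.

# Weak setting: short timers. A RADIUS server that waits for a push approval
# cannot answer within these windows, so the FortiGate abandons the IKEv2
# EAP exchange before the user has approved the request.
config system global
    set remoteauthtimeout 5
end
config user radius
    edit "mfa-radius"
        set server "10.0.0.20"
        set secret "<shared secret>"
        set timeout 5
    next
end

# Corrected setting: both timers raised so the RADIUS server has time to
# return Access-Accept after the user approves the push. The per-server
# timeout and the global remoteauthtimeout must both cover the MFA step.
config system global
    set remoteauthtimeout 60
end
config user radius
    edit "mfa-radius"
        set server "10.0.0.20"
        set secret "<shared secret>"
        set timeout 60
    next
end
```

Size the two timers to the MFA provider's own approval window rather than an arbitrary value; whichever of the two expires first ends the authentication attempt, so raising only one of them has no effect. This applies to remote RADIUS servers only; the article notes that the equivalent extension is not available for remote LDAP servers performing MFA.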

 

Related Article:

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2