FortiGate
aahmadbasri
Staff
Article Id 407272
Description

This article describes whether multi-factor authentication (FortiToken) is supported for LDAP users authenticating with EAP-TTLS on an IKEv2 IPsec dial-up VPN from Windows FortiClient, and how to confirm the behaviour from the FortiGate debug output.

Scope

FortiGate, FortiClient v7.4.3.

 

Solution

Configuring an IPsec IKEv2 dial-up tunnel on FortiGate is covered in this KB article: Technical Tip: How to configure IPsec VPN Tunnel using IKE v2

When the dial-up users are authenticated against an LDAP server, the EAP method must be EAP-TTLS: FortiGate binds to the LDAP server with the user's password, so the password has to arrive in a form it can forward, and EAP-TTLS carries it as PAP inside the TLS tunnel (the "EAP-TTLS/PAP" lines in the debug output below). EAP-TTLS for IPsec VPN is supported on FortiClient from v7.4.3: FortiClient 7.4.3 New Feature (EAP-TTLS support for IPsec VPN)

The free FortiClient version does not support EAP-TTLS. FortiClient must be managed by FortiClient EMS for EAP-TTLS to be enabled, see
LDAP-based user authentication | FortiGate / FortiOS 7.6.0 | Fortinet Document Library.

EAP-TTLS allows integration with directory services such as LDAP without client-side certificates: only the server certificate is needed, which simplifies certificate management. Because the user's password travels as PAP inside the TLS tunnel, the strength of the exchange rests on the client validating the FortiGate's server certificate; a client that accepts an unverified certificate would hand its LDAP password to whoever terminates the tunnel. However, as of now, FortiToken (MFA) is not supported on Windows FortiClient for LDAP users with EAP-TTLS. This is a silent downgrade rather than a failure: the user still belongs to the group that requires a token, but authentication succeeds on the password alone and the user is never prompted.

 

The following debug can be run on the FortiGate to confirm this behaviour. Replace <remote address> with the client's public IP and <local address> with the FortiGate dial-up interface IP, then start the VPN connection from FortiClient:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 <remote address>
diagnose vpn ike log filter loc-addr4 <local address>
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

Once the connection attempt has been captured, turn the debug off again with diagnose debug disable followed by diagnose debug reset; ike and fnbamd at level -1 are noisy, and the fnbamd output contains usernames.

 

The relevant part of the debug output is shown below. fnbamd matches the LDAP user to 'FTKUserGroup', accepts the password over EAP-TTLS/PAP and records that a token is needed, but no token challenge is pushed to the client ("waiting for an auth_token request instead"). ike then reports the EAP exchange as successful with 2FA=no:

2025-08-06 15:34:12 [582] __group_match-Add matched group 'FTKUserGroup'(6)
2025-08-06 15:34:12 [2563] fnbamd_ldap_result-Passed group matching
2025-08-06 15:34:12 [913] update_auth_token_session-Token is needed
2025-08-06 15:34:12 [923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
2025-08-06 15:34:12 1754465652.744804: 2025-08-06 15:34:12 EAP-TTLS/PAP: Correct user password
2025-08-06 15:34:12 [631] fnbam_user_auth_group_match-req id: 8968076009504, server: EAP_PROXY, local auth: 0, dn match: 0
2025-08-06 15:34:12 [579] __group_match-Group 'FTKUserGroup' passed group matching
2025-08-06 15:34:12 [582] __group_match-Add matched group 'FTKUserGroup'(6)
2025-08-06 15:34:12.871897 ike V=root:0:RA_ike2:152 EAP 8968076009504 result FNBAM_SUCCESS
2025-08-06 15:34:12.872918 ike V=root:0:RA_ike2: EAP succeeded for user "ldapuser1" group "FTKUserGroup" 2FA=no    --> 2FA=no

 

On the client side, the user is connected with the LDAP password only and is never prompted for a token. A FortiGate local user with MFA (a FortiToken assigned to the local user) works without issue on both Linux and Windows FortiClient, and is the alternative confirmed to work for this tunnel type.
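As an added example (not part of the original article and not Fortinet tooling), the following Python script automates the check a practitioner would want after reading the debug output above: it reads saved ike/fnbamd debug text and flags every EAP login where fnbamd announced that a token was needed, or the user belongs to a group that is supposed to require one, yet ike completed the exchange with 2FA=no. The input is a constructed sample modelled on the lines above; the 2FA=yes line, the MFA_REQUIRED_GROUPS policy set and the extra users and groups (localuser1, vpnuser2, VPNUsers) are assumptions made for the example.

```python
"""Audit saved FortiGate ike/fnbamd debug output for MFA that was expected but not enforced.

Added example, not FortiGate code. The only facts taken from the article are the
shape of the 'Token is needed' and 'EAP succeeded ... 2FA=' debug lines.
"""
import re
from dataclasses import dataclass

# Hypothetical policy: groups whose members must present a FortiToken. In a real
# audit, derive this from the FortiGate user-group / two-factor configuration.
MFA_REQUIRED_GROUPS = {"FTKUserGroup"}

# Constructed sample debug output. Session 1 copies the article's lines; sessions
# 2 and 3 (localuser1 with 2FA=yes, vpnuser2 in a non-MFA group) are assumed
# variants added to show the other two verdicts.
SAMPLE_DEBUG = """\
2025-08-06 15:34:12 [582] __group_match-Add matched group 'FTKUserGroup'(6)
2025-08-06 15:34:12 [2563] fnbamd_ldap_result-Passed group matching
2025-08-06 15:34:12 [913] update_auth_token_session-Token is needed
2025-08-06 15:34:12 [923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
2025-08-06 15:34:12 1754465652.744804: 2025-08-06 15:34:12 EAP-TTLS/PAP: Correct user password
2025-08-06 15:34:12.871897 ike V=root:0:RA_ike2:152 EAP 8968076009504 result FNBAM_SUCCESS
2025-08-06 15:34:12.872918 ike V=root:0:RA_ike2: EAP succeeded for user "ldapuser1" group "FTKUserGroup" 2FA=no
2025-08-06 15:40:01.000000 ike V=root:0:RA_ike2: EAP succeeded for user "localuser1" group "FTKUserGroup" 2FA=yes
2025-08-06 15:41:30.000000 ike V=root:0:RA_ike2: EAP succeeded for user "vpnuser2" group "VPNUsers" 2FA=no
"""

TOKEN_NEEDED_RE = re.compile(r"update_auth_token_session-Token is needed")
EAP_RESULT_RE = re.compile(
    r'EAP succeeded for user "(?P<user>[^"]+)" group "(?P<group>[^"]+)" 2FA=(?P<two_fa>\w+)'
)


@dataclass
class Finding:
    user: str
    group: str
    two_fa: str         # the 2FA= value exactly as ike printed it
    token_needed: bool  # fnbamd said a token was required before this result
    verdict: str        # "ENFORCED", "BYPASSED" or "PASSWORD_ONLY"


def audit_eap_debug(text: str) -> list[Finding]:
    """Walk the debug output in order and classify every EAP success line.

    fnbamd prints 'Token is needed' before ike prints the EAP result for the same
    login, so the flag is carried forward and consumed by the next result line.
    """
    findings: list[Finding] = []
    token_needed = False
    for line in text.splitlines():
        if TOKEN_NEEDED_RE.search(line):
            token_needed = True
            continue
        m = EAP_RESULT_RE.search(line)
        if m is None:
            continue
        two_fa = m["two_fa"].lower()
        mfa_expected = token_needed or m["group"] in MFA_REQUIRED_GROUPS
        if two_fa != "no":
            verdict = "ENFORCED"        # ike confirms the second factor was used
        elif mfa_expected:
            verdict = "BYPASSED"        # a token was due but the login completed without it
        else:
            verdict = "PASSWORD_ONLY"   # single factor, and nothing said otherwise
        findings.append(Finding(m["user"], m["group"], two_fa, token_needed, verdict))
        token_needed = False            # the flag belongs to this login only
    return findings


def bypassed_users(text: str) -> list[str]:
    """Users who logged in with a password alone although MFA was expected."""
    return sorted({f.user for f in audit_eap_debug(text) if f.verdict == "BYPASSED"})


if __name__ == "__main__":
    for f in audit_eap_debug(SAMPLE_DEBUG):
        print(f"{f.user:<11} {f.group:<13} 2FA={f.two_fa:<4} "
              f"token_needed={str(f.token_needed):<5} -> {f.verdict}")
    print("MFA bypassed for:", ", ".join(bypassed_users(SAMPLE_DEBUG)) or "nobody")
```

Run it against a file captured with the debug commands above (the debug output pasted into a file and passed to audit_eap_debug) after a test login by each LDAP user group; any BYPASSED verdict means the tunnel accepted a password-only login for an account that the FortiGate itself had marked as needing a token. The flag is carried forward rather than correlated by req id because the fnbamd token lines in the article do not print one, so run the check on one login at a time if several clients connect concurrently.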