FortiGate
Matt_B
Staff & Editor
Article Id 421645

Description

This article provides the minimum required firmware versions for successful multifactor authentication using FortiClient manual code entry or FortiToken Mobile push when connecting to a FortiGate IKEv2 dialup IPsec gateway.

Scope

FortiGate IKEv2 IPsec, FortiAuthenticator, FortiClient, FortiToken Mobile, FortiIdentity Cloud.
Solution

FortiGate triggers MFA prompts for IKEv2 dialup gateway clients through proprietary EAP extensions, so this is only supported when FortiClient is the VPN client. The exact firmware and software requirements depend on the authentication method.

SAML:

There are no significant FortiToken-specific considerations when integrating SAML with FortiGate IKEv2 IPsec dialup gateways. Support depends on whether the devices involved support SAML authentication with IKEv2 IPsec.
Minimum versions to use SAML authentication with IPsec:

  • FortiGate v7.2.0.
  • FortiAuthenticator v6.4.0.
  • FortiClient Windows/Linux/MacOS v7.2.4.
  • FortiClient iOS v7.4.
External browser support differs; see Technical Tip: FortiGate IPSec Dial-up IKEv2 SAML-based authentication with FortiAuthenticator as Id....
EAP-MSCHAPv2:

FortiClient manual code entry minimum versions:

  • FortiOS v6.2.4.
  • FortiClient Windows/Linux/MacOS v6.2.1.
  • FortiAuthenticator v6.4.1.
FortiToken Mobile push minimum versions (manual code entry fails):

  • FortiOS v7.2.8, v7.4.4, v7.6.0.
  • FortiAuthenticator v6.5.6, v6.6.1, v8.0.0.
  • FortiClient Windows v7.2.4.
  • FortiClient Linux/MacOS v7.2.5.

In the firmware versions above, when FortiToken Mobile push is configured, manual code entry fails. This is a known issue that is patched in the following versions.

FortiToken Mobile push (manual code entry allowed):

  • FortiOS v7.4.8, v7.6.5.
  • FortiAuthenticator v6.6.4, v8.0.0.
Note:

FortiIdentity Cloud push and FortiToken mobile push for IPsec tunnels hosted in a non-root VDOM have a known issue (ID# 1153984) that causes the push to fail, resolved in FortiOS v7.4.9 and v7.6.1.
EAP-TTLS:

Minimum Required Version:

  • FortiOS v7.4.9, v7.6.1.
  • No FortiAuthenticator support.
  • FortiClient Windows v7.4.4.
  • FortiClient MacOS v7.2.7, v7.4.3.
  • FortiClient Linux v7.4.1.
EAP-TTLS 2FA support is limited to use cases where FortiToken Mobile or FortiIdentity Cloud two-factor authentication is assigned to locally configured users on FortiGate. These users may be configured to authenticate using a local credential or using remote LDAP or RADIUS servers.
FortiAuthenticator does not support MFA for FortiClient using EAP-TTLS. However, appending the OTP code to the password can be used as a workaround, see Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using ....
Third-party MFA:

Fortinet uses a proprietary EAP extension to trigger the token code prompt for connecting FortiClients. Manual OTP code entry or FortiToken mobile push for other VPN clients is not supported.
When integrating third-party MFA solutions using FortiAuthenticator as a RADIUS proxy, EAP-MSCHAPv2 is recommended. The minimum required firmware versions are the same as for the EAP-MSCHAPv2 manual code prompt.

  • FortiOS v6.2.4.
  • FortiClient v6.2.1.
  • FortiAuthenticator v6.4.1.
If not using FortiGate or FortiAuthenticator to trigger MFA, the FortiClient OTP code prompt is not supported.

Third-party MFA solutions that do not rely on a token code prompt, such as Duo push or Microsoft Entra multifactor authentication, may function normally as long as the relevant authentication timeouts configured on FortiGate are long enough for the user to approve the push:

config system global
    set remoteauthtimeout <seconds>
end

config user radius
    edit <server name>
        set timeout <seconds>
    next
end
FortiOS does not support extending the remote LDAP server timeout for IKEv2 EAP authentication.
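As an added example that is not part of the original article, the following Python script parses the two FortiOS CLI blocks above from a constructed config export and flags any remoteauthtimeout or per-RADIUS-server timeout that is shorter than an assumed 60-second push-approval window. The threshold, the sample values and the assumed 5-second defaults are mine, not from the article.

```python
from typing import Dict, List
# Constructed sample of a FortiOS config export (not from the article).
SAMPLE_CONFIG = """\
config system global
    set remoteauthtimeout 10
end
config user radius
    edit "FAC-PROXY"
        set timeout 5
    next
    edit "DUO-PROXY"
        set timeout 60
    next
end
"""
# Assumed seconds a user needs to approve a push; tune for your IdP.
PUSH_WINDOW_SECONDS = 60

def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: value}}};
    settings with no 'edit' go under entry ''. Nested sub-tables are not modelled."""
    result: Dict[str, Dict[str, Dict[str, str]]] = {}
    section, entry = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], ""
            result.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set ") and section is not None:
            key, _, value = line[4:].partition(" ")
            result[section].setdefault(entry, {})[key] = value.strip('"')
        elif line == "next":
            entry = ""
        elif line == "end":
            section = None
    return result

def audit_mfa_timeouts(text: str, push_window: int = PUSH_WINDOW_SECONDS) -> List[str]:
    """Flag timeouts shorter than the push window (assumed FortiOS default: 5 s)."""
    cfg = parse_fortios(text)
    findings = []
    rat = int(cfg.get("system global", {}).get("", {}).get("remoteauthtimeout", 5))
    if rat < push_window:
        findings.append(f"system global remoteauthtimeout={rat}s < {push_window}s")
    for name, vals in cfg.get("user radius", {}).items():
        t = int(vals.get("timeout", 5))
        if name and t < push_window:
            findings.append(f"user radius '{name}' timeout={t}s < {push_window}s")
    return findings
```

Run it against the output of `show full-configuration` from the FortiGate; any finding means a push approval that takes longer than the flagged timeout will be treated as an authentication failure.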
Related article:

Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS)