FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dwickramasinghe1
Article Id 395765
Description This article describes how to troubleshoot EAP-TTLS authentication with IKEv2 failing due to a possible certificate error.
Scope FortiClient, FortiGate, IPsec, EAP.
Solution

Starting from FortiClient v7.4.3, EAP-TTLS is supported with IKEv2 authentication: EAP-TTLS support for IPsec VPN 7.4.3.

In earlier versions of FortiClient, EAP-MSCHAPv2 was the method used for username and password authentication, and it did not work with LDAP. EAP-TTLS works with LDAP authentication.


This article assumes that the initial configuration for IPsec IKEv2 has been completed, but the tunnel is not coming up due to an 'EAP failed for user' error in the IKE debugs on the FortiGate:

ike V=root:0:Phase2:12: responder received EAP msg
ike V=root:0:Phase2:12: send EAP message to FNBAM
ike V=root:0:Phase2: EAP 9646577106950 pending
ike V=root:0:Phase2:12 EAP 9646577106950 result FNBAM_DENIED
ike V=root:0:Phase2: EAP failed for user "vpnuser"
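Added example, not part of the original article: a small shell helper that triages a saved IKE debug capture and lists the users whose EAP exchange ended with FNBAM_DENIED, so the failing accounts can be found in a long debug without reading it line by line. The sample debug text below is constructed from the lines above, and the function name eap_denied_users is an assumption of this example.

```shell
# eap_denied_users: read FortiGate IKE debug text on stdin and print each user
# whose EAP exchange was answered with FNBAM_DENIED.
# Usage: eap_denied_users < ike-debug.txt
eap_denied_users() {
  awk '
    # The FNBAM verdict line arrives first, keyed by the EAP session id ...
    /EAP [0-9]+ result FNBAM_DENIED/ { denied = 1 }
    # ... and the following "EAP failed for user" line names the account.
    denied && /EAP failed for user/ {
      if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2)
      denied = 0
    }'
}

# Constructed sample, modelled on the debug output shown in the article.
SAMPLE_IKE_DEBUG='ike V=root:0:Phase2:12: responder received EAP msg
ike V=root:0:Phase2:12: send EAP message to FNBAM
ike V=root:0:Phase2: EAP 9646577106950 pending
ike V=root:0:Phase2:12 EAP 9646577106950 result FNBAM_DENIED
ike V=root:0:Phase2: EAP failed for user "vpnuser"'

printf '%s\n' "$SAMPLE_IKE_DEBUG" | eap_denied_users
```

The same pattern is useful on a debug taken with the rem-addr4 filter from step 1: the denied accounts are printed once per failed session, which is a quick way to confirm that every attempt from the endpoint fails at the EAP stage rather than earlier in the IKE exchange.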


When this issue occurs, check whether the FortiClient endpoint trusts the FortiGate server certificate used for the EAP-TTLS connection. The steps below outline how to do this:

  1. Run IKE debugs on the FortiGate and filter for the public IP of the endpoint:


diagnose vpn ike log filter rem-addr4 x.x.x.x
diagnose debug app ike -1
diagnose debug enable

diagnose debug disable  --> To disable debugs.


  2. Start a packet capture on the FortiGate and filter for the public IP of the endpoint under:

Network -> Diagnostics -> Packet Capture. Select 'New Packet Capture' and add the public IP to the 'Host' filter.

PCAP.png


  3. Attempt a VPN connection from the endpoint, and check the IKE debugs for the 'EAP failed for user' error.
  4. Stop the packet capture and take note of the following values from the IKE debugs:
  • Initiator.
  • Responder.
  • SK_ei.
  • SK_ai.
  • SK_ar.

DecryptionValues.png


  5. After taking note of the values above, refer to the following document to decrypt the ISAKMP packets in Wireshark: Technical Tip: How to decrypt IPSec Phase-2 (ISAKMP) packets IKEv2

If the correct values were assigned in Wireshark, the PCAP should change and show EAP packets. Refer to the before and after images below.

Before:

beforedecrypt.png

After:

afterdecrypt.png


  6. Check the Wireshark capture to see if there is a TLS error with the message 'Unknown CA'.


TLSError.png


  7. Verify the FortiGate Wi-Fi certificate (the certificate presented to the endpoint during the EAP-TTLS exchange) and ensure that a certificate trusted by the endpoint is selected instead:


conf sys global
show full | grep wifi-certificate

VerifyCert.png

Note:
The 'Fortinet_Wifi' certificate is trusted by endpoints because it is signed by a valid issuer:

conf sys global
    set wifi-certificate Fortinet_Wifi
end

  8. After changing the Wi-Fi certificate option to a trusted certificate, attempt the VPN connection again and confirm that the certificate error is gone. Repeat steps 2 to 6 to verify this:


GoodHandshake.png
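Added example, not from the article: the 'Unknown CA' verdict from step 6 reproduced offline with OpenSSL, to show that the endpoint's decision depends only on whether the issuer of the EAP-TTLS server certificate is present in its trust store, which is why selecting a Wi-Fi certificate from a trusted issuer in step 7 clears the error. The lab CA, the unrelated CA, the certificate names and the helper server_cert_trusted are all constructed for this example and have no counterpart in FortiOS.

```shell
# Reproduce the trust decision an endpoint makes on the EAP-TTLS server certificate.
set -e
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed lab issuer and the server certificate it signs (names are placeholders).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Private CA" \
  -keyout "$workdir/ca.key" -out "$workdir/ca.crt" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
  -keyout "$workdir/srv.key" -out "$workdir/srv.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$workdir/srv.csr" -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" \
  -CAcreateserial -out "$workdir/srv.crt" >/dev/null 2>&1

# A second, unrelated CA: what the endpoint's trust store looks like when the issuer is missing.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout "$workdir/other.key" -out "$workdir/other.crt" >/dev/null 2>&1

# server_cert_trusted <server.crt> <trust-store.pem>: exit 0 when the chain verifies.
# -no-CApath/-no-CAfile keep the system store out, so only the given trust store counts,
# which mirrors an endpoint that has exactly the CAs it was provisioned with.
server_cert_trusted() {
  openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

if server_cert_trusted "$workdir/srv.crt" "$workdir/ca.crt"; then
  echo "issuer in trust store: certificate accepted"
fi
if ! server_cert_trusted "$workdir/srv.crt" "$workdir/other.crt"; then
  echo "issuer not in trust store: unknown CA, handshake would fail"
fi
```

The second case is the situation behind the 'EAP failed for user' debug line: the FortiGate presents a certificate whose issuer the endpoint has never seen, the TLS handshake inside EAP-TTLS aborts with Unknown CA, and FNBAM reports the user as denied even though the username and password were never evaluated.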


Note: In the Windows configuration, EAP needs to be enabled as shown below (it can only be enabled or disabled via the CLI):


imagen.jpg