Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Certificate authentication with Password in IKEv2 (IPSec Dialup)

Hi guys, i´m trying to build a VPN with a certificate authentification(warning im a newbie on Fortigate). This is alredy established and works, but the connecting process the user dosent have to type a password or username in. So how can i get a authentification requierement for certificate user. For example: User have certificate -> connect -> Type Password & Username in (this dosent come???) -> connection established The connection is via Linux network-manager-strongswan Fortigate Version is 5.6.3 (Fortigate100d) The next Question is i have a limit of 10 parallel VPN Users on the Fortigate, how can i increase it? Thanks for your help. :) PS: Sry for the bad english.


Hello @GigaX ,


In FortiGate, you can set up a two-factor authentication (2FA) method that requires both a certificate and a username/password. Navigate to the VPN settings and under Phase 1 settings of your VPN tunnel. Change the authentication method to signature. Under the authentication settings, specify the user group that will be allowed to connect. This user group should be tied to your LDAP or local user database. Save your settings and try connecting. You should now be prompted for a username and password.


This is not possible with IKEv2.

One side (the client) can authenticate using only one of these three methods (using more than one is not possible):

  • PSK
  • certificate
  • EAP

Within EAP, there's various EAP methods, but none supports combined certificate + password authentication of the client:

  • EAP-TLS: certificates only
  • EAP-PEAP: username+password only
  • EAP-TTLS: username+password only
  • EAP-MSCHAPv2: username+password only

For the sake of completeness, there's a relatively recent EAP-TEAP, which allows chaining of multiple other EAP methods. This in theory could support a combination like EAP-TLS + EAP-MSCHAPv2, thus authenticating both the user's certificate and their username+password, but as far as I am aware, support seems to be limited. FortiGate itself certainly doesn't support it (when in an EAP proxy scenario), but maybe you'll be lucky and your choice of VPN client + RADIUS server will support it. (if EAP is handled by the RADIUS server, the FortiGate has no influence over the EAP method)

[ corrections always welcome ]
Top Kudoed Authors