Technical Tip: Restricting VPN access with two-factor and LDAP authentication
Description
This article describes how to restrict VPN access with two-factor and LDAP authentication.
Scope
FortiGate.
Solution
- Configure the LDAP server connection on the FortiGate.

- Import the user from LDAP as a 'local' user: User and authentication -> User Definition -> Create New.

- Assign a FortiToken to the imported LDAP user; an activation code will be sent to the user's email address.
  
- Create a Local User Group.
- Add the LDAP users that have FortiTokens assigned.
- The 'Remote Group' option is not needed.

- Add the 'Remote Access' group to the SSL VPN setting Authentication Portal Mapping as required.
 
- Configure a Firewall Policy for the SSL VPN users.
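The same steps expressed as a FortiOS CLI configuration, added here as an illustration and not taken from the original article. Server address, bind DN, user name, token serial and interface names are placeholders; it assumes the base SSL VPN settings (source interface, tunnel address pool, server certificate) and the FortiToken Mobile licence already exist.

```fortios
config user ldap
    edit "LDAP-SRV"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=ldapbind,cn=Users,dc=example,dc=com"
        set password "BIND-PASSWORD-PLACEHOLDER"
    next
end
# The imported LDAP user is a local user object with a token attached
config user local
    edit "alice"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor fortitoken
        set fortitoken "FTKMOB-SERIAL-PLACEHOLDER"
        set email-to "alice@example.com"
    next
end
# Local group with explicit members only: no 'config match' (Remote Group),
# so an LDAP account without an assigned token cannot log in to the VPN
config user group
    edit "SSLVPN-2FA"
        set member "alice"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN-2FA"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "SSLVPN-2FA"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because the group has no remote match rule, only users imported and given a token are accepted; the LDAP password alone is never sufficient for the VPN policy.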
 
To activate FortiToken Mobile:
Download and install the FortiToken Mobile app on the mobile device from the appropriate app store (App Store for iOS or Google Play Store for Android).
Receiving the activation code:
An email or SMS message containing the activation code and a QR code will be sent to the user.
Option 1: Scan the QR code. Open the FortiToken Mobile app, tap the '+' icon in the top right corner, select 'Scan QR code', and scan the received QR code.
Option 2: Enter the activation code manually.
Open the FortiToken Mobile app, tap the '+' icon in the top right corner, and select 'Enter manually'. Select 'Fortinet Account' and enter the email address and the activation code received.

Completing the activation:
After scanning the QR code or entering the activation code, the app will generate a six-digit verification code.

Enter this code at the VPN login prompt to complete the two-factor authentication.
Related article:
Technical Tip: Correctly configuring Two-Factor Authentication for LDAP users using SSL VPN