2FA for administrators logging in to the WebUI

Question

Hi all,

I spoke with my manager today about setting trusted hosts on the admin accounts we have to the WebUI and the conversation led to instead using the 2FA option. We do not use FortiTokens but instead have RSA SecurID set up that we currently use for SSL VPN users.

Does anyone know if we can use same 2FA for administrators logging in to the WebUI? If not how do i get the forti tokens to work? I have 2 forti tokens currently and would need to get more but for now these 2 are enough. so i set up my admin account, I set my SMS and did the 2FA and selected a forti token. I do not get the activation email by SMS but have seen a work around https://cookbook.fortinet.com/two-factor-auth-fortitoken-mobile/ that says you can via CLI get the activation code. Now do i need to download, install and activate the token with the fortitoken app on my mobile before this will work?

Does anyone know how i can get my fortigate to send SMS? so i dont have to use the CLI to get the activation code?

Best Regards

Ronnie

xsilver_FTNT · Answer

Hi,

1. as you speak about SMS, activation code, application and two tokens I do assume you are talking about FortiToken Mobile and those two demo tokens inside every FortiGate. Just to note there are 5 different FortiToken models.

2. SMS - by default sent through FortiGuard SMS Service Gateway. There might be some free SMS messages granted. I do not remember current amount as it is changing a bit. In general FortiGuard SMS Service is pre-paid and to FortiGate delivered as license for certain amount of prepaid SMS messages you are then able to use/send.

Alt. you can set up your own custom SMS Gateway with SMTP delivery. ( http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36478 )

For two tokens the CLI seems to me as less complicated method.

Just assign token to user/admin and the go to respective token for activation-code

config user fortitoken edit "FTKMOB43411D6E13" set license "FTMTRIAL00143831" <--- DEMO/TRIAL Licence set activation-code "EEIO7HTZ73FGFFCR" <--- code you are looking for set activation-expire 1533462367 end

config user local edit "testsms" set type password set two-factor fortitoken set fortitoken "FTKMOB43411D6E13" <--- token above set email-to "testsms@xsilver.org" set sms-phone "+0042739946842" end

3. if you do have any other MFA (multi-factor authentication) and if it's done via RADIUS protocol, then user can be type remote with radius settings pointing to server which will do MFA (or at least first part as for example FortiAuthenticator can do chain-authentication). FGT is able to handle RADIUS Challenge-Requests (upto some 4 additional exchanges AFAIR)

(!) If you are going to make all the admins MFA and depending on outer auth, then I would highly suggest to make one backup super admin account with local auth (trusted host to one mgmt IP - optionally), strong password, which credentials will be kept locked in vault. Just for case those MFA authentications will fail, tokens get lost etc. Just to be on safe side.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded