yeowkm99
New Member
July 29, 2025
Question

Enable 2FA for Fortigate firewall


How do I enable 2FA for my FG401E using firmware 7.2.xx?

What are the types of 2FA I can use?

2 replies

sjoshi
Staff
July 29, 2025

Hi @yeowkm99 

 

You may refer to the article below to enable 2FA on the FGT:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGate/ta-p/194890

 

Are you looking for email-based or FortiToken?

Thanks, Salon

yeowkm99
Author
New Member
July 30, 2025

We are already using FortiToken for users' SSL VPN accounts.

Is it still possible to enable 2FA for admin accounts?

 

edit "xxxxtan"
    set type radius
    set two-factor fortitoken
    set fortitoken "FTKxxxxx794E1"
    set email-to "xxxxmtan@xxxxxmedical.com"
    set radius-server "XXXRadius"

 

My local account is kinxxxx.

My admin account is kixxxxadmin.

yeowkm99
Author
New Member
July 30, 2025

I tested it and cannot use the same email account for both for the 2FA.

After I changed the admin email-to to my Gmail account, it works.

Toshi_Esumi
SuperUser
July 30, 2025

At FAC, if you set an FAC admin user account with a name (not only email), you cannot use the same name for a regular user account for RADIUS or LDAP or whatever, because the FAC always finds the name bound as an "admin" user and allows it whatever the admin can do. E.g., if the admin account doesn't have 2FA set up, the regular RADIUS user login with the same name wouldn't go through 2FA even if you set it up for the group/users.

We discovered this issue about 3 years ago when we deployed a FAC for FTM (FortiToken Mobile) 2FA, and requested an NFR (new feature request) via SE at that time. Apparently they never implemented the change.

Toshi
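
A defensive check related to this thread, as an added example that is not part of any post above and is not Fortinet code: a Python script that reads a saved FortiGate configuration, lists admin accounts with no two-factor line, and reports email-to values reused across admin and local user entries (the combination the original poster reports did not work). The sample configuration, account names and addresses are constructed placeholders, and the `config system admin` / `config user local` layout is assumed to match a `show` export.

```python
from collections import defaultdict
# Constructed sample in FortiOS "show" layout; every name and address is a placeholder.
SAMPLE_CONFIG = '''\
config system admin
    edit "opsadmin"
        set two-factor fortitoken
        set email-to "ops@example.com"
    next
    edit "backupadmin"
        set accprofile "super_admin"
    next
end
config user local
    edit "ops"
        set two-factor fortitoken
        set email-to "ops@example.com"
    next
end
'''
SECTIONS = ("system admin", "user local")

def parse_accounts(text):
    """Return {(section, name): {setting: value}} for admin and local-user entries."""
    accounts, stack, name = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])  # nested blocks are pushed so their "end" is matched
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0] in SECTIONS:
            if line.startswith("edit "):
                name = line[5:].strip('"')
                accounts[(stack[0], name)] = {}
            elif line.startswith("set ") and name is not None:
                key, _, value = line[4:].partition(" ")
                accounts[(stack[0], name)][key] = value.strip('"')
    return accounts

def audit(accounts):
    """Flag admins without a second factor and email-to values used by several accounts."""
    findings, shared = [], defaultdict(list)
    for (section, name), cfg in sorted(accounts.items()):
        # Assumption: the export omits defaults, so no two-factor line means disabled.
        if section == "system admin" and cfg.get("two-factor", "disable") == "disable":
            findings.append(f"admin '{name}' has no two-factor setting")
        if "email-to" in cfg:
            shared[cfg["email-to"].lower()].append(f"{section}/{name}")
    for email, owners in sorted(shared.items()):
        if len(owners) > 1:
            findings.append(f"email-to '{email}' is shared by {', '.join(owners)}")
    return findings
```

Run `audit(parse_accounts(text))` on the text of a configuration backup; each returned string names one account or address to review.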