Skip to main content
SegLati
SegLati
Visitor III
January 30, 2025
Solved

enable email 2FA for local users

  • January 30, 2025
  • 2 replies
  • 2586 views

Hello everybody: I want to enable two-factor authentication but only for local users who use the forticlient to connect VPN (fortigate 60F).

I want to use email, I already have the email-server configured.
The option does not appear, so I have to configure the email-server.
This is my configuration:
show system email-server
config system email-server
set server "mail.emailexample.com.ar"
set port 26
set security smtps
end

According to the documentation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGate/ta-p/194890

There are two steps to complete this configuration:


Configure the SMTP server.

config system email-server

set reply-to {Sender_email_address}

set server {SMTP_server_FQDN/IP}

set port {SMTP_server_port_number}

set authenticate {enable | disable}

set username {username}

set password {password_string}

set security {none | starttls | smtps}

end

 

Create a user(s) with email two-factor enabled.

config user local
edit {username}
set type password
set two-factor email
set email-to {user_email_address}
set passwd {password}
next
end

config system admin
edit "admin"
set type password
set two-factor email
set email-to user_email_address
set passwd password
next
end

but I only want to enable it for local users, is it possible?

Thanks

Best answer by Dhruvin_patel

Hello!

 

Yes, it is possible to enable email two-factor authentication specifically for local users on FortiGate. Here's how you can achieve this:

1. Configure the SMTP server:
```
config system email-server
set reply-to {sender_email_address}
set server {smtp_server_fqdn/ip}
set port {smtp_server_port_number}
set authenticate enable
set username {username}
set password {password_string}
set security smtps
end
```

2. Create a local user with email two-factor authentication enabled:
```
config user local
edit {username}
set type password
set two-factor email
set email-to {user_email_address}
set passwd {password}
next
end
```

By following these steps, you can enable email two-factor authentication for local users on your FortiGate device. This will ensure that only local users using FortiClient to connect to VPN will have email two-factor authentication enabled.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGate/ta-p/194890

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Forticlient-SSLVPN-using-email-two-factor/ta-p/194023

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-Up-Two-Factor-Authentication-2FA-for/ta-p/325709

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-local-admin-authentication-when-remote/ta-p/191581

 

Best Regards!

 

 

 

2 replies

Dhruvin_patel
Staff
Dhruvin_patelAnswer
Staff
January 30, 2025

Hello!

 

Yes, it is possible to enable email two-factor authentication specifically for local users on FortiGate. Here's how you can achieve this:

1. Configure the SMTP server:
```
config system email-server
set reply-to {sender_email_address}
set server {smtp_server_fqdn/ip}
set port {smtp_server_port_number}
set authenticate enable
set username {username}
set password {password_string}
set security smtps
end
```

2. Create a local user with email two-factor authentication enabled:
```
config user local
edit {username}
set type password
set two-factor email
set email-to {user_email_address}
set passwd {password}
next
end
```

By following these steps, you can enable email two-factor authentication for local users on your FortiGate device. This will ensure that only local users using FortiClient to connect to VPN will have email two-factor authentication enabled.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGate/ta-p/194890

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Forticlient-SSLVPN-using-email-two-factor/ta-p/194023

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-Up-Two-Factor-Authentication-2FA-for/ta-p/325709

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-local-admin-authentication-when-remote/ta-p/191581

 

Best Regards!

 

 

 

    SegLati
    SegLatiAuthor
    Visitor III
    February 5, 2025

    Thanks for the answer!

    I was able to enable two-factor authentication using email.

    Best Regards!

    Dhruvin_patel
    Staff
    Dhruvin_patel
    Staff
    February 5, 2025

    I'm glad it worked for you!

      Terms & ConditionsAccessibility statement