daniel_anderson
New Member
August 24, 2020
Solved

Two-Factor Authentication - FortiGate 500E

  • August 24, 2020
  • 1 reply
  • 3313 views

Good Morning Everyone,

 

My 2 questions are hopefully very simple and probably a duplication of questions previously asked...

 

1. Are the FortiTokens still the valid way to handle Two-Factor Authentication with FortiGate products for SSL VPN

2. I'm testing with the 2 free tokens. If access to the VPN is granted through an Active Directory group, the VPN does not ask for the FortiToken. If a user is granted access to the VPN using only their users, the FortiToken is required. Any ideas?

 

All the best,

 

Dan

    Best answer by Yurisk


    Patel
    New Member
    August 30, 2020

    Hi,

    Here are answers to your questions:

    1.) Yes, FortiTokens are still the valid way to handle Two-Factor Authentication with FortiGate products for SSL VPN.

    2.) If access to the VPN is granted through an Active Directory group, the VPN does not ask for the FortiToken. 

    - Make sure that the user group you are mapping to the portal does not include mixed users (some with 2FA enabled and some without 2FA).

    - Only users with 2FA enabled should be in that group. Please check that and let me know if that still does not work.

     

    Regards,

    Patel

    Yurisk
    SuperUser
    August 30, 2020

    To enable MFA with Fortitokens and LDAP users I see 2 ways:

    1. As per Fortinet docs - create local users with the exact same name as in LDAP and assign Fortitokens to them. In such case Fortigate does NOT store the password of a user locally - just its name; all authentication is against LDAP. https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD36413&languageId=
    2. Use MS Radius (NPS, that plugs into your DC) instead of a direct LDAP connection. It works with FortiAuthenticator as well as any 3rd party vendor like DUO etc. https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD36413&languageId=
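    The following FortiOS CLI snippet is an added illustration of the first approach in Yurisk's answer combined with Patel's point about keeping the portal group 2FA-only; it is not configuration posted in this thread or taken from Fortinet documentation. The LDAP server name "AD-LDAP", the documentation address 192.0.2.10, the bind account, the user "jdoe", the group name "SSLVPN-2FA" and the token serial are all assumed placeholders.

```fortios
# Added example (not from the thread). Assumptions: LDAP server object
# "AD-LDAP" pointing at a DC on 192.0.2.10, a bind account "svc-fgt-ldap",
# an AD user "jdoe", and FTK_SERIAL_PLACEHOLDER standing in for a real
# FortiToken serial that has already been activated on the unit.

# 1) The LDAP server the FortiGate validates passwords against.
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fgt-ldap,ou=Service Accounts,dc=example,dc=com"
        set password "BIND_PASSWORD_PLACEHOLDER"
    next
end

# 2) A local user with the same name as the AD account. "set type ldap"
#    means no password is stored on the FortiGate; only the username and
#    the token assignment live locally, and the password check goes to AD.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "FTK_SERIAL_PLACEHOLDER"
    next
end

# 3) The group mapped to the SSL VPN portal. Only token-assigned local
#    users are members. Adding the LDAP server (or an AD group match) as a
#    member here would let AD users in on password alone, which is the
#    behaviour described in the original question.
config user group
    edit "SSLVPN-2FA"
        set member "jdoe"
    next
end
```

    After applying this, `diagnose test authserver ldap AD-LDAP jdoe <password>` confirms the LDAP bind and password check work on their own, and an SSL VPN login as "jdoe" should then prompt for the token code. If a user who is only present via an AD group can still log in to the same portal without a token, the group still has a non-2FA member entry and the test in step 3 is the place to look.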