Skip to main content
damianhlozano
damianhlozano
Explorer II
November 17, 2022
Solved

Two factor authentication for AD admins

  • November 17, 2022
  • 2 replies
  • 6881 views

Hello team!!!

 

Is there a way to enable 2 factor authentication for admins with other than local Users?

As suggested by Fortinet, I created an AD group, added the AD Group to the local group, and added the local group as admin in System->Administrators

With local users I have the "Two factor authentication" option in the gui, but this option is not available with this group, also tried to configure two factor autentication from the cli but "set two-factor" is not possible with this group.

 

Any suggestion?

Regards,

Damián

Best answer by kiri

We might have sent you in the wrong direction.
This is how you can configure and assign tokens to remote LDAP admin.
If you're using vdoms, you have to be in global for this. Group and server in root vdom.
fortinet is my samaccountname, and I'm able to auth with this as admin. 2fa enabled also.

fortigate # config global
fortigate (global) # config system admin
fortigate (admin) # edit fortinet
fortigate (fortinet) #
config system admin
edit "fortinet"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKMOB1A914XXXXX"
set email-to "fortinet@bogusinc.local"
set remote-group "bogusinc-LDAP-GROUP"
set password ENC
next
end

fortigate (root) show user ldap LDAPS-bogusinc.local2012r2ldap
config user ldap
edit "LDAPS-bogusinc.local2012r2ldap"
set server "10.5.23.153"
set server-identity-check disable
set cnid "sAMAccountName"
set dn "DC=bogusinc,DC=local"
set type regular
set username "Administrator@bogusinc.local"
set password ENC
set secure ldaps
set ca-cert "CA_Cert_2"
set port 636
next
end

fortigate (root) # show user group bogusinc-LDAP-GROUP
config user group
edit "bogusinc-LDAP-GROUP"
set member "bogusinc.local2012r2ldap"
config match
edit 1
set server-name "bogusinc.local2012r2ldap"
set group-name "CN=Domain Users,CN=Users,DC=bogusinc,DC=local"
next
end
next
end

Let me know if this helps.
- Have you found a solution? Then give your helper a "Like" and mark the solution.

2 replies

kiri
Staff & Editor
kiri
Staff & Editor
November 18, 2022

Hi Damián,

You can define AD user on the firewall and enable 2fa.

config user local
edit "fortinet"
set type ldap
set two-factor
...

I'm not aware of any other method on the firewall.
If you don't want that, you can auth the admin externally over radius using a FAC, for instance. Here you can enable 2fa also.

This is LDAP example, but I think you can adapt it for radius easily:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/747268/configuring-wildcard-admin-accounts

Or you can try SAML and 2fa will be handled by your IDP (FAC or other IDP provider).

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-SAML-admin-authentication/ta-p/195402

- Have you found a solution? Then give your helper a "Like" and mark the solution.

damianhlozano
damianhlozanoAuthor
Explorer II
November 18, 2022

Hello cchiriches, thanks for your answer.

About the first suggestion, I dont understand how to associate this local user with an AD user, in the "edit username" I dont have any option to do this (I used "show full-configuration")

About the wilcard admin accounts, this is alike what I did before, this does not support 2FA

It seems we will not use the other methods, they asked now to authenticate only with AD.

Any Idea?

 

Thanks in advance.

Regards,

Damian

 

ebilcari
Staff
ebilcari
Staff
November 18, 2022

You can try to import/create a remote LDAP user under User & Authentication> User Definition> Create New> User Type [Remote LDAP User] > Next > (Select user) > right click [Add Selected]
(same result as explained on the previous comment from the CLI)

After that you can assign a token and make it part of the Admin group you created.

Emirjon
damianhlozano
damianhlozanoAuthor
Explorer II
November 18, 2022

Hello ebilcari, thanks for your answer

I just tested, this does not work, allowed me to access but without 2FA, just the password required.

 

Any other idea?

Regards,

Damián

kiri
Staff & Editor
kiriAnswer
Staff & Editor
November 18, 2022

We might have sent you in the wrong direction.
This is how you can configure and assign tokens to remote LDAP admin.
If you're using vdoms, you have to be in global for this. Group and server in root vdom.
fortinet is my samaccountname, and I'm able to auth with this as admin. 2fa enabled also.

fortigate # config global
fortigate (global) # config system admin
fortigate (admin) # edit fortinet
fortigate (fortinet) #
config system admin
edit "fortinet"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKMOB1A914XXXXX"
set email-to "fortinet@bogusinc.local"
set remote-group "bogusinc-LDAP-GROUP"
set password ENC
next
end

fortigate (root) show user ldap LDAPS-bogusinc.local2012r2ldap
config user ldap
edit "LDAPS-bogusinc.local2012r2ldap"
set server "10.5.23.153"
set server-identity-check disable
set cnid "sAMAccountName"
set dn "DC=bogusinc,DC=local"
set type regular
set username "Administrator@bogusinc.local"
set password ENC
set secure ldaps
set ca-cert "CA_Cert_2"
set port 636
next
end

fortigate (root) # show user group bogusinc-LDAP-GROUP
config user group
edit "bogusinc-LDAP-GROUP"
set member "bogusinc.local2012r2ldap"
config match
edit 1
set server-name "bogusinc.local2012r2ldap"
set group-name "CN=Domain Users,CN=Users,DC=bogusinc,DC=local"
next
end
next
end

Let me know if this helps.
- Have you found a solution? Then give your helper a "Like" and mark the solution.

    Terms & ConditionsAccessibility statement