FortiAuthenticator provides access management and single sign on.
Article Id 193021
This article describes the use of RADIUS Chained Authentication in FortiAuthenticator where 3rd Party Multi-Factor Authentication tokens can be used as 2FA.

RADIUS Chained Authentication is useful for providing FortiAuthenticator services in an environment where 3rd Party Multi-Factor Authentication tokens are already widely deployed.
For instance, use chained authentication for administrative access to a FortiGate where in FortiAuthentificator can validate the username/password (Remote LDAP) and rely on the RSA server for token authentication only.

RADIUS Chained Authentication can create under FortiAuthentificator Realm.
- Go to Authentication -> User Management -> Realms and create a new entry. Enter the following information:

- Provide a name.
- For User source, select the LDAP server from the dropdown.
- Enable 'Chained token authentication with remote RADIUS server'.
- Select the FortiToken server  added as a RADIUS server.

- Optionally, it is possible to configure selected groups are applied with chained token authentication.