FortiAuthenticator provides access management and single sign on.
Article Id 190276


This article describes how to configure FortiAuthenticator as the RADIUS server for Linux login through pam_radius.
FortiToken Mobile is used for 2FA and CentOS 7 for the Linux machine.


Linux configuration.

1) Install the pam_radius module. You may need to add an additional Linux repository if the package is not found.

[root@localhost ~]# sudo yum install pam_radius

2) Edit /etc/pam_radius.conf. Replace FAC_IP and FAC_Secret with the FortiAuthenticator IP address and the RADIUS shared secret.

[root@localhost ~]# nano /etc/pam_radius.conf
# server[:port] shared_secret      timeout (s)
#      secret             1
#other-server    other-secret       3
FAC_IP FAC_Secret 3

3) Edit /etc/pam.d/sshd to add RADIUS authentication to the auth stack. The pam_radius package provides the module pam_radius_auth.so.

[root@localhost ~]# nano /etc/pam.d/sshd
auth       required     pam_sepermit.so
auth       sufficient   pam_radius_auth.so   # add this line
auth       substack     password-auth
auth       include      postlogin

4) Restart the sshd service.

[root@localhost ~]# systemctl restart sshd

5) Add a local user with the same username as the FortiAuthenticator account.

sudo useradd fac_nathan

FortiAuthenticator Configuration.

1) Configure the RADIUS client.

2) Configure the RADIUS policy.

3) Configure the local FortiAuthenticator account.

Login flow (FortiToken Mobile):

Login as: username
Password: password+tokencode


Using Email Token as 2FA:


1) Enable the challenge-response mechanism. Additional configuration is needed on the Linux server: edit the /etc/ssh/sshd_config file.

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no


2) Restart sshd.

 systemctl restart sshd
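The two procedures above edit three files: /etc/pam_radius.conf, /etc/pam.d/sshd and /etc/ssh/sshd_config. The script below is an added example, not part of the Fortinet article, that checks an edited copy of each for the mistakes that most often break or weaken this setup: placeholders left in pam_radius.conf, a shared secret readable by other users, pam_radius_auth.so missing or placed below the password-auth substack, and ChallengeResponseAuthentication not set to yes. The sample files it writes to a scratch directory are constructed (the 192.0.2.10 address and the dummy secret are illustrative); pass the real paths to the functions to audit a live server.

```shell
#!/bin/sh
# Added example (not part of the Fortinet article): offline checks for the three
# files the procedures above edit.  Sample copies are constructed in a scratch
# directory so nothing on the host changes; pass the real paths
# (/etc/pam_radius.conf, /etc/pam.d/sshd, /etc/ssh/sshd_config) to audit a server.

# pam_radius.conf holds the RADIUS shared secret: the placeholders must be gone
# and neither group nor others may read the file.  Returns 0 only if both hold.
check_pam_radius_conf() {
  conf=$1
  entry=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' | head -n 1)
  if [ -z "$entry" ]; then
    echo "$conf: no server entry"; return 1
  fi
  case $entry in
    *FAC_IP*|*FAC_Secret*) echo "$conf: placeholders still present: $entry"; return 1 ;;
  esac
  set -- $entry                         # split into server, shared_secret, [timeout]
  if [ $# -lt 2 ]; then
    echo "$conf: entry needs at least server and shared_secret"; return 1
  fi
  perms=$(ls -l "$conf" | cut -c5-10)   # group and other permission bits
  case $perms in
    *r*) echo "$conf: readable by group/others ($perms); chmod 600 it"; return 1 ;;
  esac
  return 0
}

# /etc/pam.d/sshd: pam_radius_auth.so must sit in the auth phase above the
# password-auth substack, otherwise the local Unix password is consulted first.
check_pam_sshd() {
  pamfile=$1
  radius=$(grep -n '^auth[[:space:]].*pam_radius_auth\.so' "$pamfile" | head -n 1)
  if [ -z "$radius" ]; then
    echo "$pamfile: pam_radius_auth.so not in auth stack"; return 1
  fi
  substack=$(grep -n '^auth[[:space:]].*substack[[:space:]][[:space:]]*password-auth' "$pamfile" | head -n 1)
  if [ -n "$substack" ] && [ "${radius%%:*}" -gt "${substack%%:*}" ]; then
    echo "$pamfile: pam_radius_auth.so is below the password-auth substack"; return 1
  fi
  return 0
}

# Control flag on the pam_radius_auth.so line.  With "sufficient" (as in step 3)
# a RADIUS failure falls through to password-auth, so a user who also has a local
# Unix password could log in without the token: keep the account passwordless
# (step 5 sets none) or the second factor is optional for that user.
radius_control_flag() {
  grep '^auth[[:space:]].*pam_radius_auth\.so' "$1" | head -n 1 | awk '{ print $2 }'
}

# sshd_config: the email token is requested as an extra PAM prompt, which sshd
# only allows with ChallengeResponseAuthentication yes.  sshd honours the first
# occurrence of a keyword, so only the first active line counts.
check_challenge_response() {
  val=$(grep -i '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$1" \
        | head -n 1 | awk '{ print tolower($2) }')
  [ "$val" = "yes" ]
}

scratch=$(mktemp -d)

# Constructed sample files: documentation address (RFC 5737) and a dummy secret.
cat > "$scratch/pam_radius.conf" <<'EOF'
# server[:port] shared_secret         timeout (s)
192.0.2.10      example-shared-secret 3
EOF
chmod 600 "$scratch/pam_radius.conf"

cat > "$scratch/pam_radius.bad" <<'EOF'
FAC_IP FAC_Secret 3
EOF
chmod 644 "$scratch/pam_radius.bad"     # deliberately wrong: placeholders kept, world-readable

cat > "$scratch/sshd" <<'EOF'
auth       required     pam_sepermit.so
auth       sufficient   pam_radius_auth.so
auth       substack     password-auth
auth       include      postlogin
EOF

cat > "$scratch/sshd_config" <<'EOF'
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
EOF

for f in "$scratch/pam_radius.conf" "$scratch/pam_radius.bad"; do
  if check_pam_radius_conf "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
if check_pam_sshd "$scratch/sshd"; then
  echo "OK   PAM auth stack (control flag: $(radius_control_flag "$scratch/sshd"))"
fi
if check_challenge_response "$scratch/sshd_config"; then
  echo "OK   ChallengeResponseAuthentication yes"
else
  echo "FAIL ChallengeResponseAuthentication must be yes for the email token"
fi
```

The control-flag check is reported rather than failed on purpose: `sufficient` is what the article configures and works as long as the local account has no password, which is why step 5 creates the user without setting one.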


Login flow:

1) Enter the username and password.

2) Enter the email token.


Corresponding FortiAuthenticator log entries for this login, newest first:

logid=20000 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Success" msg="Remote LDAP user authentication with email token successful" user="fac_nathan"
logid=30908 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="smtp mail: send to via x.x.x.x ok" user="admin"
logid=20300 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting email token" user="fac_nathan"
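A login that reaches "Pending" (logid 20300) but never produces a "Success" (logid 20000) means the password was accepted and the email token was not supplied. One such pair is normal while the mail is in flight, but a user who keeps stalling there either is not receiving the token or has a password known to someone without access to the mailbox. The script below is an added example, not part of the Fortinet article, that reduces log lines of the format shown above to logid, status and user and lists users in that state. The logid values are the ones the article shows; the fourth sample line and the user example_user are constructed. Order does not matter, so a newest-first export such as the one above works as well as a chronological one.

```shell
#!/bin/sh
# Added example (not part of the Fortinet article): triage of FortiAuthenticator
# authentication log lines such as the three shown above.  Logids 20300
# (pending), 20000 (success) and 30908 (smtp) are taken from the article; the
# fourth sample line and the user "example_user" are constructed.

# Reduce each key=value log line to "logid|status|user".  Fields are quoted in
# FAC logs, so one sed substitution is enough; lines without a user are dropped.
extract_fields() {
  sed -n 's/.*logid=\([0-9][0-9]*\).*status="\([^"]*\)".*user="\([^"]*\)".*/\1|\2|\3/p' "$1"
}

# Users for whom the first factor was accepted (status Pending, email token
# expected) but no Success record exists in the same extract.
stalled_pending() {
  extract_fields "$1" | awk -F'|' '
    $2 == "Pending" { pending[$3] = 1 }
    $2 == "Success" { success[$3] = 1 }
    END { for (u in pending) if (!(u in success)) print u }' | sort
}

# Event counts per logid: a burst of 20300 without matching 20000 stands out here.
count_by_logid() {
  extract_fields "$1" | awk -F'|' '{ n[$1]++ } END { for (id in n) print id, n[id] }' | sort
}

# Constructed sample: the three lines from the article plus one pending entry for
# example_user that never completes.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
logid=20000 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Success" msg="Remote LDAP user authentication with email token successful" user="fac_nathan"
logid=30908 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="smtp mail: send to via x.x.x.x ok" user="admin"
logid=20300 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting email token" user="fac_nathan"
logid=20300 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting email token" user="example_user"
EOF

echo "events per logid:";        count_by_logid "$sample_log"
echo "pending without success:"; stalled_pending "$sample_log"
```

On a real export the smtp line (30908) is what confirms the token mail actually left the FortiAuthenticator; a pending entry with no smtp line beside it points at mail delivery rather than at the user.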


Related Articles

Technical Note : FortiAuthenticator Interoperability Guide