FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
rbraha
Staff
Article Id 281383
Description This article describes how to log in to Windows with local users using the FortiAuthenticator Agent.
Scope FortiAuthenticator.  
 

In some cases, a local account is created on the PC and these users need to log in with 2FA using the FortiAuthenticator Agent.

Refer to the documentation for FortiAuthenticator Agent configuration.

 

To log in with local users, it is necessary to have the '.' realm created on FortiAuthenticator.

The same username/password should be set on the FortiAuthenticator local user database.

 

facagent1.jpg

 

The same user credentials that exist on Windows are created on FortiAuthenticator as local users, with tokens assigned on FortiAuthenticator.

 

facagent2.jpg

 

The example above was a test performed on Windows with the user 'gimi'. On the FortiAuthenticator Agent, select '.' instead of a domain.

Enter credentials. A prompt for a token will appear.

 

facagent3.jpg

 

Since the FortiAuthenticator Agent communicates with FortiAuthenticator through a REST API, the authentication attempt can be checked in the debug logs on FortiAuthenticator.

 

On FortiAuthenticator, navigate to https://<fac-ip>/debug and select the REST API log. On the FortiAuthenticator Agent, go to Simulation -> View Logs.

facagent4.jpg

 

If there is the error 'User name or password is incorrect':

  1. Ensure the local username and password are the same as the credentials for the Windows username and password.
  2. Ensure REST API is enabled on the interface facing the PC.
  3. Download FortiAuthenticator Agent from FortiAuthenticator itself under Authentication -> FAC Agent -> Microsoft Windows Agent, to ensure compatibility.
     Screenshot 2024-08-29 090352.png