FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
rbraha
Staff
Article Id 281383
Description: This article describes how to log in to Windows with local users using the FortiAuthenticator Agent.
Scope: FortiAuthenticator.
 

In some cases, a local account is created on the PC and these users need to log in with 2FA using the FortiAuthenticator Agent: Introduction.

 

To log in with local users, it is necessary to have the '.' realm created on FortiAuthenticator. The same username/password should be set on the FortiAuthenticator local user database.

 

facagent1.jpg

 

The same user credentials that exist on Windows are created on FortiAuthenticator as local users, with tokens assigned on FortiAuthenticator.

 

facagent2.jpg

 

The example above was a test performed on Windows with the user 'gimi'. On the FortiAuthenticator Agent, select '.' instead of a domain.

 

Enter credentials. A prompt for a token will appear.

 

facagent3.jpg

 

Since the FortiAuthenticator Agent communicates with FortiAuthenticator through a REST API, the login attempt can be checked in the debug logs on FortiAuthenticator.

 

Navigate to https://<FortiAuthenticator-ip>/debug and select the REST API while in FortiAuthenticator Agent -> Simulation -> View Logs.

facagent4.jpg

Expected behavior:

  1. If the credentials entered match the local user in FortiAuthenticator, but not the Windows user: the OTP will be received, as the user credential is verified with FortiAuthenticator. However, upon entering the OTP, the error 'User name or password is incorrect' will be seen because the credential used does not match the Windows credential.
  2. If the credential entered does not match the local user in FortiAuthenticator: the OTP input window will be seen, but no OTP will arrive due to an invalid credential with FortiAuthenticator.

 

If there is the error 'User name or password is incorrect':

  1. Ensure the local username and password are the same as the credentials for the Windows username and password.
  2. Ensure REST API is enabled on the interface facing the PC.
  3. Download FortiAuthenticator Agent from FortiAuthenticator itself under Authentication -> FAC Agent -> Microsoft Windows Agent, to ensure compatibility.
     Screenshot 2024-08-29 090352.png