Description
This article describes how to restrict SSL VPN access to LDAP users who have two-factor authentication (FortiToken) enabled, so that an LDAP password alone is not enough to connect.
Scope
FortiGate.
Solution
- Configure the FortiGate to LDAP server link (User & Authentication -> LDAP Servers) and verify that the bind account can query the directory before continuing.
- Import the user from LDAP as a 'local' user: User & Authentication -> User Definition -> Create New, choose the remote LDAP user type and pick the account from the LDAP server. This creates a local user object of type LDAP; the password is still checked against the LDAP server.
- Assign a FortiToken to the imported LDAP user. An activation code is sent to the email address configured on the user (or by SMS if a phone number is configured).
- Create a Local User Group (for example 'Remote Access') and add the imported LDAP users that have FortiTokens assigned.
- Do not add the LDAP server under 'Remote Groups'; it is not needed. A remote group member would let LDAP users who were never imported authenticate with a password alone, whereas a group whose only members are token-enabled local users restricts the VPN to users who have completed two-factor enrolment.
- Add the 'Remote Access' group (the local group created above) to the SSL VPN settings under Authentication/Portal Mapping and select the required portal.
- Configure a firewall policy for SSL VPN users, from the SSL VPN tunnel interface to the internal networks, with the 'Remote Access' group as the source user group.
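The same procedure expressed in the FortiOS CLI, as an added example rather than configuration taken from the original article. The server name, directory DN, bind account, username, email address, interface names, address objects and the FortiToken serial (FTKMOB...) are placeholders; the serial must be one already registered on the FortiGate, and the address objects must already exist.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps above.
# All names, addresses and the token serial are placeholders (assumptions).

# 1. LDAP server link. LDAPS on 636 keeps the bind and user passwords off the wire in clear.
config user ldap
    edit "LDAP-Server"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=ldapbind,cn=Users,dc=example,dc=local"
        set password "bind-account-password"
        set secure ldaps
        set port 636
    next
end

# 2 and 3. Imported LDAP user as a local user of type ldap, with a FortiToken assigned.
# The password is verified by LDAP-Server; the token is checked by the FortiGate.
# email-to is where the activation code is sent.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "LDAP-Server"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
        set email-to "jdoe@example.local"
    next
end

# 4. Local group containing only token-enabled users.
# Deliberately no LDAP server as a remote member: that would admit LDAP users
# who were never imported, with a password alone.
config user group
    edit "Remote Access"
        set member "jdoe"
    next
end

# 5. Map the group to an SSL VPN portal.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Remote Access"
            set portal "full-access"
        next
    end
end

# 6. Firewall policy: only members of the group reach the LAN through the tunnel.
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-subnet"
        set groups "Remote Access"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Two checks are worth running before handing the VPN to users (placeholder names as above): 'diagnose test authserver ldap "LDAP-Server" jdoe <password>' confirms the LDAP link and the user's password independently of the VPN, and 'diagnose fortitoken info' lists each token's serial, activation status and assigned user, so an unactivated or unassigned token is visible before a user reports a failed login.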
To activate FortiToken Mobile:
Download and install the FortiToken Mobile app on the mobile device from the appropriate app store (App Store for iOS or Google Play Store for Android).
Receiving the activation code:
An email or SMS message is sent containing the activation code and a QR code. The activation code is valid only for a limited time; if it expires, the administrator must re-send it from the user's FortiToken settings.
Option 1: Scanning the QR code. Open the FortiToken Mobile app, tap the '+' icon in the top right corner and select 'Scan QR code', then scan the received QR code.
Option 2: Manually entering the activation code. Open the FortiToken Mobile app, tap the '+' icon in the top right corner and select 'Enter manually'. Select 'Fortinet Account' and enter the email address and the activation code received.
Completing the activation:
After scanning the QR code or entering the activation code, the app generates a time-based six-digit verification code.
At the SSL VPN login, enter the LDAP username and password first, then enter the current six-digit code when prompted to complete the two-factor authentication. Because the code is time-based, the FortiGate's clock must be accurate (synchronised with NTP) or valid codes will be rejected.