FortiGate
chaithrar
Staff
Article Id 196455

Description

 
This article describes the steps necessary to configure SMS Two-Factor Authentication in a FortiGate, with a 3rd party (custom) SMS provider.

FortiGate can send SMS tokens to end users either through the FortiGuard SMS service or through a 3rd party SMS provider.
 
Scope
 
FortiGate.


Solution

 

Configuring SMS Two-Factor Authentication requires four steps:
  • Configure the SMTP server.
  • Configure the SMS service on the FortiGate.
  • Configure the SMS service on the SMS provider.
  • Create user(s) and/or Administrator(s) with SMS two factor enabled.

 

  1. Configure the SMTP server.
 
Configure the SMTP server as follows in the CLI:
 
config system email-server
    set type custom
    set reply-to <reply-to string>                 <----- Specify the reply-to email address.
    set server <IP or domain of the SMTP Server>
    set port 25
    set source-ip 0.0.0.0
    set source-ip6 ::
    set authenticate disable
    set security none
end
 
  2. Configure the SMS service on the FortiGate.
 
Perform the following configuration in the CLI:
 
config system sms-server
    edit <provider>                    <----- Provider name or any name.
        set mail-server <server_name>  <----- Provider domain (the part after '@' in the gateway email address).
    next
end

 
  3. Configure the SMS service on the SMS provider.


The configuration of these settings depends on the 3rd party SMS provider.

 

  4. Create user(s) and/or administrator(s) with SMS two factor enabled.
 

SMS authentication must be enabled from the CLI for each individual user or administrator.
In the user settings, set sms-server to 'custom'; the sms-custom-server option then becomes available:

 

For users:

 

Use Custom server:

config user local
    edit <user>                          <----- Name of the user.
        set two-factor sms
        set sms-phone "xxxxxxxxxxxx"
        set sms-server custom
        set sms-custom-server <provider> <----- Configured in step 2.
    next
end

 

Or use FortiGuard as the server:

 

config user local
    edit <user>                          <----- Name of the user.
        set two-factor sms
        set sms-phone "xxxxxxxxxxxx"
        set sms-server fortiguard
    next
end
 

After setting up the above configuration in the CLI, navigate to the GUI. Go to User & Authentication -> User Definition and edit the appropriate user profile, then select the Country Dial Code and enter the phone number (sms-phone in the CLI) to which the MFA code is sent.

 


 

For administrators:

 

config system admin
    edit "adminTest"                       <----- Enter the admin user name.
        set two-factor sms
        set sms-server {fortiguard | custom} <----- Use 'custom' for the 3rd party SMS server.
        set sms-custom-server <provider>     <----- Only when sms-server is 'custom'; configured in step 2.
        set sms-phone "xxxxxxxxxxxx"         <----- Enter the phone number of the user.
    next
end

 
After setting up the above configuration in the CLI, navigate to the GUI. Go to System -> Administrators and edit the appropriate administrator profile, then select the Country Dial Code and enter the phone number (sms-phone in the CLI) to which the MFA code is sent.

 



Important Notes:

 

  1. The SMTP server configured in step 1 is the server the FortiGate uses to reach the 3rd party SMS service. The SMTP server must therefore allow the FortiGate (its source IP) to relay through it.
  2. The mail-server address in step 2 is the domain part of the email address to which the FortiGate sends the token message.

For example: using the above configuration, the FortiGate will send an email to [recipient_mobile_number]@[providerdomain] through the server IP configured in step 1.
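Because the token only arrives if that SMTP server relays to the provider domain, it is worth checking the relay path before reaching for the sniffer. The following script is an added example (not from this article or from Fortinet): it mirrors the article's settings (unauthenticated SMTP on port 25, reply-to address, provider domain from 'set mail-server') and runs EHLO / MAIL FROM / RCPT TO followed by RSET, so no SMS is sent. The server IP, provider domain and phone number are constructed placeholders; run it from the FortiGate's source subnet.

```python
"""Pre-check the email-to-SMS relay path a FortiGate will use (added example, not Fortinet code).
It does EHLO / MAIL FROM / RCPT TO and then RSET, so no message is queued and no SMS is sent."""
import smtplib
from dataclasses import dataclass

@dataclass
class SmsGatewayConfig:
    smtp_server: str      # 'set server' in config system email-server
    smtp_port: int        # 'set port 25'
    provider_domain: str  # 'set mail-server' in config system sms-server
    reply_to: str         # 'set reply-to' in config system email-server

def sms_gateway_address(sms_phone: str, provider_domain: str) -> str:
    """Recipient the FortiGate builds: [recipient_mobile_number]@[providerdomain]."""
    digits = "".join(ch for ch in sms_phone if ch.isdigit())
    if not digits:
        raise ValueError(f"sms-phone contains no digits: {sms_phone!r}")
    return f"{digits}@{provider_domain}"

def check_relay(cfg: SmsGatewayConfig, sms_phone: str, client_factory=smtplib.SMTP):
    """Return (accepted, detail); client_factory is injectable so the logic can run offline."""
    rcpt = sms_gateway_address(sms_phone, cfg.provider_domain)
    with client_factory(cfg.smtp_server, cfg.smtp_port, timeout=10) as smtp:
        smtp.ehlo()
        code, msg = smtp.mail(cfg.reply_to)
        if code != 250:
            return False, f"MAIL FROM rejected: {code} {msg.decode(errors='replace')}"
        code, msg = smtp.rcpt(rcpt)
        smtp.rset()  # abandon the transaction: nothing is delivered
        if code not in (250, 251):
            return False, f"relay to {rcpt} refused: {code} {msg.decode(errors='replace')}"
        return True, f"relay to {rcpt} accepted"

class FakeSmtp:
    """Constructed stand-in for smtplib.SMTP (offline demo): relays only to RELAY_DOMAINS."""
    RELAY_DOMAINS = {"sms.provider.example"}  # constructed placeholder provider domain
    def __init__(self, host, port, timeout=None):
        self.host, self.port = host, port
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def ehlo(self): return 250, b"ok"
    def mail(self, sender): return 250, b"2.1.0 Ok"
    def rset(self): return 250, b"2.0.0 Ok"
    def rcpt(self, rcpt):
        if rcpt.split("@", 1)[1] in self.RELAY_DOMAINS:
            return 250, b"2.1.5 Ok"
        return 554, b"5.7.1 Relay access denied"

if __name__ == "__main__":
    cfg = SmsGatewayConfig("192.0.2.25", 25, "sms.provider.example", "fortigate@example.com")
    print(check_relay(cfg, "+1 555 010 0123", client_factory=FakeSmtp))
```

Against a real server, leave client_factory at its default so smtplib.SMTP is used; a 5xx on RCPT TO means the relay restriction from Note 1 is the problem, not the FortiGate.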

 

  • Log in to the FortiGate unit using the username and password of the user created in step 4.
  • After selecting Login, the 'Token Code' prompt appears and an SMS is sent to the user's phone number.
  • Enter the one-time code to log in to the FortiGate.

 

Troubleshooting:

Run the following command to capture the SMTP traffic (port 25) the FortiGate sends to the SMTP server and diagnose issues with token codes not being delivered:
 
diagnose sniffer packet any 'port 25' 6