Description
This article describes the steps to configure Two Factor Authentication on FortiGate with token delivery to user’s email.
Useful links:
CLI Reference: https://docs.fortinet.com/document/fortigate/6.0.6/cli-reference/689474/system-email-server
Solution
There are two steps to complete this configuration:
1) Configure the SMTP server.
#config system email-server
set reply-to {Sender_email_address}
set server {SMTP_server_FQDN/IP}
set port {SMTP_server_port_number}
set authenticate {enable | disable}
set username {username}
set password {password_string}
set security {none | starttls | smtps}
end
2) Create user(s) with email two factor enabled.
#config user local
edit {username}
set type password
set two-factor email
set email-to {user_email_address}
set passwd {password}
next
end
#config system admin
edit "admin"
set type password
set two-factor email
set email-to user_email_address
set passwd password
next
end
NOTE: Email based two-factor authentication can only be enabled via CLI.
Verification of Configuration:
Once the newly created user can access certain service (e.g. SSL-VPN), the user will be prompted for username and password as usual during access attempt.
If correct credentials are entered by the user, the user will be prompted to enter a token. This token will be delivered to the user’s mailbox. Once the user enters the received token, access will be granted.
Troubleshooting:
Debugging of the authentication process:
#diag debug reset
#diag debug application fnbamd -1
#diag debug enable
Debugging of token delivery via email:
#diag debug reset
#diag debug application alertmail -1
#diag debug enable
