Technical Tip: FortiToken Two-Factor authentication for an SSL VPN radius user

1. Configure the Radius Server:

2. Configure the Remote Radius User and enable FortiToken two-factor authentication:
   
   

To configure in the CLI: 

config user local
    edit "User_test"
        set type radius
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"
        set email-to "abc@gmail.com"
        set radius-server "Radius_Server"
    next
end

3. Configure a local user group and add the remote user to this group:

Note:

Do not add the remote server to the firewall group.

To configure in the CLI: 

config user group
    edit "VPN"
        set member "User_test"
    next
end

4. Add the local user group to the SSL VPN settings for the SSL VPN connection.

To configure in the CLI: 

config vpn ssl settings
       config authentication-rule
              edit 1
                    set groups "VPN"
                    set portal "tunnel-access"
              next
       end
end

Related articles: 

Technical Tip: Correctly configuring Two-Factor Authentication for LDAP users using SSL VPN

Troubleshooting Tip: FortiGate FortiToken configuration and troubleshooting resource list