Technical Tip: Forticlient SSLVPN using email two-factor authentication

tnaik · ‎01-13-2020

Description
This article explains how to configure Forticlient SSLVPN using email two-factor authentication.

Scope
The advantage of this solution is that FortiToken license is not required in order to generate tokens and send it to users.

The disadvantage is that this solution requires the user to have internet connectivity and access to email during the authentication attempt.
Therefore, depending on other configurations, this is not an appropriate solution for captive portals or dial-up IPsec authentication.

Solution
Configure the SMTP server.

For version 5.6 and 6.0:
Go to System -> Advanced.

For version 6.2:
Go to System -> Settings.

From the GUI:

From the CLI:
# config system email-server
    set reply-to {Sender_email_address}
    set server {SMTP_server_FQDN/IP}
    set port {SMTP_server_port_number}
    set authenticate {enable | disable}
    set username {username}
    set password {password_string}
    set security {none | starttls | smtps}
End
Create user.

NOTE:
Email based two-factor authentication can only be enabled via CLI.

Example shown for Local user:
# config user local
    edit "guest"
        set type password
        set two-factor email
        set email-to "guest@outlook.com
        set passwd ENC Fie9gxr7BS8GVFPZc2B5HtDuF9nt+81fw2W84I+BPLgH5nBxRC99

To configure SSLVPN check the below URL:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/559546/ssl-vpn-full-tunnel-for-remote-us...

Connect to Forticlient VPN.
once logged to Forticlient VPN, token will prompt on same screen.
See the below screenshot for reference .

Verification.

To check authentication process:
# diag debug reset
# diag debug application fnbamd -1
# diag debug enable
Debugging of token delivery via email:
# diag debug reset
# diag debug application alertmail -1
# diag debug enable