Technical Tip: FortiClient SSL VPN using email two-factor authentication

tnaik · ‎01-13-2020

Description

This article describes how to configure FortiClient SSL VPN using email based two-factor authentication.

Scope

The advantage of this solution is that FortiToken license is not required in order to generate tokens and send it to users.

The disadvantage is that this solution requires the user to have internet connectivity and access to email during the authentication attempt.
Therefore, depending on other configurations, this is not an appropriate solution for captive portals or dial-up IPsec authentication.

Solution

Configure the SMTP server.

For version 5.6 and 6.0:
Go to System -> Advanced.

For version 6.2 and above:
Go to System -> Settings.

From the GUI:

From the CLI:

config system email-server
    set reply-to {Sender_email_address}
    set server {SMTP_server_FQDN/IP}
    set port {SMTP_server_port_number}
    set authenticate {enable | disable}
    set username {username}
    set password {password_string}
    set security {none | starttls | smtps}
end

Create user.

Note:

Email-based two-factor authentication can only be enabled via the CLI.

Example shown for Local user:

config user local
    edit "guest"
        set type password
        set two-factor email
        set email-to guest@outlook.com
        set passwd ENC Fie9gxr7BS8GVFPZc2B5HtDuF9nt+81fw2W84I+BPLgH5nBxRC99

end

To configure SSL VPN, refer to the URL below:

SSL VPN quick start | FortiGate / FortiOS 7.6.1 | Fortinet Document Library .

Connect to FortiClient VPN.

Once logged into FortiClient VPN, a token prompt will appear on the same screen.
See the screenshot below for reference.