FortiGate
tnaik
Staff
Article Id 194023

Description

 

This article describes how to configure FortiClient SSL VPN using email based two-factor authentication.

Scope

 

The advantage of this solution is that a FortiToken license is not required to generate tokens and send them to users.

The disadvantage is that this solution requires the user to have internet connectivity and access to email during the authentication attempt.
Therefore, depending on other configurations, this is not an appropriate solution for captive portals or dial-up IPsec authentication.


Solution

 

Configure the SMTP server.

For version 5.6 and 6.0:
Go to System -> Advanced.

For version 6.2 and above:
Go to System -> Settings.


From the GUI:


 
From the CLI:
 
# config system email-server
    set reply-to {Sender_email_address}
    set server {SMTP_server_FQDN/IP}
    set port {SMTP_server_port_number}
    set authenticate {enable | disable}
    set username {username}
    set password {password_string}
    set security {none | starttls | smtps}
end
 
Create user.
 
Note:
Email-based two-factor authentication can only be enabled via the CLI.
 
Example shown for Local user:
 
# config user local
    edit "guest"
        set type password
        set two-factor email
        set email-to guest@outlook.com
        set passwd ENC Fie9gxr7BS8GVFPZc2B5HtDuF9nt+81fw2W84I+BPLgH5nBxRC99
    next
end
 
To configure SSL VPN, refer to the URL below:
 
 
Connect to FortiClient VPN.
Once the user logs in to FortiClient VPN, a token prompt appears on the same screen.
See the screenshot below for reference.
 
 
Verification.
 
To check the authentication process:

# diag debug reset
# diag debug application fnbamd -1
# diag debug enable

Debugging of token delivery via email:

# diag debug reset
# diag debug application alertmail -1
# diag debug enable
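
An offline check of the two configuration steps above (SMTP server and local user), as an added example that is not part of the original article: it parses a saved FortiGate configuration and flags email two-factor users without email-to, users with no second factor, and an email server left at security none. The sample configuration is constructed, the function names are this example's own, and it assumes single-line values and that an unset security means none.

```python
import shlex

# Constructed sample of a FortiGate config backup (not taken from the article).
SAMPLE = '''
config system email-server
    set server "smtp.example.com"
    set security none
end
config user local
    edit "guest"
        set two-factor email
        set email-to "guest@example.com"
    next
    edit "alice"
        set two-factor email
    next
    edit "bob"
        set type password
    next
end
'''

def parse(text):
    """Return {section: {entry: {key: value}}}; section-level keys use entry ''."""
    out, section, entry, depth = {}, None, "", 0
    for line in text.splitlines():
        tok = shlex.split(line.lstrip("# ")) or [""]  # tolerate the "# " prompt
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks are skipped
                section, entry = " ".join(tok[1:]), ""
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] in ("edit", "next"):
            entry = tok[1] if tok[0] == "edit" else ""
        elif depth == 1 and tok[0] == "set":
            out.setdefault(section, {}).setdefault(entry, {})[tok[1]] = " ".join(tok[2:])
    return out

def audit(text):
    cfg, found = parse(text), []
    mail = cfg.get("system email-server", {}).get("", {})
    if mail.get("security", "none") == "none":  # assumption: unset means none
        found.append("email-server: security none, codes sent over cleartext SMTP")
    for name, u in cfg.get("user local", {}).items():
        if u.get("two-factor") == "email" and not u.get("email-to"):
            found.append(f"{name}: two-factor email but no email-to")
        elif u.get("two-factor", "disable") == "disable":
            found.append(f"{name}: no second factor")
    return found
```

Calling audit(SAMPLE) returns one finding for the email server, one for alice and one for bob; guest passes.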


Related articles

Troubleshooting Tip: The email two-factor authentication code for SSL VPN client is never received