FortiGate
avp
Staff
Article Id 406604
Description: This article describes how to enable two-factor authentication, using FortiToken MFA, for administrator accounts that are authenticated through LDAP.
Scope: FortiGate.
Solution

Step 1: Create an LDAP user group.

Go to User & Authentication -> User Groups -> Create new.

 

[Screenshot: Usergroup_LDAP.png]

 

After naming the user group, set Type to Firewall. Under Remote Groups, select Add, then select the LDAP server and the LDAP group whose members should be allowed to authenticate for administrative access. In this example the group is named Admin.

 

Step 2: Create an Admin User.

Go to System -> Administrators -> Create new.

 

[Screenshot: Admin_user.jpg]

 

1. Enter the user name. It must match the user name that exists in the LDAP group. Set Type to either 'Match a user on a remote server group' or 'Match all users in a remote server group'. The test user name used here is adminad.

For more information about 'Match all users in a remote server group' and 'Match a user on a remote server group', see the document Remote authentication for administrators.

2. Choose the Administrator profile required for this user. The document Administrator profiles explains how to configure administrator profiles.

3. Choose the user group created in Step 1. Here, the group name is Admin.

4. Enable Two-factor Authentication, select FortiToken, and then select the serial number of the token to assign to this admin user.

5. Enter the e-mail address that should receive the activation code for the FortiToken.
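The same two objects from Step 1 and Step 2 can be created from the FortiOS CLI. The block below is an added example and is not part of the original article: the LDAP server object name LDAP-Server, the group DN, the token serial, the e-mail address and the trusted management subnet are placeholder assumptions, while the group name Admin, the admin name adminad and the profile super_admin_readonly are taken from the article.

```fortios
# Step 1 equivalent: a firewall user group bound to an LDAP group.
# "LDAP-Server" and the group DN are assumed names for this example.
config user group
    edit "Admin"
        set member "LDAP-Server"
        config match
            edit 1
                set server-name "LDAP-Server"
                set group-name "CN=Admin,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Step 2 equivalent: an administrator matched on the remote group, with FortiToken two-factor.
# Token serial, e-mail address and trusted subnet are placeholder values.
config system admin
    edit "adminad"
        set remote-auth enable
        set accprofile "super_admin_readonly"
        set remote-group "Admin"
        # set wildcard enable    <- use this instead for 'Match all users in a remote server group'
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
        set email-to "adminad@example.com"
        # Optional hardening not covered by the GUI steps above: accept this admin's
        # logins only from the management subnet (assumed here from the log source address).
        set trusthost1 10.50.17.0 255.255.255.0
    next
end
```

The `#` lines are explanatory and should be dropped when pasting into the CLI. The token serial given to `set fortitoken` must already be present and unassigned on the FortiGate; the activation code is then sent to the `email-to` address, as in step 5.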

 

Step 3: The configuration is now complete and ready to test.

 

[Screenshot: askingTken.png]

 

Once the correct user name and password have been entered, the FortiGate prompts for the FortiToken code before granting access.

 

Step 4: Verification.

 

[Screenshot: Successlog.png]

 

date=2025-08-15 time=12:51:24 eventtime=1755242483912713966 tz="+0530" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1755242483" user="adminad" ui="https(10.50.17.161)" method="https" srcip=10.50.17.161 dstip=10.5.135.146 action="login" status="success" reason="none" profile="super_admin_readonly" msg="Administrator adminad logged in successfully from https(10.50.17.161)"

 

The log entry confirms that the user adminad logged in to the device successfully and that the expected administrator profile (super_admin_readonly) was assigned.
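Step 4 can also be checked from the CLI. The commands below are an added example, not from the article; they assume the same LDAP server object name LDAP-Server, and `<password>` is a placeholder for the account's LDAP password.

```fortios
# Confirm that the LDAP bind and group lookup work for the account before
# relying on them for administrative login.
diagnose test authserver ldap LDAP-Server adminad <password>

# Show only event-category log entries for this admin user; the successful
# login should appear with logdesc="Admin login successful".
execute log filter reset
execute log filter category 1
execute log filter field user adminad
execute log display

# If the token prompt never appears, trace the authentication daemon while
# a login is attempted, then stop the trace.
diagnose debug application fnbamd -1
diagnose debug enable
# ... reproduce the login attempt ...
diagnose debug disable
diagnose debug reset
```

The `execute log display` output should contain an entry equivalent to the one shown above, with `action="login"`, `status="success"` and `profile="super_admin_readonly"`; the fnbamd trace is only needed when the LDAP lookup or the token step fails.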

 

Related article:

Technical Tip: Add Two-Factor Authentication for FortiGate Administrators using FortiToken