Technical Tip: How to configure GUI access inside and outside network with and without 2FA using FortiAuthenticator

jhussain_FTNT · ‎10-09-2025

Description

This article describes how to configure GUI access of FortiGate with remote user group using FortiAuthenticator as the radius server and allowing access with and without 2FA when accessing inside and outside the network for the same user.

Scope

FortiGate, FortiAuthenticator.

Solution

FortiGate:

Configure the radius server with FortiAuthenticator.

Configure the user group under User & Authentication -> User Groups.

Configure the Admin profile with a remote server group under System -> Administrator and select the user group in the Remote user group setting.

FortiAuthenticator:

Assign LDAP user with FortiToken and add the user to the user group.

Configure Trusted subnet (e.g. a local LAN network subnet) under Authentication -> User Account Policies -> Trusted subnets.

Create a new rule under Authentication -> User Account Policies -> Adaptive MFA Rules and add the Pre-defined trusted subnet.

Apply the Adaptive MFA rule in the RADIUS policy profile.

When the user tries to connect to FortiGate GUI from outside network

When the user tries to connect to the FortiGate GUI by accessing a local network, the user is able to log in without a FortiToken.

Technical Tip: How to configure GUI access inside and outside network with and without 2FA using FortiAuthenticator

You are leaving our website