Created on 10-11-2022 03:14 AM. Edited on 07-22-2025 06:53 AM by Jean-Philippe_P.
Description
This article describes how to configure ZTNA session-based authentication with an MFA token.
Scope
This setup deploys session-based form authentication with MFA (FortiToken) for login. Versions used: EMS v7.0.7, FortiGate v7.0.6.
Solution
This type of session/form-based authentication requires MFA and lets users log in to internal resources. It can be applied to both local and remote users.
Lab setup:
From the client machine, ensure it can resolve the application domains and the portal domain:
It is possible to use an LDAP user, a RADIUS user, or a local user with FortiToken:
Enable two-factor authentication with a token on the user, or use a local user group with 2FA, as in the lab test below:
Username is abcd. User group is LocalEMS.
Configure the ZTNA authentication scheme and authentication rule. The scheme is created under config authentication scheme; if using LDAP, its user database is the LDAP server, and if using a local user, it is the local user database. In both cases the following are required:
config authentication scheme
    edit "LocalZTNA"
        set method form
        ...
    next
end
config authentication rule
    ...
end
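Added example, not the article's own configuration: a complete CLI version of the local user, group, authentication scheme and authentication rule described above, using the names abcd, LocalEMS and LocalZTNA from the page. The password, FortiToken serial and rule name are placeholders, and the LDAP variant is shown as a comment; check option names against the FortiOS 7.0 CLI reference for your build.

```fortios
# Local user with FortiToken two-factor (password and token serial are placeholders)
config user local
    edit "abcd"
        set type password
        set passwd "REPLACE_WITH_PASSWORD"
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"
    next
end

# Group referenced by the ZTNA rule and by the diagnose test authserver check
config user group
    edit "LocalEMS"
        set member "abcd"
    next
end

# Form-based scheme: user-database selects where the password and token are verified
config authentication scheme
    edit "LocalZTNA"
        set method form
        set user-database "local-user-db"
        # LDAP variant: set user-database "<name-of-your-ldap-server>"
    next
end

# Rule that applies the scheme to HTTP traffic reaching the access proxy (rule name is a placeholder)
config authentication rule
    edit "ZTNA-form-rule"
        set status enable
        set protocol http
        set srcaddr "all"
        set active-auth-method "LocalZTNA"
    next
end
```

The scheme name is what the rule points at with active-auth-method; a user who is not in a group the ZTNA rule allows still fails the policy match even after entering a valid token, so the group membership above is as much a part of the access control as the MFA itself.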
Configure the ZTNA server as per the diagram above.
Create an access proxy virtual host that points to the ZTNA access proxy. The client is redirected to this page for form authentication:
Enable auth-portal on the access proxy and point it to the virtual host:
Create a ZTNA rule to allow the flow. ZTNA tagging can also be used as a match condition:
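Added example, not from the article: the access proxy side of the setup in CLI form, covering the VIP, the virtual host used for the login page, the auth-portal setting on the access proxy, and the ZTNA rule (a proxy policy). The VIP name, interface, certificate, external and real server addresses, portal hostname and EMS tag name are assumed placeholder values; LocalEMS is the group from the page.

```fortios
# Access-proxy VIP: the entry point clients connect to (addresses are placeholders)
config firewall vip
    edit "ZTNA-vip"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_Factory"
    next
end

# Virtual host on which the form login page is presented (hostname is a placeholder)
config firewall access-proxy-virtual-host
    edit "ztna-auth-vhost"
        set ssl-certificate "Fortinet_Factory"
        set host "portal.example.com"
        set host-type sub-string
    next
end

# Access proxy: client-cert enable keeps the FortiClient/EMS certificate check,
# auth-portal enable sends unauthenticated users to the virtual host above
config firewall access-proxy
    edit "ZTNA-proxy"
        set vip "ZTNA-vip"
        set client-cert enable
        set auth-portal enable
        set auth-virtual-host "ztna-auth-vhost"
        config api-gateway
            edit 1
                set url-map "/"
                set service http
                config realservers
                    edit 1
                        set ip 10.0.0.20
                        set port 80
                    next
                end
            next
        end
    next
end

# ZTNA rule: proxy policy bound to the access proxy, matched on the EMS tag and the user group
config firewall proxy-policy
    edit 1
        set name "ZTNA-allow-internal-web"
        set proxy access-proxy
        set access-proxy "ZTNA-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_TAGNAME"
        set groups "LocalEMS"
        set action accept
        set logtraffic all
    next
end
```

With this arrangement a request has to pass three checks in order: the client certificate issued through EMS (client-cert), the EMS tag on the proxy policy, and the form login with token handled by the authentication rule. Keeping logtraffic on gives the session a log entry that shows which of the three a failed attempt stopped at.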
Testing: test local users with a token prompt:
Saga-kvm24 # diagnose test authserver local LocalEMS abcd xxxxxx
Ensure FortiClient is connected to EMS telemetry and has been assigned the correct tag.
Access the web application to trigger the auth portal. Ensure the certificate prompt appears for the FortiClient-to-EMS certificate authentication step:
The client is redirected to the auth portal page:
Once the certificate is accepted:
Enter the credentials and token; the request is then forwarded to the backend web server:
The internal web server loads successfully:
Troubleshooting commands:
diagnose debug application sslvpn -1
diagnose endpoint record list x.x.x.x
diagnose firewall dynamic list
WAD debug:
diagnose wad debug enable cat all
To stop the debug, use the commands below:
diagnose debug disable
diagnose debug reset
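Added example, not from the article: the order in which a practitioner would run the troubleshooting commands above while reproducing a login, including the diagnose debug enable step without which the sslvpn and WAD traces print nothing. The endpoint IP is a placeholder.

```fortios
# Clear any earlier debug state, then arm the traces used in this article
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose wad debug enable category all
diagnose debug enable

# Reproduce the login from the client now; the trace prints on this console.
# While the session is up, confirm the endpoint's EMS record and the tag it carries
# (IP address is a placeholder):
diagnose endpoint record list 192.0.2.50
diagnose firewall dynamic list

# Stop and clear everything when done so the traces do not keep running
diagnose debug disable
diagnose debug reset
```

Reading the output: the endpoint record shows whether the client certificate and tag the policy expects are actually present for that IP, and the dynamic address list shows which tag address objects currently contain it; a client that authenticates correctly but is missing from the expected tag fails at the proxy policy, not at the form login.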
RADIUS authentication with FortiToken works only if the FortiToken is hosted on the FortiGate. RADIUS with a FortiToken or MFA hosted on FortiAuthenticator or on a third-party RADIUS server is not supported; use SAML authentication for a FortiToken hosted on FortiAuthenticator.
Related document:
Copyright 2025 Fortinet, Inc. All Rights Reserved.