sdebnath
Staff
Article Id 345590
Description
This article describes the issue where the SSL VPN monitor in the FortiGate GUI displays that two-factor authentication is not enabled, despite the client successfully connecting to FortiGate using SSL VPN credentials and FortiToken without any errors.
Scope
FortiGate, FortiClient.
Solution

This situation can occur when a user provides the SSL VPN credentials (username and password) and the token in concatenated form.

This is expected behavior: in this case FortiGate cannot see the SSL VPN user as 2FA-enabled (see the attachment below).

[Screenshot: User Credentials with Token and 2FA disabled]

To address this alert, it is recommended to enter the user credentials (username and password together) first and then allow a brief interval (seconds) while FortiGate prompts for two-factor authentication (2FA).
Once the token is provided or approved, FortiGate will recognize the user as having the required 2FA enabled:

[Screenshot: Expected Behavior with Token]

In addition, upgrading the firmware to v7.2.9 or later will also resolve this alert. FortiGate will then recognize VPN users as 2FA-enabled, regardless of whether the credentials and token are provided in a concatenated format:

[Screenshot: v7.2.9 Solution]

Note: If third-party two-factor authentication such as Duo Security is implemented, or the user does not have FortiToken enabled on the FortiGate, two-factor authentication for that user will show as 'disabled' on the FortiGate under the SSL VPN monitor. This is expected behavior.