ManpreetSingh
Article Id 325709
Description This guide provides a step-by-step process for setting up Two-Factor Authentication (2FA) for FortiGate admin access using FortiAuthenticator.
Scope FortiGate, FortiAuthenticator.
Solution

Creating a User Account and Assigning a FortiToken on FortiAuthenticator.
  1. Log in to FortiAuthenticator.
  2. Navigate to Authentication -> User Management -> Local Users.
  3. Select 'Create New' and add user details.
  4. Enable RADIUS Authentication.
  5. Enable One-Time Password (OTP) Authentication.
  6. For Deliver token codes, select FortiAuthenticator.
  7. For Deliver token code by, select FortiToken -> FortiToken Mobile and then select the token.
  8. Select OK to save the configuration.
Configuring RADIUS Policy on FortiAuthenticator.
    Step 1: Define RADIUS Client.

    1. Log in to FortiAuthenticator.
    2. Navigate to Authentication-> RADIUS Service -> Clients.
    3. Select Create New.
    4. Enter the details:
      • Name: FortiGate.
      • IP Address: IP address of FortiGate.
      • Secret: Shared secret to be used with FortiGate.
    5. Select OK to save the configuration.

    Step 2: Configure RADIUS Policy.

    1. Go to Authentication -> RADIUS Service -> Policies.
    2. Select Create New.
    3. Enter a name for the policy (e.g., FortiGate-Admin-Access).

     Select RADIUS Client.

    1. In the Clients section, select the RADIUS client (FortiGate) created earlier.

     Define RADIUS Attribute Criteria.

    1. In the Conditions section, set the conditions to match the incoming requests. This section can be left as default if no specific criteria are needed.
    2. Select Next.

     Authentication.

    1. In the Authentication section, select Password + OTP as the authentication method.
    2. Select Next.

     Identity Source.

    1. In the Identity Source section, select the Local User Realm.
    2. Optionally, select a group to restrict the policy to members of that group.
    3. Select Next.

     Authentication Factors.

    1. In the Authentication Factors section, ensure Mandatory Password and OTP are selected.
    2. Select Next.

     Save the RADIUS Response.

    1. Leave the RADIUS Response settings as they are.
    2. Select OK to save the policy.

    Configure FortiAuthenticator as a RADIUS Server on FortiGate.

    1. Log in to FortiGate.
    2. Navigate to User & Authentication -> RADIUS Servers.
    3. Select Create New.
    4. Enter the details:
      • Name: FortiAuthenticator.
      • IP/Name: IP address of FortiAuthenticator.
      • Secret: Shared secret configured on FortiAuthenticator.
    5. Select OK to save.

    Enabling Admin Access on FortiGate Using FortiAuthenticator as RADIUS.

    Step 1: Create a User Group and Select the RADIUS Server.

    1. Log in to the FortiGate.
    2. Navigate to User & Authentication -> User Groups.
    3. Select Create New.
    4. Enter a name for the user group (e.g., RADIUS-Admin-Group).
    5. In the Remote Server section, select Add.
    6. Select the RADIUS server (FortiAuthenticator) previously configured.
    7. Select OK to save the user group.

    Step 2: Configure Administrator Accounts for 2FA.

    1. Go to System -> Administrators.
    2. Select Create New.
    3. Select Match all users in a remote-server group.
    4. Enter a name for the administrator.
    5. In the Remote User Group dropdown, select the user group created in Step 1 (RADIUS-Admin-Group).
    6. Assign an appropriate admin profile from the Admin Profile dropdown.
    7. Select OK to save the configuration.