mle2802 (Staff)
Article Id 348005
Description: This article describes how to combine email-based two-factor authentication with certificate authentication for dialup IPsec VPN.
Scope: FortiGate and FortiClient.
Solution
  1. Create a local user with email-based two-factor authentication and add it to a user group:

    config user local
        edit test
            set type password
            set two-factor email
            set email-to {user_email_address}
            set passwd {password}
        next
    end

    config user group
        edit "2FA VPN"
            set member "test" "vpnuser"
        next
    end

  2. Import the CA certificate:
    Go to System -> Certificates and select Import -> CA Certificate.

  3. Import the server (local) certificate:
    Go to System -> Certificates and select Import -> Local Certificate.

  4. Create a PKI user (peer) that is validated against the CA certificate imported in step 2:

    config user peer
        edit "henry"
            set ca "CA_Cert_1"
            set subject "CN=henry" <- This example uses subject field matching.
        next
    end

  5. Configure the IPsec phase 1 with IKE version 2, 'authmethod' set to 'signature', 'eap' set to 'enable' and 'eap-identity' set to 'send-request'. Then set 'authusrgrp' to the local user group that contains the user with email-based MFA, and 'peer' to the PKI user created in step 4:

    config vpn ipsec phase1-interface
        edit "cert"
            set type dynamic
            set interface "port1"
            set ike-version 2
            set authmethod signature
            set net-device disable
            set mode-cfg enable
            set proposal aes256-sha256
            set eap enable
            set eap-identity send-request
            set authusrgrp "2FA VPN"
            set certificate "fgt"
            set peer "henry"
        next
    end

  6. On FortiClient, select the matching client certificate and log in with the credentials of the local user created under 'config user local' in step 1.

  7. On FortiGate, with IKE and fnbamd debug enabled, the output shows that the peer certificate check matched and that user 'test' passed two-factor authentication:

    ike V=root:0:cert:4: received peer identifier DER_ASN1_DN 'CN = henry'
    ike V=root:0:cert:4: re-validate gw ID
    ike V=root:0:cert:4: gw validation OK
    ike V=root:0:cert:4: responder preparing EAP identity request
    ike V=root:0:cert:4: local cert, subject='fgt', issuer='henryCA'
    ike V=root:0:cert:4: local CA cert, subject='henryCA', issuer='henryCA'

    [2078] handle_req-Rcvd auth_token rsp for req 11686740021250
    [2131] handle_req-Check token '131852' with user 'test'
    [2152] handle_req-Verify(user=test vdom=root token_code=131852) returns 0

    [2190] handle_req-Token check succeeded. Orig auth ret 0
    [627] fnbam_user_auth_group_match-req id: 11686740021250, server: test, local auth: 1, dn match: 0
    [575] __group_match-Group '2FA VPN' passed group matching
    [578] __group_match-Add matched group '2FA VPN'(2)
    [206] find_matched_usr_grps-Passed group matching
    [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 11686740021250, len=2596

    ike V=root:0:cert:4: responder received AUTH msg

    ike V=root:0:cert:4: auth verify done
    ike V=root:0:cert:4: responder AUTH continuation
    ike V=root:0:cert:4: authentication succeeded
    ike V=root:0:cert:4: responder creating new child
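As an added example (not part of the article or Fortinet's own tooling), a small Python checker that reads an ike/fnbamd debug capture like the one in step 7 and reports which of the expected checks (certificate match, EAP start, email token, group match, IKE authentication) are missing, so a capture from a failed login can be triaged quickly. The regexes and the sample capture are assumptions built from the debug lines shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ike / fnbamd debug lines from step 7, joined into one capture.
SAMPLE_DEBUG = """\
ike V=root:0:cert:4: received peer identifier DER_ASN1_DN 'CN = henry'
ike V=root:0:cert:4: re-validate gw ID
ike V=root:0:cert:4: gw validation OK
ike V=root:0:cert:4: responder preparing EAP identity request
[2131] handle_req-Check token '131852' with user 'test'
[2152] handle_req-Verify(user=test vdom=root token_code=131852) returns 0
[2190] handle_req-Token check succeeded. Orig auth ret 0
[575] __group_match-Group '2FA VPN' passed group matching
ike V=root:0:cert:4: responder received AUTH msg
ike V=root:0:cert:4: authentication succeeded
"""

# Assumed line shapes, derived from the capture above (not an official log format).
IKE_LINE = re.compile(r"^ike V=(?P<gw>\S+?): (?P<msg>.*)$")
PEER_DN = re.compile(r"received peer identifier DER_ASN1_DN '(?P<dn>[^']*)'")
TOKEN_CHECK = re.compile(r"handle_req-Check token '\d+' with user '(?P<user>[^']+)'")
GROUP_OK = re.compile(r"__group_match-Group '(?P<group>[^']+)' passed group matching")


@dataclass
class AuthTrace:
    peer_dn: str = ""          # subject DN presented in the peer certificate
    cert_ok: bool = False      # "gw validation OK": certificate matched the PKI peer
    eap_started: bool = False  # FortiGate sent the EAP identity request
    token_user: str = ""       # user whose email token fnbamd checked
    token_ok: bool = False     # "Token check succeeded"
    groups: list = field(default_factory=list)  # groups that passed matching
    ike_auth_ok: bool = False  # "authentication succeeded" on the IKE side


def parse_debug(text: str) -> AuthTrace:
    """Fold one ike + fnbamd debug capture into an AuthTrace."""
    t = AuthTrace()
    for line in text.splitlines():
        m = IKE_LINE.match(line)
        msg = m.group("msg") if m else line  # fnbamd lines carry no ike prefix
        if (dn := PEER_DN.search(msg)):
            t.peer_dn = dn.group("dn")
        elif "gw validation OK" in msg:
            t.cert_ok = True
        elif "preparing EAP identity request" in msg:
            t.eap_started = True
        elif (tc := TOKEN_CHECK.search(msg)):
            t.token_user = tc.group("user")
        elif "Token check succeeded" in msg:
            t.token_ok = True
        elif (g := GROUP_OK.search(msg)):
            t.groups.append(g.group("group"))
        elif "authentication succeeded" in msg:
            t.ike_auth_ok = True
    return t


def missing_factors(t: AuthTrace, group: str) -> list:
    """Checks that did NOT appear in the trace; an empty list means both factors passed."""
    checks = {"certificate": t.cert_ok, "eap": t.eap_started, "email-token": t.token_ok,
              f"group:{group}": group in t.groups, "ike-auth": t.ike_auth_ok}
    return [name for name, ok in checks.items() if not ok]
```

Running `missing_factors(parse_debug(SAMPLE_DEBUG), "2FA VPN")` on the article's capture returns an empty list; a capture where fnbamd never reports a token check returns `["email-token"]`.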