Fortinet Forum
ronnie_jorgensen
New Contributor

2FA for administrators logging in to the WebUI

Hi all,


I spoke with my manager today about setting trusted hosts on the admin accounts we have to the WebUI and the conversation led to instead using the 2FA option. We do not use FortiTokens but instead have RSA SecurID set up that we currently use for SSL VPN users.


Does anyone know if we can use the same 2FA for administrators logging in to the WebUI? If not, how do I get the FortiTokens to work? I have 2 FortiTokens currently and would need to get more, but for now these 2 are enough. So I set up my admin account, set my SMS, did the 2FA and selected a FortiToken. I do not get the activation email by SMS, but I have seen a workaround https://cookbook.fortinet.com/two-factor-auth-fortitoken-mobile/ that says you can get the activation code via the CLI. Now, do I need to download, install and activate the token with the FortiToken app on my mobile before this will work?


Does anyone know how I can get my FortiGate to send SMS, so I don't have to use the CLI to get the activation code?


Best Regards

Ronnie

emnoc
Esteemed Contributor III

You could easily do this with RADIUS and Duo. Here's a cloud-based authentication service. I never heard of anybody using just RSA, but you should ask them.


http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html


PCNSE 

NSE 

StrongSwan  

xsilver_FTNT
Staff

Hi,


1. As you speak about SMS, activation code, application and two tokens, I assume you are talking about FortiToken Mobile and those two demo tokens inside every FortiGate. Just to note, there are 5 different FortiToken models.


2. SMS - by default sent through the FortiGuard SMS Service Gateway. There might be some free SMS messages granted; I do not remember the current amount as it is changing a bit. In general the FortiGuard SMS Service is pre-paid and delivered to the FortiGate as a license for a certain amount of prepaid SMS messages you are then able to use/send.

Alternatively, you can set up your own custom SMS gateway with SMTP delivery. ( http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36478 )

For two tokens, the CLI seems to me the less complicated method.

Just assign the token to the user/admin and then go to the respective token for the activation-code:


config user fortitoken
    edit "FTKMOB43411D6E13"
        set license "FTMTRIAL00143831"          <--- DEMO/TRIAL licence
        set activation-code "EEIO7HTZ73FGFFCR"  <--- code you are looking for
        set activation-expire 1533462367
    next
end


config user local
    edit "testsms"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB43411D6E13"       <--- token above
        set email-to "testsms@xsilver.org"
        set sms-phone "+0042739946842"
    next
end


3. If you do have any other MFA (multi-factor authentication) and it's done via the RADIUS protocol, then the user can be of type remote with RADIUS settings pointing to the server which will do the MFA (or at least the first part, as for example FortiAuthenticator can do chain authentication). FGT is able to handle RADIUS Challenge-Requests (up to some 4 additional exchanges AFAIR).


(!) If you are going to make all the admins MFA and depending on outer auth, then I would highly suggest making one backup super admin account with local auth (trusted host set to one mgmt IP, optionally) and a strong password, whose credentials will be kept locked in a vault. Just in case those MFA authentications fail, tokens get lost etc. Just to be on the safe side.

Tom xSilver, planet Earth, over and out!
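Added example (not from any poster in this thread, and not Fortinet's own documentation): FortiOS CLI for the three admin setups discussed above, a WebUI admin with the FortiToken Mobile token, admins authenticated by an external RADIUS/MFA server as in point 3 and emnoc's reply, and the break-glass local super admin from the (!) note. Admin names, IP addresses, the RADIUS server, and the placeholder passwords/secrets are assumptions; the token name is the demo token from the post above.

```fortios
# Added example, not from the thread. Names, addresses and secrets are placeholders.

# 1) WebUI admin protected by the FortiToken Mobile token assigned above.
#    The token must already be activated in the FortiToken Mobile app using
#    the activation-code read from "config user fortitoken".
config system admin
    edit "ronnie"
        set accprofile "super_admin"
        set password "<strong-password>"
        set two-factor fortitoken
        set fortitoken "FTKMOB43411D6E13"
        set email-to "ronnie@example.com"
        set sms-phone "+15555550100"
        set trusthost1 10.0.0.0 255.255.255.0     <--- admin network only
    next
end

# 2) Admins authenticated by an external RADIUS server that performs the MFA
#    (RSA SecurID, Duo, FortiAuthenticator). FortiOS relays the RADIUS
#    Challenge-Request so the token prompt reaches the admin.
config user radius
    edit "rsa-radius"
        set server "10.0.0.20"                    <--- placeholder RADIUS/MFA host
        set secret "<shared-secret>"
    next
end
config user group
    edit "radius-admins"
        set member "rsa-radius"
    next
end
config system admin
    edit "radius-admin"
        set remote-auth enable
        set remote-group "radius-admins"
        set accprofile "super_admin"
        set wildcard enable                       <--- any user the RADIUS server accepts
        set trusthost1 10.0.0.0 255.255.255.0
    next
end

# 3) Break-glass local super admin: local password kept in a vault,
#    reachable from one management host only, used when MFA is unavailable.
config system admin
    edit "breakglass"
        set accprofile "super_admin"
        set password "<vaulted-password>"
        set trusthost1 10.0.0.5 255.255.255.255   <--- single mgmt IP
    next
end
```

Logins to the break-glass account should be rare; an alert on any successful login event for that admin name makes unexpected use visible.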

Naimbeezy

Gracias
xsilver_FTNT

My pleasure.

If you like my answer, then simply/kindly rate it and share it if it's going to help others (which is my intention).

Tom xSilver, planet Earth, over and out!