Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
potapnev
New Contributor

Created on ‎10-27-2022 01:33 AM

2FA with RADIUS

FortiOS 6.2.5
Are there any instructions how to create email or certificate-based 2FA for RADIUS users?

Labels:
3525
10 REPLIES 10
Anthony_E
Community Manager
Community Manager

Created on ‎10-30-2022 12:40 AM

Hello potapnev,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
3025
0 Kudos
JeremyNV
New Contributor
In response to Anthony_E

Created on ‎11-16-2022 11:54 AM

Hello
Any ideas?

2776
0 Kudos
gfleming
Staff
Staff
In response to JeremyNV

Created on ‎11-16-2022 12:42 PM

You've been given excellent responses already. If you aren't happy with the solution provided using FortiGate as email provider, you need to look at your RADIUS server to provide this functionality.

Cheers,
Graham
2771
gfleming
Staff
Staff

Created on ‎10-31-2022 10:29 AM

This would be a function of your RADIUS server. Which RADIUS server are you using.


The FortiGate only acts as a RADIUS client...

Cheers,
Graham
3006
bpozdena_FTNT
Staff
Staff

Created on ‎11-01-2022 01:25 AM

1. Email token delivery:

config user local
    edit "user1"
        set type radius
        set two-factor email
        set email-to "user1@example.com"
        set radius-server "my_radius_server"
    next
end

You can also use your custom SMTP server. 

 

 

2. Certificate based SSL VPN authentication:

HTH,
Boris
2994
JeremyNV
New Contributor
In response to bpozdena_FTNT

Created on ‎11-01-2022 01:35 AM

In the email token option I'll need to add every user manually? Or it will take emails from radius server for every user?

2990
0 Kudos
Markus_M
Staff
Staff
In response to JeremyNV

Created on ‎11-01-2022 03:29 AM

Hi Jeremy,

 

every user needs to be manually configured, if the second factor is set on the FortiGate.

If the second factor is set on another server like RADIUS, it will have to be configured there. FortiAuthenticator can import users from LDAP and automatically read the email address of that user, assign FortiToken Mobile and send the FortiToken Mobile activation to the email address that was imported. "Remote user sync rules" are the trick.

 

Best regards,

 

Markus

2979
0 Kudos
JeremyNV
New Contributor
In response to Markus_M

Created on ‎11-01-2022 06:27 AM

Any examples of configuring 2FA on RADIUS so that it could be used by FortiClient?

2974
0 Kudos
Hatibi
Staff
Staff
In response to JeremyNV

Created on ‎11-01-2022 08:33 AM

Hi Jeremy,

 

regarding the scenario where FortiAuthenticator will act as radius server you can use the following documentation:

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/278744/fortitoken-mobile-push-f...

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/997639/configure-ldap-users-on-...

 

Regards

S

2960
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.