timonin87
New Contributor

2FA with non-default realm

Dear Team,

We are experiencing an issue with SSL VPN authentication when using email-based OTP and custom realms.

**Device:** FortiGate 100F
**Firmware:** v7.2.8 build1639 (Mature)
**Authentication type:** Local users with two-factor authentication set to email
**Issue:**
- When users authenticate via the **default realm** (i.e., no "set realm" in the authentication rule), the OTP email is sent, and login proceeds successfully.
- When configuring a **custom realm** and associating the same users via an `authentication-rule`, the login fails with **"permission denied"** and **OTP is not triggered**.
- Debug logs show: `two factor check for [user]: off`, even though user configuration includes `set two-factor email`.

**Troubleshooting done:**
- Verified user has `set two-factor email` and valid email address.
- Tried assigning user directly in `authentication-rule` and via user group — behavior is the same.
- Reset password and email OTP on the user — no change.
- Verified that SSLVPN works in both realms with users that have no 2FA.
- Upgrading firmware is currently under consideration if this is a known issue.

**Request:**
- Can you confirm whether email-based OTP is fully supported in non-default realms?
- Is there a known bug or limitation for this configuration?
- Any workaround (other than switching to FortiToken) that would enable OTP to trigger in a custom realm?

Please advise.

Thank you in advance!


3 Replies
AEK
SuperUser

Hi Timonin

I don't know of such a limitation, but your detailed tests seem to confirm it. If updating the firmware to the recommended version doesn't resolve it, then the limitation will be double confirmed.

A good solution would be to use a RADIUS server.

AEK
funkylicious
SuperUser

Hi,

I just did a test on a 200E running 7.2.10 with two realms, a custom "/local" and the default "/", using the same user with 2FA on email, but in each realm a different group ... just because ... and also with the correct FW rules for them. I had no issues with 2FA: I was prompted in both cases, the code came via email, and it went smoothly.

"jack of all trades, master of none"
timonin87
New Contributor

I had messed up the user groups and firewall rules. So it works.

Thank you all!
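For reference, here is a minimal configuration of the shape the thread describes, added as an illustration and not taken from any of the posts above: a local user with email OTP, a user group that is referenced both by the custom-realm `authentication-rule` and by the firewall policy that allows the tunnel traffic. The user name, e-mail address, certificate, interface and object names are placeholders. The binding the accepted answer points at is between the last two stanzas: the group named in the authentication rule must also appear in a firewall policy whose source interface is the SSL VPN interface, which matches the symptom in the original post (permission denied, no OTP sent) when the two do not line up.

```text
config user local
    edit "alice"                          # placeholder user name
        set type password
        set passwd "REPLACE_ME"
        set two-factor email
        set email-to "alice@example.com"  # placeholder address
    next
end

config user group
    edit "SSLVPN-LOCAL"
        set member "alice"
    next
end

config vpn ssl web realm
    edit "local"                          # served at https://<vpn-host>/local
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"     # placeholder; use your own certificate
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    config authentication-rule
        edit 1
            set groups "SSLVPN-LOCAL"     # group, not the bare user
            set realm "local"             # the custom realm from the post
            set portal "full-access"
        next
    end
end

config firewall policy
    edit 10
        set name "sslvpn-local-to-lan"
        set srcintf "ssl.root"            # SSL VPN interface of the root VDOM
        set dstintf "port1"               # placeholder LAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-LOCAL"         # same group as in the authentication rule
        set nat enable
    next
end
```

To see which authentication rule and group a login actually matched, and whether the second-factor step is reached, enable `diagnose debug application sslvpn -1` and `diagnose debug application fnbamd -1` together with `diagnose debug enable`, reproduce the login against `/local`, and then run `diagnose debug reset`. The `two factor check for <user>` line quoted in the original post comes from fnbamd, so if it still reads `off` after the group and policy are aligned, the user object itself (two-factor mode and `email-to`) is the next thing to check.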
