
Can I block SSL VPN if they don't have 2FA

Hi all,


We are in the process of ordering the mobile app and also the 200B physical 2FA for our SSL VPN users. I can see that I can pull the users across from LDAP and enable 2FA on there, and then as long as they are in the VPN group on LDAP this will work fine, as currently it's just a case of being in the VPN group in Active Directory and they are allowed on. My question is: as you have to enable 2FA for a user for it to work, if we don't enable it for a user but they are in the Active Directory group, will this bypass the 2FA and let them connect as normal, or is there an option to say that if they're in the group but don't use 2FA then don't allow the connection?

Hope that makes sense.




If a user group without 2FA assigned is in the SSL VPN authentication/portal mapping rule, then the FortiGate will allow the user to connect to the SSL VPN without a 2FA token.


Kindly refer to the document below, which explains SSL VPN authentication.


If you need to enforce that users connect to the SSL VPN with 2FA only, then configure only the users who are assigned a FortiToken and map them in the SSL VPN authentication/portal mapping rule.
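An added example, not part of the original posts and not Fortinet code: a small Python audit that reads a FortiGate CLI config backup and lists every member of a group mapped in an SSL VPN authentication rule that could log in without a token. The helper names `parse` and `audit` and the sample objects (`alice`, `bob`, `corp-ldap`, `vpn-users`) are constructed for illustration, and the check assumes that a group member not defined under `config user local` is a remote server object.

```python
import shlex

SAMPLE = """
config user local
    edit "alice"
        set type ldap
        set two-factor fortitoken
    next
    edit "bob"
        set type ldap
    next
end
config user group
    edit "vpn-users"
        set member "alice" "bob" "corp-ldap"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-users"
        next
    end
end
"""  # constructed, trimmed sample in FortiOS CLI backup syntax

def parse(text):
    tables, path, entry = {}, [], None  # {"table > subtable": {entry: {key: [values]}}}
    for kw, *args in filter(None, map(shlex.split, text.splitlines())):
        if kw in ("config", "end"):  # entering or leaving a table closes the current entry
            path, entry = (path + [" ".join(args)] if kw == "config" else path[:-1]), None
        elif kw == "edit":
            entry = tables.setdefault(" > ".join(path), {}).setdefault(args[0], {})
        elif kw == "set" and entry is not None:
            entry[args[0]] = args[1:]
    return tables

def audit(text):
    t = parse(text)
    users, groups = t.get("user local", {}), t.get("user group", {})
    findings = []
    for rule_id, rule in t.get("vpn ssl settings > authentication-rule", {}).items():
        for group in rule.get("groups", []):
            for member in groups.get(group, {}).get("member", []):
                if member not in users:  # assumed to be a remote server object (LDAP/RADIUS)
                    findings.append((rule_id, group, member, "not a local user"))
                elif users[member].get("two-factor", ["disable"])[0] == "disable":
                    findings.append((rule_id, group, member, "no two-factor"))
    return findings
```

An empty result from `audit` means every group mapped in an authentication rule contains only local user entries with two-factor enabled, which is the layout the answer above recommends.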







