So, I have a bit of a dilemma, this is the fact that the FortiAuthenticator does a good job in authenticating and all and I am trying to increase the OTP possibilities by introducing the chained authentication from the same RADIUS source.
I have a Radius source that I would like to use Chained Auth, but this source is already set up (with ip) doing AD authentication and OTP forced.
If I change the setting to chained authentication, the FortiAuthenticator will require two OTPs, this is not what I want.
If I remove the force and set it to apply two factor if available, the user with no Token will get forwarded to the chained auth and all is good. However users that have a token will still get both OTP as a requirement.
So the question quickly becomes if there is a way to mix these settings?
Well, I'm a bit confused.
It seems to me you already have 2FA via OTP (probably on FortiAuthenticator {FAC} and so probably via FortiToken of some sort), and now you want to get rid of 2FA on FAC because you desperately want to use 'chained' authentication to the source which now offers OTP 2FA as well? Sorry but this makes little sense to me, unless you do not have tokens for all users on FAC, so you would need to acquire (purchase) some, and that other source offers tokens cheaper or for free.
So how about setting that source with a secondary IP to be able to define it as a possible source for chained auth?
And so how about distinguishing between users who will use 2FA from FAC and those who use the other OTP source, for example via a group membership filter in the RADIUS Client, or via RADIUS Client profiles. Or even disable any possible use of 2FA on FAC, even if the user has a token, and move all the users to that other OTP source and do the chaining for all of them. Or simplify your life by purchasing a bundle of FortiToken Mobile tokens and extend what you already have ready, tested and working. There certainly are possibilities.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
The FortiAuthenticator does a good job in AD Authentication, supporting password change over FortiClient and other neat things, the FortiToken Mobile works well and all that goodness.
What it does not do well is supporting third party Tokens (except for Yubikey in TOTP mode) and this would be good to have in my case as there are already a bunch of Token variants present in the Organisation.
I sorted it with different profiles on the RADIUS Clients, some realms doing chained auth and the others not.
@Daniel Could you give an example of your config for chained auth?
We've done it by realm also and used an authenticator like Duo.
http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
We had the same issue until we made everybody Duo, a mix of authenticators in a single Organization. Also what I'm seeing now is the need to support 3rd party consultants/contractors who might not be in the MS-AD domain and require MFA via TOTP.
With realms you can easily support all of these needs for SSLVPN.
Ken Felix
PCNSE
NSE
StrongSwan
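The realm-based split that Daniel and Ken describe above, written out as an added FortiGate CLI example (this is not configuration posted by either of them, nor Fortinet's own documentation): one SSL VPN realm is authenticated against a RADIUS server named "FAC-RADIUS" (standing in for the FortiAuthenticator) and a second realm against "DUO-RADIUS" (standing in for a Duo RADIUS proxy). The server names, the 192.0.2.x addresses, the shared secrets, the realm URL paths and the 60-second remote authentication timeout are all placeholders or assumptions chosen for the example; the FAC-side chained-auth or RADIUS Client profile settings live on the FortiAuthenticator and are not shown.

```fortios
# Added example, not from the thread. Two RADIUS backends, two user groups,
# two SSL VPN realms, and one authentication rule per realm.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"      # placeholder: FortiAuthenticator address
        set secret "CHANGE_ME_FAC"   # placeholder shared secret
    next
    edit "DUO-RADIUS"
        set server "192.0.2.20"      # placeholder: Duo Authentication Proxy address
        set secret "CHANGE_ME_DUO"   # placeholder shared secret
    next
end

config user group
    edit "VPN-FAC-Users"
        set member "FAC-RADIUS"      # anyone this RADIUS server accepts
    next
    edit "VPN-DUO-Users"
        set member "DUO-RADIUS"
    next
end

# Each realm gets its own login URL, e.g. https://vpn.example/fac and /duo
config vpn ssl web realm
    edit "fac"
        set url-path "fac"
    next
    edit "duo"
        set url-path "duo"
    next
end

# Bind each realm to exactly one group, so a user on the /fac URL can only
# be authenticated by FAC and a user on /duo only by the Duo proxy.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-FAC-Users"
            set portal "full-access"
            set realm "fac"
        next
        edit 2
            set groups "VPN-DUO-Users"
            set portal "full-access"
            set realm "duo"
        next
    end
end

# Push- or SMS-style second factors take longer than a password check; the
# 60 s value is an assumption, tune it to the slowest backend in use.
config system global
    set remoteauthtimeout 60
end
```

The point of keeping one group per realm is that the realm, not the user's group membership on the backend, decides which RADIUS server sees the request, which is what prevents a token-holding user from being prompted for a second OTP by a chained source they were never meant to reach.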