
Email Two-Factor Authentication on FortiGate in dialup vpn

Dear all,


Is it possible to configure two way authentication using email in dial-up VPN (Windows native)?


If yes, kindly share an article or KB in order to implement it.


Note - We are not using any FortiClient software for VPN.


Thank you.




Hi Umesh,


As per your requirement, you can use FortiClient VPN and use FortiToken as 2MFA for the dial-up VPN connection for local users.
Kindly confirm whether the users trying to connect via the Windows (built-in) VPN are remote LDAP/RADIUS users or local users configured on the firewall.






Hi Asengar,


As you asked, in my case users are trying to connect to the VPN using Windows (built-in), and whatever users are configured on the FortiGate firewall, for authentication we are using a RADIUS server.


Can you please guide me further on how to do these things?


Thank you



Dear Asengar,


Waiting for your reply on this. Please comment if you have any idea regarding this.


Thank you in advance



Hi @Umesh 


As you confirmed that the users are remote RADIUS users, in that case you have to check with the RADIUS server whether you have the option to enable 2FA via email.


So when the user enters the username and password, the authentication request will go to the RADIUS server, then the RADIUS server will ask for 2FA, and then the response will be shared with the FortiGate.


In case you need to enable 2FA via email for the local users, you can do it via CLI. Kindly refer to the below doc for the same.


In your case, for RADIUS users we cannot configure any additional setting in the firewall. You can use a separate 2FA built in from the RADIUS side.






I would like to inform you that when I tried to connect to the VPN from my laptop, the FortiGate was sending the token to the configured email ID according to the firewall logs, but I'm not getting any token (OTP) in my email when I check.


I have configured the following things -

#config user local
edit test
set type password
set two-factor email
set email-to
set passwd test123


Can you please check what mistake I am making?





Hi @Umesh 


As per the shared details, I can see you created a local user with username as test and password as test123.

You have enabled 2FA for the test user to email.


The configuration is fine, but you mentioned you are still getting the code.

Kindly check for the mail in the junk and spam mail folders as well.


I tested the same in my lab and it is working fine as expected.


Kindly check and verify once if the Gmail ID is correct.

Also collect the below debugs while connecting and attach them.

dia debug reset

dia debug application alertmail -1

dia debug enable


To stop debugging, give:

dia debug disable


Refer to the attachment FYR for the alertmail debugging logs.
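
The local-user email 2FA setup and the alertmail debug from this thread, written out in full as an added example; it is not part of the original posts and not Fortinet's own documentation. The user name, addresses, SMTP host and `<...>` values are constructed placeholders, and the `config system email-server` block is an assumption about where to look when the firewall logs the token as sent but no mail arrives, since the FortiGate delivers the code through that SMTP service.

```fortios
# Added example. Lines starting with '#' are annotations, not commands.
# Local user with email as the second factor (same settings and order as in the thread).
config user local
    edit "vpnuser1"
        set type password
        set two-factor email
        set email-to "vpnuser1@example.com"
        set passwd <password>
    next
end

# SMTP service the FortiGate uses to send the token mail.
# If this points at a relay that rejects or silently drops the message,
# the firewall log still shows the token as sent.
config system email-server
    set reply-to "fortigate@example.com"
    set server "smtp.example.com"
    set port 587
    set security starttls
    set authenticate enable
    set username "fortigate@example.com"
    set password <smtp-password>
end

# Confirm what is actually stored for the user and the mail service.
show user local vpnuser1
show system email-server

# Watch the mail delivery while the test user connects.
diagnose debug reset
diagnose debug application alertmail -1
diagnose debug enable
# ... connect from the VPN client and read the SMTP dialogue ...
diagnose debug disable
diagnose debug reset
```

Use a long random password for the account rather than a short test value, and remove any test user once delivery is confirmed.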



