Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

Created on ‎07-18-2023 10:31 AM

Email based two factor authentication || authentication method Radisu Server ||

Hi All,

Today I have configured successfully email based authentication for Forticlient VPN and when I configure using Local user that time I am getting authentication code.

 

I want, the user type must be Radius user not Local user.

User must be authenticate using Radius server.local.JPG

Can anyone guide how can I achieve this things.

Please refer the snapshot.

 

 

local user.JPG

 

 

Labels:
11724
0 Kudos
2 Solutions
npariyar
Staff
Staff

Created on ‎07-21-2023 03:09 AM Edited on ‎07-21-2023 03:11 AM

Hi Umesh,

 

To enable 2FA for the radius users or any remote authentication server, the user must be preset on the fortigate as a User Type radius/tacacs+ /ldap. Once the user is preset on the FortiGate you can enable 2 FA as the below configuration:

config user local
edit "admin"
set type radius
set two-factor email
set email-to "admin@gmail.com"
set radius-server "RAD-TEST"
next
end

 

Here "RAD-TEST" is a radius server

 

Regards

Niroj Pariyar

View solution in original post

11604
0 Kudos
pminarik
Staff
Staff

Created on ‎07-21-2023 12:36 PM Edited on ‎07-21-2023 12:39 PM

I see various contradictory, or semi-contradictory, statements in here, so let's clear things once and for all.

 

1, email 2FA

FortiGate supports email 2FA for locally defined users (=explicitly listed in config user local). Their type is irrelevant - can be local/LDAP/RADIUS/...

The only catch is that email-type 2FA must first be configured via CLI. Once you do this, the option will become visible in the GUI, for that user.
Of course, do not forget to configure an email server and make sure that the FortiGate is able to send emails. Follow this KB article for the initial email 2FA setup - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...

 

2, RADIUS-type users

If the user is of RADIUS type, then indeed their password will be checked for validity against the RADIUS server, not compared with anything local on the FortiGate itself. As a matter of fact you cannot even configure a local password for a RADIUS user. (but compare this with individual admin users, who do have a configurable "backup password", which is used exclusively only when the RADIUS server isn't responding)

A RADIUS user will show as "User Type Remote RADIUS User" in the GUI, or set type radius in the CLI.

Note that you cannot switch an existing user from one type to another. If you already have a local-type "user-x", in order to change them to RADIUS type you will need to first delete the existing user and then recreate it as a remote RADIUS user.

[ corrections always welcome ]

View solution in original post

11506
15 REPLIES 15
Kush_Patel
Staff
Staff
In response to Umesh

Created on ‎07-21-2023 10:09 AM

If the user type will be radius then it will use RADIUS credentials to authenticate.email.PNG

1686
0 Kudos
mgoswami
Staff
Staff
In response to Umesh

Created on ‎07-24-2023 11:18 PM

Hi Umesh,

 

When the users will authenticate, they will be authenticated via the radius server.

 

BR,

Manosh

1619
0 Kudos
Umesh
Contributor
In response to npariyar

Created on ‎07-24-2023 03:40 AM

Hi Niroj,

config user local
edit "admin"
set type radius
set two-factor email
set email-to "admin@gmail.com"
set radius-server "RAD-TEST"
next
end

 

I have followed above command, after that it is showing authentication error, can you please help me what can be issue.

 

1635
0 Kudos
Umesh
Contributor
In response to npariyar

Created on ‎07-24-2023 11:10 PM

Hi Niroj,

 

Yes, now its' working, I praise your respond.

 

Regards,

Umesh

1622
0 Kudos
pminarik
Staff
Staff

Created on ‎07-21-2023 12:36 PM Edited on ‎07-21-2023 12:39 PM

I see various contradictory, or semi-contradictory, statements in here, so let's clear things once and for all.

 

1, email 2FA

FortiGate supports email 2FA for locally defined users (=explicitly listed in config user local). Their type is irrelevant - can be local/LDAP/RADIUS/...

The only catch is that email-type 2FA must first be configured via CLI. Once you do this, the option will become visible in the GUI, for that user.
Of course, do not forget to configure an email server and make sure that the FortiGate is able to send emails. Follow this KB article for the initial email 2FA setup - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...

 

2, RADIUS-type users

If the user is of RADIUS type, then indeed their password will be checked for validity against the RADIUS server, not compared with anything local on the FortiGate itself. As a matter of fact you cannot even configure a local password for a RADIUS user. (but compare this with individual admin users, who do have a configurable "backup password", which is used exclusively only when the RADIUS server isn't responding)

A RADIUS user will show as "User Type Remote RADIUS User" in the GUI, or set type radius in the CLI.

Note that you cannot switch an existing user from one type to another. If you already have a local-type "user-x", in order to change them to RADIUS type you will need to first delete the existing user and then recreate it as a remote RADIUS user.

[ corrections always welcome ]
11507
Umesh
Contributor
In response to pminarik

Created on ‎07-24-2023 11:28 PM

Thanks for making me clarify.

 

 

 

1614
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.