Email-based two-factor authentication || authentication method RADIUS Server ||
Hi All,
Today I have successfully configured email-based authentication for FortiClient VPN, and when I configure it using a local user I receive the authentication code.
I want the user type to be a RADIUS user, not a local user.
The user must authenticate using the RADIUS server.
Can anyone guide me on how I can achieve this?
Please refer to the snapshot.
Labels: FortiGate
Hi Umesh,
To enable 2FA for RADIUS users, or for users of any remote authentication server, the user must be present on the FortiGate with a user type of radius/tacacs+/ldap. Once the user is present on the FortiGate you can enable 2FA with the configuration below:
config user local
    edit "admin"
        set type radius
        set two-factor email
        set email-to "admin@gmail.com"
        set radius-server "RAD-TEST"
    next
end
Here "RAD-TEST" is a RADIUS server.
Regards
I see various contradictory, or semi-contradictory, statements in here, so let's clear things once and for all.
1. Email 2FA
FortiGate supports email 2FA for locally defined users (=explicitly listed in config user local). Their type is irrelevant - can be local/LDAP/RADIUS/...
The only catch is that email-type 2FA must first be configured via CLI. Once you do this, the option will become visible in the GUI, for that user.
Of course, do not forget to configure an email server and make sure that the FortiGate is able to send emails. Follow this KB article for the initial email 2FA setup - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...
2. RADIUS-type users
If the user is of RADIUS type, then indeed their password will be checked for validity against the RADIUS server, not compared with anything local on the FortiGate itself. As a matter of fact, you cannot even configure a local password for a RADIUS user. (But compare this with individual admin users, who do have a configurable "backup password", which is used only when the RADIUS server isn't responding.)
A RADIUS user will show as "User Type Remote RADIUS User" in the GUI, or set type radius in the CLI.
Note that you cannot switch an existing user from one type to another. If you already have a local-type "user-x", in order to change them to RADIUS type you will need to first delete the existing user and then recreate it as a remote RADIUS user.
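The accepted answer shows only the user object, and the post above adds that an outbound mail server must exist first and that a user's type cannot be changed in place. As an added example (not configuration from the thread or from Fortinet), here is the complete CLI for that setup: the outbound mail server, the RADIUS server object, a RADIUS-type user with e-mail as the second factor, and a group a VPN policy can reference. Every name, address and secret below is a placeholder; the `config system email-server` keys are those of FortiOS 7.x (the lab test later in the thread used 7.2.4) and may differ on other releases.

```fortios
# Added example; all names, addresses and secrets are placeholders.

# 1. Outbound mail: the FortiGate must be able to deliver the token e-mail
#    before e-mail 2FA can work for any user.
config system email-server
    set type custom
    set server "smtp.example.com"
    set port 587
    set security starttls
    set authenticate enable
    set username "fgt-2fa@example.com"
    set password "REPLACE-WITH-SMTP-PASSWORD"
    set reply-to "fgt-2fa@example.com"
end

# 2. The RADIUS server that validates the user's password.
config user radius
    edit "RAD-TEST"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-RADIUS-SECRET"
    next
end

# 3. The user entry. A user's type cannot be changed afterwards, so if
#    "umesh" already exists as a local-password user, delete it first:
#      config user local
#          delete "umesh"
#      end
config user local
    edit "umesh"
        set type radius
        set radius-server "RAD-TEST"
        set two-factor email
        set email-to "umesh@example.com"
    next
end

# 4. Group referenced by the SSL-VPN portal mapping and firewall policy.
config user group
    edit "VPN-RADIUS-2FA"
        set member "umesh"
    next
end

# 5. Check the RADIUS leg on its own (PAP here; use the scheme your server expects).
# diagnose test authserver radius RAD-TEST pap umesh <password>
```

The `diagnose test authserver radius` line verifies only that the RADIUS server accepts the credentials; the e-mail token prompt is exercised when the user logs in through the VPN, or with the `diagnose test authserver` runs against the user's group shown in the last post of the thread.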
Hi Umesh,
Greetings of the day!
To enable MFA for the RADIUS user, first add the user locally and then enable email as the two-factor authentication method. For reference, check the screenshot below.
Regards
Priyanka
Hi Priyanka,
Thanks for sharing this snapshot, but the problem is how we can configure 2FA email-based authentication under the authentication type.
Regards,
Umesh
The email field there is used to send the token activation procedure, not to do 2FA via email for that user.
If you have found a solution, please like and accept it to make it easily accessible for others.
Created on 07-21-2023 08:39 AM Edited on 07-21-2023 08:39 AM
Hi Niroj,
I have one query: when the user tries to access the network, will it authenticate using the local password or the RADIUS server?
Thanks
Hi Niroj,
I am sending a snapshot; I hope you will understand how I want to configure two-factor email-based authentication using a RADIUS server.
You will need another product for that, such as FortiAuthenticator. There is a difference between the token delivery method and the activation method.
In FortiGate, SMS and email are used for activation. I'm sharing a snapshot of the configuration in FortiAuthenticator:
From FGT:
If you have found a solution, please like and accept it to make it easily accessible for others.
> FortiGate doesn't support 2FA with token delivery via email.
This statement is incorrect, please refer for example to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...
Created on 07-23-2023 01:49 AM Edited on 07-23-2023 01:54 AM
You are right, that was new to me too :). I tested it in a lab and it's working normally in 7.2.4 after adding it from the CLI, for an LDAP user in this case:
config user local
    edit "beni"
        set type ldap
        set two-factor email
        set email-to "beni@eb.eu"
        set ldap-server "DC01-x"
    next
end
The test:
GW # diagnose test authserver ldap DC01-x beni xxxxx
Token Code:******
authenticate 'beni' against 'DC01-x' succeeded!
The email content sent by the FGT: Your authentication token code is 8xxxxx.
Same result when using a local user:
config user local
    edit "test2FAmail"
        set type password
        set two-factor email
        set email-to "test2fmail@eb.eu"
        set passwd-time 2023-07-23 08:55:03
        set passwd ENC xxxx
    next
end
The test:
GW # diagnose test authserver local Local test2FAmail test123
Token Code:******
authenticate user 'test2FAmail' in group 'Local' succeeded
If you have found a solution, please like and accept it to make it easily accessible for others.
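The thread establishes that e-mail 2FA applies to any entry in `config user local` regardless of type (radius, ldap or password all deliver the token) and that a backup only lists settings that differ from their defaults. That makes a small audit script useful: read a FortiGate backup, list every `config user local` entry, and flag the ones with no second factor or with `set two-factor email` but no `email-to` address. The script below is an added example, not from the thread or from Fortinet; the configuration embedded in it is constructed for illustration (the user names echo the thread's, the rest are placeholders), and it assumes the backup text uses the indented `config`/`edit`/`set`/`next`/`end` layout shown in the posts above.

```python
import shlex

# Constructed sample of the relevant part of a FortiGate backup (not from a real device).
SAMPLE_CONFIG = """\
config user local
    edit "umesh"
        set type radius
        set two-factor email
        set email-to "umesh@example.com"
        set radius-server "RAD-TEST"
    next
    edit "beni"
        set type ldap
        set two-factor email
        set email-to "beni@eb.eu"
        set ldap-server "DC01-x"
    next
    edit "svc-backup"
        set type password
        set passwd ENC xxxx
    next
    edit "contractor"
        set type radius
        set two-factor email
        set radius-server "RAD-TEST"
    next
end
config user group
    edit "VPN-RADIUS-2FA"
        set member "umesh" "contractor"
    next
end
"""


def parse_user_local(config_text):
    """Return {username: {setting: value}} for every entry in `config user local`.

    Single-word values are strings; multi-word values (e.g. `passwd ENC <blob>`)
    become lists. A backup omits settings left at their default, so `two-factor`
    starts as "disable" and `email-to` as None until the entry sets them.
    """
    users = {}
    current = None
    in_block = False
    depth = 0  # nesting of sub-tables inside an entry, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not in_block:
            in_block = line == "config user local"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break  # closing `end` of config user local
            depth -= 1
        elif depth:
            continue  # ignore contents of nested sub-tables
        elif line.startswith("edit "):
            name = shlex.split(line)[1]
            current = {"type": None, "two-factor": "disable", "email-to": None}
            users[name] = current
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, *values = shlex.split(line)[1:]
            current[key] = values[0] if len(values) == 1 else values
    return users


def audit_two_factor(users):
    """Return (username, problem) pairs for entries whose second factor is
    missing or could never be delivered."""
    findings = []
    for name, u in users.items():
        if u["two-factor"] == "disable":
            findings.append((name, f"no second factor (type {u['type']})"))
        elif u["two-factor"] == "email" and not u["email-to"]:
            findings.append((name, "email 2FA enabled but no email-to address"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_two_factor(parse_user_local(SAMPLE_CONFIG)):
        print(f"{name}: {problem}")
```

Run against a real backup by replacing `SAMPLE_CONFIG` with the file's contents; on the sample it reports `svc-backup` (password-only) and `contractor` (token enabled but nowhere to send it), while the radius and ldap users with an address pass.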