Hi All,
Today I successfully configured email-based authentication for FortiClient VPN, and when I configure it using a local user I receive the authentication code.
I want the user type to be a RADIUS user, not a local user.
The user must be authenticated using the RADIUS server.
Can anyone guide me on how I can achieve this?
Please refer to the snapshot.
Hi Umesh,
To enable 2FA for RADIUS users or any remote authentication server, the user must be present on the FortiGate as a user of type radius/tacacs+/ldap. Once the user is present on the FortiGate, you can enable 2FA with the configuration below:
config user local
edit "admin"
set type radius
set two-factor email
set email-to "admin@gmail.com"
set radius-server "RAD-TEST"
next
end
Here "RAD-TEST" is a RADIUS server.
Regards
I see various contradictory, or semi-contradictory, statements in here, so let's clear things up once and for all.
1. Email 2FA
FortiGate supports email 2FA for locally defined users (i.e. explicitly listed in config user local). Their type is irrelevant; it can be local/LDAP/RADIUS/...
The only catch is that email-type 2FA must first be configured via the CLI. Once you do this, the option will become visible in the GUI for that user.
Of course, do not forget to configure an email server and make sure that the FortiGate is able to send emails. Follow this KB article for the initial email 2FA setup: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...
2. RADIUS-type users
If the user is of RADIUS type, then indeed their password will be checked for validity against the RADIUS server, not compared with anything local on the FortiGate itself. As a matter of fact, you cannot even configure a local password for a RADIUS user. (But compare this with individual admin users, who do have a configurable "backup password", which is used only when the RADIUS server isn't responding.)
A RADIUS user will show as "User Type: Remote RADIUS User" in the GUI, or as "set type radius" in the CLI.
Note that you cannot switch an existing user from one type to another. If you already have a local-type "user-x", in order to change them to RADIUS type you will need to first delete the existing user and then recreate it as a remote RADIUS user.
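Putting the points above together, here is an added end-to-end example (not from any post in this thread) of the three pieces that must exist for email 2FA on a RADIUS-type user: the RADIUS server object, the email server the FortiGate sends the token from, and the user itself, followed by a test from the CLI. The server addresses, names, user name and secrets are placeholders.

```fortios
# 1) RADIUS server the password will be validated against (placeholder values)
config user radius
    edit "RAD-TEST"
        set server "192.0.2.10"
        set secret <radius-shared-secret>
    next
end

# 2) Outbound email server; without this the token email is never sent
config system email-server
    set server "smtp.example.com"
    set port 587
    set authenticate enable
    set username "fortigate@example.com"
    set password <smtp-password>
    set security starttls
    set reply-to "fortigate@example.com"
end

# 3) The user: created directly as type radius (an existing local-type user
#    cannot be converted), with email 2FA enabled from the CLI
config user local
    edit "umesh"
        set type radius
        set radius-server "RAD-TEST"
        set two-factor email
        set email-to "umesh@example.com"
    next
end

# Put the user in the group referenced by the SSL-VPN portal mapping
config user group
    edit "VPN-Users"
        set member "umesh"
    next
end

# Test: the password goes to RADIUS, then the FortiGate prompts for the
# emailed token code
diagnose test authserver radius RAD-TEST pap umesh <user-password>
```

If the RADIUS step succeeds but no token is requested, the two-factor setting is missing on the user; if the token prompt appears but no mail arrives, check the email-server settings and the FortiGate's SMTP reachability first.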
Hi Umesh,
Greetings of the day!
To enable MFA for the RADIUS user, first add the user locally and then enable email as two-factor authentication. For reference, check the screenshot below.
Regards
Priyanka
Hi Priyanka,
Thanks for sharing this snapshot, but the problem is how we can configure 2FA email-based authentication under the authentication type.
Regards,
umesh
The email field there is used to send the token activation procedure and not to do the 2FA via email for that user.
Created on 07-21-2023 08:39 AM Edited on 07-21-2023 08:39 AM
Hi Niroj,
I have one query: when the user tries to access the network, will it authenticate using the local password or the RADIUS server?
Thanks
Hi Niroj,
I am sending a snapshot; I hope you will understand how I want to configure two-factor email-based authentication using the RADIUS server.
You will need another product for that, like FortiAuthenticator for example. There is a difference between the token delivery method and the activation method.
In FortiGate, SMS and email are used for activation. I'm sharing a snapshot from the configuration in FortiAuthenticator:
from FGT:
> FortiGate doesn't support 2FA with token delivery via email.
This statement is incorrect, please refer for example to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...
Created on 07-23-2023 01:49 AM Edited on 07-23-2023 01:54 AM
You are right, that was new to me too :). I tested it in a lab and it works normally in 7.2.4 after adding it from the CLI, for an LDAP user in this case:
config user local
edit "beni"
set type ldap
set two-factor email
set email-to "beni@eb.eu"
set ldap-server "DC01-x"
next
end
the test:
GW # diagnose test authserver ldap DC01-x beni xxxxx
Token Code:******
authenticate 'beni' against 'DC01-x' succeeded!
the email content sent by FGT: Your authentication token code is 8xxxxx.
Same result while using a local user:
config user local
edit "test2FAmail"
set type password
set two-factor email
set email-to "test2fmail@eb.eu"
set passwd-time 2023-07-23 08:55:03
set passwd ENC xxxx
next
end
the test:
GW # diagnose test authserver local Local test2FAmail test123
Token Code:******
authenticate user 'test2FAmail' in group 'Local' succeeded