Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

Email based two factor authentication || authentication method Radius Server ||

Hi All,

Today I have successfully configured email-based authentication for FortiClient VPN, and when I configure it using a Local user I receive the authentication code.

 

I want the user type to be a RADIUS user, not a Local user.

The user must be authenticated using the RADIUS server.

[screenshot: local.JPG]

Can anyone guide me on how I can achieve this?

Please refer to the snapshot.


[screenshot: local user.JPG]


2 Solutions
npariyar
Staff

Hi Umesh,

 

To enable 2FA for RADIUS users or users of any remote authentication server, the user must be present on the FortiGate with a User Type of radius/tacacs+/ldap. Once the user is present on the FortiGate you can enable 2FA with the configuration below:

config user local
edit "admin"
set type radius
set two-factor email
set email-to "admin@gmail.com"
set radius-server "RAD-TEST"
next
end

 

Here "RAD-TEST" is the RADIUS server object.

 

Regards

Niroj Pariyar


pminarik
Staff

I see various contradictory, or semi-contradictory, statements in here, so let's clear things once and for all.

 

1, email 2FA

FortiGate supports email 2FA for locally defined users (=explicitly listed in config user local). Their type is irrelevant - can be local/LDAP/RADIUS/...

The only catch is that email-type 2FA must first be configured via CLI. Once you do this, the option will become visible in the GUI, for that user.
Of course, do not forget to configure an email server and make sure that the FortiGate is able to send emails. Follow this KB article for the initial email 2FA setup - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...

 

2, RADIUS-type users

If the user is of RADIUS type, then indeed their password will be checked for validity against the RADIUS server, not compared with anything local on the FortiGate itself. As a matter of fact you cannot even configure a local password for a RADIUS user. (but compare this with individual admin users, who do have a configurable "backup password", which is used exclusively only when the RADIUS server isn't responding)

A RADIUS user will show as "User Type Remote RADIUS User" in the GUI, or set type radius in the CLI.

Note that you cannot switch an existing user from one type to another. If you already have a local-type "user-x", in order to change them to RADIUS type you will need to first delete the existing user and then recreate it as a remote RADIUS user.

[ corrections always welcome ]

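Putting Niroj's snippet and the two points above (email 2FA is a per-user setting on a locally defined user of any type; a user cannot be switched from local to RADIUS type in place) together, here is an added end-to-end example written for this page. It is not code from either post or from Fortinet documentation. The mail server, RADIUS address, shared secret, user name, mailbox and group name are placeholders, and `set type custom` under `config system email-server` is an assumption for FortiOS versions that otherwise default to Fortinet's own mail relay; drop it if your version does not accept it. Lines beginning with `#` are comments in the same style as FortiOS config backups.

```fortios
# Added example, not from the original posts. Lines starting with # are comments.
# 1. Mail server the FortiGate uses to send the 2FA code (placeholder values).
config system email-server
    set type custom
    set server "smtp.example.com"
    set port 587
    set security starttls
    set authenticate enable
    set username "fortigate@example.com"
    set password "smtp-password-placeholder"
    set reply-to "fortigate@example.com"
end

# 2. RADIUS server object that validates the password (placeholder address and secret).
config user radius
    edit "RAD-TEST"
        set server "192.0.2.10"
        set secret "radius-shared-secret-placeholder"
        set auth-type auto
    next
end

# 3. A user type cannot be changed in place: delete the old local-type entry,
#    then recreate it as a RADIUS-type user with email 2FA enabled. The
#    email-to address lives here on the FortiGate; RADIUS never sees it.
config user local
    delete "umesh"
    edit "umesh"
        set type radius
        set radius-server "RAD-TEST"
        set two-factor email
        set email-to "umesh@example.com"
    next
end

# 4. Group referenced by the SSL VPN portal mapping / firewall policy. Only the
#    explicitly defined user is a member. Adding the "RAD-TEST" server object
#    itself as a member would let any account on that RADIUS server log in
#    without the email step, because 2FA is configured per user, not per server.
config user group
    edit "SSLVPN-RADIUS-2FA"
        set member "umesh"
    next
end

# 5. Checks. First verify the RADIUS side on its own, with no VPN involved;
#    then watch the authentication daemon during a real FortiClient login.
diagnose test authserver radius RAD-TEST pap umesh <password>
diagnose debug application fnbamd -1
diagnose debug enable
# ... perform the FortiClient login, then:
diagnose debug disable
diagnose debug reset
```

Run the `diagnose test authserver` line before anything else: if the FortiGate cannot get an Access-Accept from the RADIUS server (wrong secret, wrong address, the FortiGate's source IP not registered as a NAS client), the login fails with a generic authentication error before the email step is ever reached, and no 2FA setting will change that. Once the password check passes, the fnbamd debug shows the two-factor challenge being issued and the code being sent to the address stored in `email-to`.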

15 REPLIES
Kush_Patel

If the user type is RADIUS then it will use RADIUS credentials to authenticate.

[screenshot: email.PNG]

mgoswami

Hi Umesh,

 

When the users will authenticate, they will be authenticated via the radius server.

 

BR,

Manosh

Umesh

Hi Niroj,

config user local
edit "admin"
set type radius
set two-factor email
set email-to "admin@gmail.com"
set radius-server "RAD-TEST"
next
end

 

I have followed the above commands; after that it shows an authentication error. Can you please help me with what the issue could be?

 

Umesh

Hi Niroj,

 

Yes, now it's working, I appreciate your response.

 

Regards,

Umesh

Umesh

Thanks for the clarification.
