How do I enable 2FA for my FG401E using firmware 7.2.xx?
What are the types of 2FA I can use?
Hi @yeowkm99
You may refer to the article below to enable 2FA on the FGT.
Are you looking for email-based or FortiToken?
We are already using FortiToken for users' SSL VPN accounts.
Is it still possible to enable 2FA for admin accounts?
edit "xxxxtan"
    set type radius
    set two-factor fortitoken
    set fortitoken "FTKxxxxx794E1"
    set email-to "xxxxmtan@xxxxxmedical.com"
    set radius-server "XXXRadius"
My local account is kinxxxx.
My admin account is kixxxxadmin.
I tested and cannot use the same email account for both for the 2FA.
After I changed the admin email-to to my Gmail account, it works.
Created on 07-29-2025 06:52 PM, edited on 07-29-2025 06:58 PM
On FAC, if you set up a FAC admin user account with a name (not only email), you cannot use the same name for a regular user account for RADIUS or LDAP or whatever, because the FAC always finds the name bound as an "admin" user and allows it whatever the admin can do. For example, if the admin account doesn't have 2FA set up, the regular RADIUS user login with the same name wouldn't go through 2FA even if you set it up for the group/users.
We discovered this issue about 3 years ago when we deployed a FAC for FTM (FortiToken Mobile) 2FA, and requested an NFR (new feature request) via SE at that time. Apparently they never implemented the change.
Toshi