ArifS
Contributor

Enforcing 2FA

I am using Parallels RAS with FortiAuthenticator. Right now it shows 2FA for all the users who are imported into FortiAuthenticator but allows login for other users without 2FA. How can I enforce 2FA for all users and deny them if they are not imported into FortiAuthenticator? I can't find any settings on the Parallels side to restrict this.

1 Solution
pminarik
Staff

Can you clarify which authentication protocol/method you're using in this case?

If it's RADIUS, you need to edit the matching RADIUS policy, and in the "Authentication factors" section switch it to "Mandatory password and OTP".

[Image: FAC GUI - RADIUS policy authentication factors]

docs reference 

[ corrections always welcome ]

ArifS

It stops login after setting authentication to Mandatory password and OTP. 

It gives the following error. Is there a way to customize the message?

[Image: ArifS_0-1663108056686.png]

pminarik

FAC doesn't advertise the failure reason being a missing token in the Access-Reject (that is a potential information leak to an attacker).

You could perhaps try changing the error to something like "if you don't have a token assigned, talk to IT" (just an example), but as to how to do that, you'd need to check with whoever is responsible for the UI that generates that error message.

[ corrections always welcome ]
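
To inspect what a RADIUS client such as Parallels RAS receives on a rejected login, this added example (not part of the thread, and not Fortinet or Parallels code) parses an Access-Reject per RFC 2865 and verifies its Response Authenticator. The shared secret, Request Authenticator and Reply-Message text are constructed sample values, not captured from a real FortiAuthenticator.

```python
import hashlib
import hmac
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE = 18  # RFC 2865 attribute type for server-supplied display text

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Build a response as a server would; used here only to construct samples."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + auth + attrs

def parse_response(packet, req_auth, secret):
    """Verify the Response Authenticator, then return (code name, attributes)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # ignore padding past the declared length
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    parsed, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        parsed.setdefault(attrs[i], []).append(attrs[i + 2:i + attrs[i + 1]])
        i += attrs[i + 1]
    return CODES.get(code, f"code {code}"), parsed

# Constructed sample data (assumptions, not values from the thread).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # Request Authenticator of the matching Access-Request
MSG = b"Authentication failed"  # constructed Reply-Message text
BARE_REJECT = build_response(3, 7, REQ_AUTH, SECRET)
REJECT_WITH_MSG = build_response(
    3, 8, REQ_AUTH, SECRET, bytes([REPLY_MESSAGE, 2 + len(MSG)]) + MSG)

if __name__ == "__main__":
    for pkt in (BARE_REJECT, REJECT_WITH_MSG):
        print(parse_response(pkt, REQ_AUTH, SECRET))
```

The reject code and any Reply-Message text are all the client can display from these packets; neither sample says which factor failed.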