I'm new to FortiGate and I need to get MFA working for SSL VPN users from an LDAP server. With other manufacturers, such as Sophos, I just need to enable MFA for users and have them read the QR code in their respective authentication app. With FortiGate, do I need to use FortiToken Mobile exclusively?
Another question: is it true that to use MFA with Fortigate, I need to pay for a token?
For FortiToken indeed, you would need to acquire either FortiTokens and activate them directly on the firewall, or FortiToken Cloud, or go via FortiAuthenticator + licenses for FortiToken Mobile (FTM).
You can use Entra ID and the MFA that it offers you, if you have an Azure tenant.
So basically, for any integration I want to do with MFA, whether it's extracting the seed or using FortiToken, do I need to pay for a license?
You would only need a license for the 2FA/MFA solution that you are using.
If you are using, let's say, Microsoft Authenticator because you have an Azure subscription/tenant, you don't need any license on the firewall for using it.
I am using local LDAP (AD); I need a license, right?
No license needed in order to query/import AD/LDAP users on the firewall.
To enable MFA, I want to use LDAP users with MFA to authenticate via SSL VPN. In this scenario, do I need a FortiToken Cloud license etc.?
If you want to use FortiToken Cloud as the MFA, then yes.
You can search online the differences between FortiToken Cloud and FortiToken Mobile licenses.
Hey AgnerDNS,
to elaborate a bit more:
LDAP inherently does not support MFA, so you need some way to introduce MFA.
This can either be done on the server side, or on FortiGate side.
On server side:
- you need a solution that offers MFA in addition to LDAP
-> FortiAuthenticator, if it acts as LDAP server, can require (Forti)token codes; codes are sent along with password in one go
-> Azure/Microsoft Authenticator adds push notification without the client device (FortiGate) noticing, and only returns successful auth result if the second factor checks out too
-> various LDAP proxy solutions allow you to loop in MFA
-> Fortinet started offering FortiAuthProxy as a software application that acts as LDAP server towards FortiGate; it proxies connection to the actual LDAP server and loops in MFA (in the form of FortiTokenCloud)
On FortiGate side:
- LDAP users need to be imported to FortiGate
- FortiGate can assign them FortiTokens, or be configured to send token codes via SMS (needs a third-party SMS gateway or FortiGuard SMS subscription) or email (needs SMTP server)
- FortiGate will verify credentials against LDAP, and separately either require token code to be entered, or send a push notification (depends on token type and related config)
I hope that clarifies how MFA can be bolted onto LDAP authentication, and gives you some idea of what a possible solution might look like :)
Cheers,
Debbie
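The "On FortiGate side" path Debbie describes, written out as an illustrative FortiOS CLI configuration. This is an added example, not configuration from the thread or from Fortinet; the server address, domain, user, SMTP relay, group and portal names are assumed placeholders.

```fortios
# Added illustrative FortiOS CLI (not from the thread). Assumed values:
# LDAP server 192.0.2.10, domain example.com, user "jdoe",
# SMTP relay smtp.example.com, group "SSLVPN-MFA", portal "full-access".

# 1. LDAP server object: FortiGate verifies the password here
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"
        set port 636
        set secure ldaps
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=ldapbind,cn=Users,dc=example,dc=com"
        set password "BIND-PASSWORD-PLACEHOLDER"
    next
end

# 2. SMTP relay used to deliver emailed token codes
config system email-server
    set server "smtp.example.com"
    set port 587
    set security starttls
end

# 3. Import the LDAP user locally and attach the second factor
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor email
        set email-to "jdoe@example.com"
    next
end
# For a FortiToken instead: set two-factor fortitoken / set fortitoken <serial>

# 4. Group referenced by the SSL VPN authentication rule
config user group
    edit "SSLVPN-MFA"
        set member "jdoe"
    next
end

# 5. Map the group to an SSL VPN portal
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN-MFA"
            set portal "full-access"
        next
    end
end
```

With `set type ldap` the password is checked against AD first and the emailed code is demanded separately, which is the behaviour described in the post; the SMS variant swaps `two-factor email` for `two-factor sms` and needs a gateway or FortiGuard SMS subscription as noted above.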
Thank you, man. It's impressive how something as simple as MFA for users, which is available in Sophos XG, is paid for with Fortinet.
Copyright 2025 Fortinet, Inc. All Rights Reserved.