Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MadDog_2023
New Contributor III

MFA for admin access

Hi All,

There is a FortiGate 60E.

I set up MFA the way shown on the screenshot. 

 

FG MFA.jpg

 

The drawback of this method is that it requires FortiToken Mobile.

It means if I'm not available nobody can access the router.

Is it possible to set up MFA for admin access in some other way that wouldn't be linked to someone mobile device?  

1 Solution
ozkanaltas
Valued Contributor III

Hello @MadDog_2023 ,

 

Firstly, I agree with @AEK. You should create more than one admin account on your FortiGate for traceability. 

 

But if you don't want this. You can use email as a 2FA or you can configure a remote radius admin user on your FortiGate. After that, you can control the 2FA option on the Radius server. 

 

If you want to use email as 2FA. You can use these commands. 

 

config system admin
	edit admin
		set two-factor email
	next
end
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
4 REPLIES 4
AEK
SuperUser
SuperUser

Hello

Yes, just create multiple nominative users.

Actually the good practice is never share one account with many admins (at least for traceability), each admin has his own account. Other very serious companies even disable admin account.

AEK
AEK
vikhral10
New Contributor

works great, authlite was the best true 2fa we found. Administration is easy. Essentially your User account used for DA wont have DA privilege's until you sign in with your 2fa (yubikey) once successful you're granted DA. We also did this with our LocalserverAdmin groups as well.

https://omegle.onl/ vshare
ozkanaltas
Valued Contributor III

Hello @MadDog_2023 ,

 

Firstly, I agree with @AEK. You should create more than one admin account on your FortiGate for traceability. 

 

But if you don't want this. You can use email as a 2FA or you can configure a remote radius admin user on your FortiGate. After that, you can control the 2FA option on the Radius server. 

 

If you want to use email as 2FA. You can use these commands. 

 

config system admin
	edit admin
		set two-factor email
	next
end
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
MadDog_2023

Thanks guys for you replies.

 

@ozkanaltas thanks heaps.

Exactly what I was after. 

The full command set was:

 

config system admin
edit admin
set two-factor email

set email-to address@company.com
next
end

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors