Hi All,
There is a FortiGate 60E.
I set up MFA the way shown on the screenshot.
The drawback of this method is that it requires FortiToken Mobile.
It means if I'm not available, nobody can access the router.
Is it possible to set up MFA for admin access in some other way that wouldn't be linked to someone's mobile device?
Hello
Yes, just create multiple nominative users.
Actually, the good practice is to never share one account among many admins (at least for traceability); each admin has his own account. Other very serious companies even disable the admin account.
Works great; AuthLite was the best true 2FA we found. Administration is easy. Essentially, your user account used for DA won't have DA privileges until you sign in with your 2FA (YubiKey); once successful, you're granted DA. We also did this with our LocalserverAdmin groups as well.
Hello @MadDog_2023 ,
Firstly, I agree with @AEK. You should create more than one admin account on your FortiGate for traceability.
But if you don't want this, you can use email as 2FA, or you can configure a remote RADIUS admin user on your FortiGate. After that, you can control the 2FA option on the RADIUS server.
If you want to use email as 2FA, you can use these commands:
config system admin
edit admin
set two-factor email
next
end
Created on 03-06-2024 02:22 AM Edited on 03-06-2024 02:23 AM
Thanks guys for your replies.
@ozkanaltas thanks heaps.
Exactly what I was after.
The full command set was:
config system admin
edit admin
set two-factor email
set email-to address@company.com
next
end
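An added example, not part of the thread and not Fortinet code: a Python check that reads a saved configuration and lists admin accounts whose second factor is missing or incomplete, such as `two-factor email` without `email-to`. The sample config, the account names other than `admin`, and the treatment of an unset `two-factor` as disabled are assumptions.

```python
# Constructed sample laid out like a FortiOS backup; names and addresses are made up.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set two-factor email
        set email-to "address@company.com"
        config gui-dashboard
            edit 1
            next
        end
    next
    edit "bob"
        set accprofile "super_admin"
    next
    edit "carol"
        set two-factor email
    next
    edit "dave"
        set remote-auth enable
    next
end
"""
def parse_admins(config_text):
    """Return {admin: {setting: value}} from the 'config system admin' block."""
    admins, current, depth = {}, None, -1  # depth -1 means outside the admin block
    for line in map(str.strip, config_text.splitlines()):
        if depth < 0:
            depth = 0 if line == "config system admin" else -1
        elif line.startswith("config "):
            depth += 1  # nested block, e.g. gui-dashboard; its edit/set lines are skipped
        elif line == "end":
            depth -= 1  # dropping below 0 leaves the admin block
        elif depth == 0 and line.startswith("edit "):
            current = admins.setdefault(line[5:].strip('"'), {})
        elif depth == 0 and line.startswith("set ") and current is not None:
            _, key, value = (line.split(None, 2) + [""])[:3]
            current[key] = value.strip('"')
    return admins

def audit_admins(admins):
    """Return {admin: finding} where local two-factor is missing or incomplete."""
    findings = {}
    for name, cfg in admins.items():
        if cfg.get("remote-auth") == "enable":
            findings[name] = "remote auth: verify 2FA on the RADIUS server"
        elif cfg.get("two-factor", "disable") == "disable":  # assumption: unset means disabled
            findings[name] = "no two-factor configured"
        elif cfg["two-factor"] == "email" and not cfg.get("email-to"):
            findings[name] = "two-factor email set but email-to missing"
    return findings
```

Run `audit_admins(parse_admins(text))` on the text of a configuration backup; an empty result means every local admin has a complete two-factor setting.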
Copyright 2024 Fortinet, Inc. All Rights Reserved.