Support Forum
daniel_anderson
New Contributor

Two-Factor Authentication - FortiGate 500E

Good Morning Everyone,

 

My 2 questions are hopefully very simple and probably a duplication of questions previously asked...

 

1. Are the FortiTokens still the valid way to handle Two-Factor Authentication with FortiGate products for SSL VPN?

2. I'm testing with the 2 free tokens. If access to the VPN is granted through an Active Directory group, the VPN does not ask for the FortiToken. If a user is granted access to the VPN using only their users, the FortiToken is required. Any ideas?

 

All the best,

 

Dan

1 Solution
Yurisk
Valued Contributor

To enable MFA with FortiTokens and LDAP users I see 2 ways:

1. As per Fortinet docs - create local users with the exact same name as in LDAP and assign FortiTokens to them. In such case FortiGate does NOT store the password of a user locally - just its name; all authentication is against LDAP. https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD36413&languageId=
2. Use MS Radius (NPS, that plugs into your DC) instead of a direct LDAP connection. It works with FortiAuthenticator as well as any 3rd party vendor like DUO etc. https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD36413&languageId=

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.

All opinions are mine only.
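A FortiOS CLI illustration of option 1 next to the AD-group-only setup that produces the behaviour in question 2; this is an added example, not from Yuri's post or Fortinet's documentation. The LDAP server object "AD-LDAP", the user "jdoe", the group names, the group DN and the FortiToken serial are placeholders, and the # lines are explanatory comments.

```fortios
# Placeholder names: "AD-LDAP" is an existing LDAP server object, "jdoe" an AD
# account, the group DN and the FTKMOB serial are made up for illustration.

# Group matched purely on AD membership: the FortiGate only checks that the
# LDAP bind succeeds and the user is in the AD group. No local user object is
# involved, so no per-user token is consulted (the symptom in question 2).
config user group
    edit "VPN-AD-Group"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Option 1: a local user that shadows the LDAP account. "type ldap" means the
# password is verified against AD and nothing is stored locally except the
# name; the FortiToken is enforced per user.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end

# Reference only token-enabled local users from the SSL VPN portal mapping and
# firewall policy. Adding "AD-LDAP" as a member here would let any AD user
# in without a token, which is the mixed-group case Patel warns about.
config user group
    edit "VPN-MFA-Users"
        set member "jdoe"
    next
end
```

After applying it, a test login with "jdoe" should prompt for the token; a login from a user who exists only in AD should be rejected by the "VPN-MFA-Users" policy.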

    Patel
    New Contributor III

    Hi,

    Here are answers to your questions:

1.) Yes, FortiTokens are still the valid way to handle Two-Factor Authentication with FortiGate products for SSL VPN.

2.) If access to the VPN is granted through an Active Directory group, the VPN does not ask for the FortiToken.

- Make sure that the user group you are mapping to the portal does not include mixed users (some with 2FA enabled and some without 2FA).

- Only users with 2FA enabled should be in that group. Please check that and let me know if that still does not work.

     

    Regards,

    Patel
