Hello team!!!
Is there a way to enable 2 factor authentication for admins with other than local Users?
As suggested by Fortinet, I created an AD group, added the AD Group to the local group, and added the local group as admin in System->Administrators
With local users I have the "Two factor authentication" option in the gui, but this option is not available with this group, also tried to configure two factor autentication from the cli but "set two-factor" is not possible with this group.
Any suggestion?
Regards,
Damián
Solved! Go to Solution.
We might have sent you in the wrong direction.
This is how you can configure and assign tokens to remote LDAP admin.
If you're using vdoms, you have to be in global for this. Group and server in root vdom.
fortinet is my samaccountname, and I'm able to auth with this as admin. 2fa enabled also.
fortigate # config global
fortigate (global) # config system admin
fortigate (admin) # edit fortinet
fortigate (fortinet) #
config system admin
edit "fortinet"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKMOB1A914XXXXX"
set email-to "fortinet@bogusinc.local"
set remote-group "bogusinc-LDAP-GROUP"
set password ENC
next
end
fortigate (root) show user ldap LDAPS-bogusinc.local2012r2ldap
config user ldap
edit "LDAPS-bogusinc.local2012r2ldap"
set server "10.5.23.153"
set server-identity-check disable
set cnid "sAMAccountName"
set dn "DC=bogusinc,DC=local"
set type regular
set username "Administrator@bogusinc.local"
set password ENC
set secure ldaps
set ca-cert "CA_Cert_2"
set port 636
next
end
fortigate (root) # show user group bogusinc-LDAP-GROUP
config user group
edit "bogusinc-LDAP-GROUP"
set member "bogusinc.local2012r2ldap"
config match
edit 1
set server-name "bogusinc.local2012r2ldap"
set group-name "CN=Domain Users,CN=Users,DC=bogusinc,DC=local"
next
end
next
end
Let me know if this helps.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
Hi Damián,
You can define AD user on the firewall and enable 2fa.
config user local
edit "fortinet"
set type ldap
set two-factor
...
I'm not aware of any other method on the firewall.
If you don't want that, you can auth the admin externally over radius using a FAC, for instance. Here you can enable 2fa also.
This is LDAP example, but I think you can adapt it for radius easily:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/747268/configuring-wildcard-admin-accou...
Or you can try SAML and 2fa will be handled by your IDP (FAC or other IDP provider).
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-SAML-admin-authentication/ta-p/195402
- Have you found a solution? Then give your helper a "Like" and mark the solution.
Hello cchiriches, thanks for your answer.
About the first suggestion, I dont understand how to associate this local user with an AD user, in the "edit username" I dont have any option to do this (I used "show full-configuration")
About the wilcard admin accounts, this is alike what I did before, this does not support 2FA
It seems we will not use the other methods, they asked now to authenticate only with AD.
Any Idea?
Thanks in advance.
Regards,
Damian
You can try to import/create a remote LDAP user under User & Authentication> User Definition> Create New> User Type [Remote LDAP User] > Next > (Select user) > right click [Add Selected]
(same result as explained on the previous comment from the CLI)
After that you can assign a token and make it part of the Admin group you created.
Hello ebilcari, thanks for your answer
I just tested, this does not work, allowed me to access but without 2FA, just the password required.
Any other idea?
Regards,
Damián
We might have sent you in the wrong direction.
This is how you can configure and assign tokens to remote LDAP admin.
If you're using vdoms, you have to be in global for this. Group and server in root vdom.
fortinet is my samaccountname, and I'm able to auth with this as admin. 2fa enabled also.
fortigate # config global
fortigate (global) # config system admin
fortigate (admin) # edit fortinet
fortigate (fortinet) #
config system admin
edit "fortinet"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKMOB1A914XXXXX"
set email-to "fortinet@bogusinc.local"
set remote-group "bogusinc-LDAP-GROUP"
set password ENC
next
end
fortigate (root) show user ldap LDAPS-bogusinc.local2012r2ldap
config user ldap
edit "LDAPS-bogusinc.local2012r2ldap"
set server "10.5.23.153"
set server-identity-check disable
set cnid "sAMAccountName"
set dn "DC=bogusinc,DC=local"
set type regular
set username "Administrator@bogusinc.local"
set password ENC
set secure ldaps
set ca-cert "CA_Cert_2"
set port 636
next
end
fortigate (root) # show user group bogusinc-LDAP-GROUP
config user group
edit "bogusinc-LDAP-GROUP"
set member "bogusinc.local2012r2ldap"
config match
edit 1
set server-name "bogusinc.local2012r2ldap"
set group-name "CN=Domain Users,CN=Users,DC=bogusinc,DC=local"
next
end
next
end
Let me know if this helps.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
Yes, finally worked!!
Thanks cchiriches, this was the solution
User | Count |
---|---|
2677 | |
1412 | |
810 | |
703 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.