Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andrewbattersby
New Contributor

ZTNA with 2FA (fortitokens)

Is it not possible to use 2FA (Fortitokens) when using Fortinet's EMS with ZTNA solution?  

 

When I enable 2FA for the SSL-VPN it seems to just freeze and doesn't allow me to connect using the Forticlient. 

If I remove the ZTNA solution and just use the free Forticlient for basic VPN then the 2FA works fine.

 

Thanks

3 REPLIES 3
gfleming
Staff
Staff

Can you help clarify your issue? ZTNA does not require SSL VPN connectivity to work. But are you saying with ZTNA enabled your SSL VPN connectivity stops working?

Cheers,
Graham
andrewbattersby
New Contributor

Thanks for the reply.


SSL-VPN works fine but only with 2FA disabled.

 

I can use a ZTNA enabled client with the Fortinet EMS server fine. It connects fine with web filtering, anti virus etc all enabled. One of the profiles is also remote access so it downloads the SSL-VPN details.


The SSL-VPN will connect as long as I don't have 2FA enabled on the Fortigate itself. If I enable it then the client goes through the motions but just freezes on the token screen.

If I enter the same SSL-VPN details onto another PC which doesn't have the ZTNA client, it just has the SSL-VPN but still using the forticlient software then it connects fine using exactly the same username/password with the 2FA details.

I hope that makes some sense

 

Thanks!

gfleming

Sounds like possibly some naming confusion here. I just want to clarify:

 

ZTNA is an access method whereby internal apps are accessed via HTTPS tunnel (without requiring SSL VPN connectivity). Are you using ZTNA?

 

FortiClient VPN is the free VPN Client from Fortinet


FortiClient is the licensed VPN client from Fortinet and requires a connection to a FortiClient EMS server.

 

You can run FortiClient and EMS without using ZTNA. ZTNA is one feature out of many included with FortiClient EMS.

 

So, with that out of the way can we simplify your problem as being "SSL VPN with 2FA works on FortiClient VPN but does not work with full featured FortiClient"?

 

If so, can you tell me what versions of each FortiClient VPN and FortiClient app you are using? Are the PCs both running same OS and same version?

 

On the FortiClient app you can collect logs using the diagnostic tool" https://docs.fortinet.com/document/forticlient/7.0.7/administration-guide/748524/diagnostic-tool

 

Do you see any interesting messages there?

Cheers,
Graham
Labels
Top Kudoed Authors