FortiGate
mforbes
Staff
Article Id 190447

Description

 

This article describes how to restrict VPN access with two-factor and LDAP authentication.

 

Scope

 

FortiGate.


Solution

 

  1. Configure the FortiGate-to-LDAP link.
For more details, see 'How to configure FortiGate to use an LDAP server'. Do not forget to validate that the connection status is successful, shown by the green checkmark.
 
 
  1. Import user from LDAP as 'local' user.
    User and authentication -> User Definition -> Create New.

  2. Assign a FortiToken to the imported LDAP user. An activation code will be sent to the email address.
     

      

     
  3. Create a Local User Group.
    •  Add LDAP users that have FortiTokens assigned.
    •  The 'Remote Group' option is not needed.
     
     
     
  4. Add the 'Remote Access' group to Authentication/Portal Mapping in the SSL VPN settings, as required.
     

     
  5. Configure Firewall Policy for SSL VPN users.
     
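The same configuration expressed in the FortiOS CLI, as an added example that is not part of the original article. The server name `LDAP-SRV`, the user `jdoe`, the addresses and DNs, the `internal` interface, the `LAN-SUBNET` address object and the `full-access` portal are assumptions, the values in angle brackets are placeholders, and the `#` lines are annotations to leave out when pasting.

```fortios
# LDAP server link (server address, DN and bind account are placeholders)
config user ldap
    edit "LDAP-SRV"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=com"
        set password <bind-password>
    next
end
# LDAP user imported as a local entry, with a FortiToken assigned
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor fortitoken
        set fortitoken "<token-serial>"
        set email-to "jdoe@example.com"
    next
end
# Local group containing only the token-bearing users; no remote group is set
config user group
    edit "Remote Access"
        set member "jdoe"
    next
end
# Authentication/Portal Mapping for the group
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Remote Access"
            set portal "full-access"
        next
    end
end
# Firewall policy that admits only members of the group
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "LAN-SUBNET"
        set groups "Remote Access"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because the group lists only local user entries and sets no remote group, an LDAP account that has not been imported and given a token is not a member and is not matched by the portal mapping or the policy.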

 To activate FortiToken Mobile:

 

Download and install the FortiToken Mobile app on the mobile device from the appropriate app store (App Store for iOS or Google Play Store for Android).


Receiving the activation code:

An email or SMS message will be sent containing the activation code and QR code.

 

Option 1: Scanning QR code. Open the FortiToken Mobile app. Tap the '+' icon in the top right corner and select 'Scan QR code'. Scan the received QR code.

 

Option 2: Manually entering the activation code.
Open the FortiToken Mobile app, tap the '+' icon in the top right corner, and select 'Enter manually'. Select 'Fortinet Account' and enter the email address and the activation code received.

 



Completing the activation:

After scanning the QR code or entering the activation code, the app will generate a six-digit verification code.

 



Enter this code into the VPN to complete the 2-factor authentication.