FortiGate
tnaik
Staff
Article Id 194023
Description
This article explains how to configure FortiClient SSL VPN with email two-factor authentication.

Scope
The advantage of this solution is that a FortiToken license is not required to generate tokens and send them to users.

The disadvantage is that this solution requires the user to have internet connectivity and access to email during the authentication attempt.
Therefore, depending on other configurations, this is not an appropriate solution for captive portals or dial-up IPsec authentication.



Solution
Configure the SMTP server.

For version 5.6 and 6.0:
Go to System -> Advanced.

For version 6.2:
Go to System -> Settings.


From the GUI:



From the CLI:
# config system email-server
    set reply-to {Sender_email_address}
    set server {SMTP_server_FQDN/IP}
    set port {SMTP_server_port_number}
    set authenticate {enable | disable}
    set username {username}
    set password {password_string}
    set security {none | starttls | smtps}
end

Create user.

NOTE:
Email-based two-factor authentication can only be enabled via the CLI.

Example for a local user:
# config user local
    edit "guest"
        set type password
        set two-factor email
        set email-to "guest@outlook.com"
        set passwd ENC Fie9gxr7BS8GVFPZc2B5HtDuF9nt+81fw2W84I+BPLgH5nBxRC99
    next
end


To configure SSL VPN, see the URL below:


Connect to FortiClient VPN.
Once logged in to FortiClient VPN, the token prompt appears on the same screen.
See the screenshot below for reference.




Verification.

To check authentication process:
# diag debug reset
# diag debug application fnbamd -1
# diag debug enable

To debug token delivery via email:
# diag debug reset
# diag debug application alertmail -1
# diag debug enable
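
The two CLI blocks configured above can also be checked offline from a saved configuration. The Python script below is an added example, not part of the original article or any Fortinet tool: it flags users with `set two-factor email` that have no `email-to`, and an email-server whose `security` is `none`, which means the token mail leaves the FortiGate without TLS. The sample configuration, addresses and function names are constructed for illustration, and nested config blocks are not handled.

```python
SAMPLE_CONFIG = """\
config system email-server
    set server "smtp.example.com"
    set security none
end
config user local
    edit "guest"
        set two-factor email
        set email-to "guest@example.com"
    next
    edit "nomail"
        set two-factor email
    next
end
"""  # constructed sample, not taken from a real device


def parse_blocks(text):
    """Map each top-level 'config' block to {entry name ('' if none): {key: value}}."""
    blocks, block, entry = {}, None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            block, entry = line[len("config "):], ""
            blocks.setdefault(block, {})
        elif line.startswith("edit ") and block:
            entry = line[len("edit "):].strip('"')
            blocks[block].setdefault(entry, {})
        elif line.startswith("set ") and block:
            _, key, *rest = line.split(None, 2)
            blocks[block].setdefault(entry, {})[key] = rest[0].strip('"') if rest else ""
        elif line == "next":
            entry = ""
        elif line == "end":
            block, entry = None, ""
    return blocks


def audit_email_2fa(text):
    """Return findings for users with 'set two-factor email' and the SMTP transport."""
    blocks = parse_blocks(text)
    smtp = blocks.get("system email-server", {}).get("", {})
    users = {u: s for u, s in blocks.get("user local", {}).items()
             if s.get("two-factor") == "email"}
    findings = [f"user {u}: two-factor email but no email-to"
                for u, s in sorted(users.items()) if not s.get("email-to")]
    # Assumption: a missing 'security' line means the unencrypted default (none).
    if users and smtp.get("security", "none") == "none":
        findings.append("email-server: security none, token mail is sent without TLS")
    return findings
```

Calling `audit_email_2fa()` on the text of a configuration backup returns an empty list when no user relies on email tokens or when every check passes.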
