Umesh
Contributor

Email-based two-factor authentication || authentication method: Radius Server ||

Hi All,

Today I successfully configured email-based authentication for FortiClient VPN, and when I configure it using a Local user I get the authentication code.

I want the user type to be a Radius user, not a Local user.

The user must be authenticated using the Radius server.

Can anyone guide me on how I can achieve this?

Please refer to the snapshot.

[Screenshots: local.JPG, local user.JPG]

2 Solutions
npariyar
Staff

Hi Umesh,

To enable 2FA for RADIUS users or any remote authentication server, the user must be present on the FortiGate with User Type radius/tacacs+/ldap. Once the user is present on the FortiGate you can enable 2FA with the configuration below:

config user local
    edit "admin"
        set type radius
        set two-factor email
        set email-to "admin@gmail.com"
        set radius-server "RAD-TEST"
    next
end

Here "RAD-TEST" is a RADIUS server.

Regards

Niroj Pariyar


pminarik
Staff

I see various contradictory, or semi-contradictory, statements in here, so let's clear things up once and for all.

1. Email 2FA

FortiGate supports email 2FA for locally defined users (i.e. explicitly listed in config user local). Their type is irrelevant; it can be local/LDAP/RADIUS/...

The only catch is that email-type 2FA must first be configured via the CLI. Once you do this, the option will become visible in the GUI for that user.
Of course, do not forget to configure an email server and make sure that the FortiGate is able to send emails. Follow this KB article for the initial email 2FA setup: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...

2. RADIUS-type users

If the user is of RADIUS type, then indeed their password will be checked for validity against the RADIUS server, not compared with anything local on the FortiGate itself. As a matter of fact, you cannot even configure a local password for a RADIUS user. (But compare this with individual admin users, who do have a configurable "backup password", which is used exclusively when the RADIUS server isn't responding.)

A RADIUS user will show as "User Type Remote RADIUS User" in the GUI, or set type radius in the CLI.

Note that you cannot switch an existing user from one type to another. If you already have a local-type "user-x", in order to change them to RADIUS type you will need to first delete the existing user and then recreate it as a remote RADIUS user.

[ corrections always welcome ]

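For reference, here is a complete end-to-end configuration for the scenario asked about in this thread (a RADIUS-type user on the FortiGate with email 2FA, used for FortiClient SSL VPN). This is an added example and is not code from any post in this thread nor from Fortinet's documentation. It assumes a RADIUS server named "RAD-TEST" at the documentation address 192.0.2.10, an SMTP relay at smtp.example.com, a user "umesh", a group "VPN-2FA-Users" and an SSL VPN portal named "full-access"; every name, address and secret is a placeholder. It follows the points made in the solutions above: the user is created in config user local with type radius, email 2FA is enabled from the CLI, the FortiGate needs a working email server, and an existing local-type user of the same name has to be deleted and recreated rather than switched.

```fortios
# Added example, not from the thread. All names, addresses and secrets are placeholders.

# 1. RADIUS server that validates the user's password (first factor).
config user radius
    edit "RAD-TEST"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
        set auth-type pap
    next
end

# 2. Email server used to deliver the token (second factor).
#    This is a global setting when VDOMs are enabled.
config system email-server
    set server "smtp.example.com"
    set port 587
    set security starttls
    set authenticate enable
    set username "fortigate@example.com"
    set password "REPLACE-WITH-SMTP-PASSWORD"
end

# 3. A local-type user cannot be changed to RADIUS type, so remove any
#    existing "umesh" first (this step errors harmlessly if the user does not exist).
config user local
    delete "umesh"
end

# 4. Create the user as a remote RADIUS user and enable email 2FA.
config user local
    edit "umesh"
        set type radius
        set radius-server "RAD-TEST"
        set two-factor email
        set email-to "umesh@example.com"
    next
end

# 5. Group referenced by the VPN authentication rule and firewall policy.
config user group
    edit "VPN-2FA-Users"
        set member "umesh"
    next
end

# 6. Bind the group to the SSL VPN portal (portal name assumed).
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-2FA-Users"
            set portal "full-access"
        next
    end
end
```

To verify without a VPN client, the same diagnose command used later in this thread for LDAP has a RADIUS variant: diagnose test authserver radius RAD-TEST pap umesh <password>. It should prompt for the token code after the RADIUS check succeeds, which confirms that the password is checked by RAD-TEST and the token by the mailbox in email-to. A firewall policy that references "VPN-2FA-Users" is still needed for traffic to pass; it is omitted here because it depends on the interfaces and addresses in use.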

15 Replies
pgautam
Staff

Hi Umesh,

Greetings of the day!

To enable MFA for the RADIUS user, first add the user locally and then enable email as the two-factor authentication method. For reference, check the screenshots below.

[Screenshots: radius.PNG, usercalled.png, MFA.PNG]

 

Regards

Priyanka

Umesh
Contributor

Hi Priyanka,

Thanks for sharing this snapshot, but the problem is how we can configure 2FA email-based authentication under the authentication type.

Regards,

Umesh

ebilcari

The email field there is used to send the token activation procedure and not to do the 2FA via email for that user.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Umesh

Hi Niroj,

I have one query: when the user tries to access the network, will it authenticate using the local password or the RADIUS server?

Thanks

Umesh

Hi Niroj,

I am sending a snapshot; I hope you will understand how I want to configure two-factor email-based authentication using the RADIUS server.

[Screenshots: 1.JPG, 2.JPG]

ebilcari

You will need another product for that, like FortiAuthenticator for example. There is a difference between the token delivery method and the activation method.
In FortiGate the SMS and email are used for activation. I'm sharing a snapshot from the configuration in FortiAuthenticator:

[Screenshot: tokens.PNG]

from FGT:

[Screenshot: fgt-act.PNG]

- Emirjon
pminarik

"FortiGate doesn't support 2FA with token delivery via email."

This statement is incorrect; please refer for example to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Email-Two-Factor-Authentication-on-FortiGa...

[ corrections always welcome ]
ebilcari

You are right, that was new to me too :). I tested it in a lab and it's working normally in 7.2.4 after adding it from the CLI, for an LDAP user in this case:

config user local
    edit "beni"
        set type ldap
        set two-factor email
        set email-to "beni@eb.eu"
        set ldap-server "DC01-x"
    next
end

the test:

GW # diagnose test authserver ldap DC01-x beni xxxxx
Token Code:******
authenticate 'beni' against 'DC01-x' succeeded!

the email content sent by FGT: Your authentication token code is 8xxxxx.
Same result while using a local user:

config user local
    edit "test2FAmail"
        set type password
        set two-factor email
        set email-to "test2fmail@eb.eu"
        set passwd-time 2023-07-23 08:55:03
        set passwd ENC xxxx
    next
end

the test:

GW # diagnose test authserver local Local test2FAmail test123
Token Code:******
authenticate user 'test2FAmail' in group 'Local' succeeded
- Emirjon