Configure FortiGate VPN Two-Factor Authentication
Overview
This article shows how to configure two-factor authentication for FortiGate VPN client connections.
Available authentication methods:
- SMS
- Hardware OTP tokens
- OTP applications: Google Authenticator or Yandex.Key
- Telegram
- Multifactor mobile application (coming soon)
Prerequisites: install and configure the MultiFactor Radius Adapter, which performs the two-factor authentication.
Operation Principle
- The user connects to the VPN with their login and password in FortiClient.
- FortiGate connects to the MultiFactor Radius Adapter component over the RADIUS protocol.
- The component verifies the user's login and password against Active Directory or Network Policy Server and requests the second authentication factor.
- The user confirms the access request with the selected Multifactor authentication method, or enters a one-time passcode in FortiClient.
Configuring FortiGate
Open the FortiGate management console.
Configuring the RADIUS server
Under User & Device > Authentication > RADIUS Servers, configure the RADIUS server with the following settings:
- Name: MFA_Radius
- Primary Server IP/Name: the MultiFactor Radius Adapter component address.
- Primary Server Secret: the Shared Secret from the component settings.
- Authentication method: PAP
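Why PAP and the shared secret go together, as an added example that is not from the original article or from MultiFactor: with PAP, FortiGate does not send the password in clear but hides it by XORing it with MD5(shared secret + Request Authenticator) as specified in RFC 2865, and the adapter, holding the same secret, recovers the cleartext to verify it against AD before requesting the second factor. The shared secret is the only protection of that password on the FortiGate-to-adapter path, so it must be strong and the path kept on a trusted network. The secret, username, password and authenticator below are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                      # RADIUS packet code
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32     # attribute types (RFC 2865)


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-octet blocks, then XOR each block
    with MD5(secret + previous block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password, as done by the RADIUS server holding the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 0, authenticator: bytes = b"") -> bytes:
    """Build the Access-Request a NAS (here FortiGate) sends for a VPN login attempt."""
    authenticator = authenticator or os.urandom(16)     # fresh random value per request
    attrs = b""
    for typ, value in ((USER_NAME, username.encode()),
                       (USER_PASSWORD, pap_hide_password(password.encode(), secret, authenticator)),
                       (NAS_IDENTIFIER, b"FortiGate")):
        attrs += struct.pack("!BB", typ, len(value) + 2) + value   # type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Split the attribute section of a RADIUS packet into {type: value}, as the server does."""
    attrs, pos = {}, 20
    while pos < len(packet):
        typ, length = packet[pos], packet[pos + 1]
        attrs[typ] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Because only MD5 of the secret keys the hiding, a weak or reused shared secret lets anyone capturing this traffic recover VPN passwords offline; choose a long random secret and restrict the RADIUS port to the adapter host.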
Setting up a user group
Under User & Device > User > User Group, create a group named SSL VPN Users and add MFA_Radius under Remote Servers.
Access Policy Configuration
Under Policy & Objects > Policy > IPv4, create a new policy that allows SSL VPN users to access the internal network:
- Incoming interface: ssl.root (SSL VPN interface)
- Source Users: SSL VPN Users