Fortinet FortiGate SSL VPN with RADIUS Auto Push


Duo integrates with your Fortinet FortiGate SSL VPN to add two-factor authentication to FortiClient VPN access.


To integrate Duo with your Fortinet FortiGate SSL VPN, you will need to install a local proxy service on a machine within your network. This Duo proxy server also acts as a RADIUS server — there's usually no need to deploy a separate additional RADIUS server to use Duo.

Once configured, Duo sends your users an automatic authentication request via Duo Push notification to a mobile device or phone call after successful primary login.

This configuration doesn't support inline self-service enrollment. You'll need to create your users in Duo ahead of time using one of our other enrollment methods, like directory sync or CSV import. Read the enrollment documentation to learn more.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, and Duo policy settings and how to apply them. You'll need to pre-enroll your users in Duo using one of our available methods before they can log in using this configuration. See all Duo Administrator documentation.

You should already have a working primary authentication configuration for your Fortinet FortiGate SSL VPN users before you begin to deploy Duo.

To integrate Duo with your Fortinet FortiGate SSL VPN, you will need to install a local Duo proxy service on a machine within your network. This Duo proxy server will receive incoming RADIUS requests from your Fortinet FortiGate SSL VPN, contact your existing local LDAP/AD or RADIUS server to perform primary authentication if necessary, and then contact Duo's cloud service for secondary authentication.

Locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports these operating systems:

  • Windows Server 2012 or later (Server 2016+ recommended)
  • CentOS 7 or later (CentOS 8+ recommended)
  • Red Hat Enterprise Linux 7 or later (RHEL 8+ recommended)
  • Ubuntu 16.04 or later (Ubuntu 18.04+ recommended)
  • Debian 7 or later (Debian 9+ recommended)

Then you'll need to:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Fortinet FortiGate SSL VPN in the applications list. Click Protect to get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Install the Duo Authentication Proxy

The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).

  1. Download the most recent Authentication Proxy for Windows from Note that the actual filename will reflect the version e.g. duoauthproxy-5.5.0.exe. View checksums for Duo downloads here.
  2. Launch the Authentication Proxy installer on the target Windows server as a user with administrator rights and follow the on-screen prompts.

To perform a silent install on Windows, issue the following from an elevated command prompt after downloading the installer (replacing version with the actual version you downloaded):

  1. Ensure that Perl and a compiler toolchain are installed. On most recent RPM-based distributions — like Fedora, RedHat Enterprise, and CentOS — you can install these by running (as root):

    On Debian-derived systems, install these dependencies by running (as root):

  2. Download the most recent Authentication Proxy for Unix from Depending on your download method, the actual filename may reflect the version e.g. duoauthproxy-5.5.0-src.tgz. View checksums for Duo downloads here.

  3. Extract the Authentication Proxy files and build it as follows:

  4. Install the authentication proxy (as root):

    Follow the prompts to complete the installation. The installer creates a user to run the proxy service and a group to own the log directory and files. You can accept the default user and group names or enter your own.

If you ever need to uninstall the proxy, run .

Configure the Proxy

After the installation completes, you will need to configure the proxy.

The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

Operating System    Authentication Proxy Version
Windows             v5.0.0 and later
Windows             v4.0.2 and earlier

Note that as of v4.0.0, the default file access on Windows for the directory is restricted to the built-in Administrators group during installation.

The configuration file is formatted as a simple INI file. Section headings appear as:

Individual properties beneath a section appear as:

The Authentication Proxy may include an existing authproxy.cfg with some example content. For the purposes of these instructions, however, you should delete the existing content and start with a blank text file. We recommend using WordPad or another text editor instead of Notepad when editing the config file on Windows.

Configure the Proxy for Your Primary Authenticator

In this step, you'll set up the Proxy's primary authenticator — the system which will validate users' existing passwords. Determine which type of primary authentication you'll be using, and create either an Active Directory/LDAP client section, or a RADIUS section as follows.

Active Directory

To use Active Directory/LDAP as your primary authenticator, add an section to the top of your config file. Add the following properties to the section:

The hostname or IP address of your domain controller.

The username of a domain account that has permission to bind to your directory and perform searches. We recommend creating a service account that has read-only access.

The password corresponding to . If you're on Windows and would like to encrypt this password, see Encrypting Passwords in the full Authentication Proxy documentation.

The LDAP distinguished name (DN) of an Active Directory container or organizational unit (OU) containing all of the users you wish to permit to log in. For example:

The hostname or IP address of a secondary/fallback domain controller. You can add additional domain controllers as , , etc.

To further restrict access, specify the LDAP distinguished name (DN) of a security group that contains the users who should be able to log in as direct group members. Nested groups are not supported. Users who are not direct members of the specified group will not pass primary authentication. Example:

Starting with Authentication Proxy v3.2.0, the may be the DN of an AD user's . Prior versions do not support primary groups.

LDAP attribute found on a user entry which will contain the submitted username. In most Active Directory configurations, it should not be necessary to change this option from the default value. OpenLDAP directories may use "uid" or another attribute for the username, which should be specified with this option.

Default: "sAMAccountName"

For example:

For advanced Active Directory configuration, see the full Authentication Proxy documentation.


RADIUS

To use RADIUS as your primary authenticator, add a section to the top of your config file. Then add the following properties to the section:

The IP address of your RADIUS server. You can add backup servers with , , etc.

A secret to be shared between the Authentication Proxy and your existing RADIUS server. If you're on Windows and would like to encrypt this secret, see Encrypting Passwords in the full Authentication Proxy documentation.

The authentication port on your RADIUS server. Use , , etc. to specify ports for the backup servers.


If this option is set to , all RADIUS attributes set by the primary authentication server will be copied into RADIUS responses sent by the proxy.


For example:

In addition, make sure that the RADIUS server is configured to accept authentication requests from the Authentication Proxy.

For advanced RADIUS configuration, see the full Authentication Proxy documentation.

Configure the Proxy for Your Fortinet FortiGate SSL VPN

Next, we'll set up the Authentication Proxy to work with your Fortinet FortiGate SSL VPN. Create a section and add the properties listed below. If you've already set up the Duo Authentication Proxy for a different RADIUS Auto application, append a number to the section header to make it unique, like .

Your Duo integration key, obtained from the details page for the application in the Duo Admin Panel.

Your Duo secret key, obtained from the details page for the application in the Duo Admin Panel. If you're on Windows and would like to encrypt the skey, see Encrypting Passwords in the full Authentication Proxy documentation.

Your Duo API hostname (e.g. ), obtained from the details page for the application in the Duo Admin Panel.

The IP address of your Fortinet FortiGate SSL VPN. Only clients with configured addresses and shared secrets will be allowed to send requests to the Authentication Proxy.

A secret to be shared between the proxy and your Fortinet FortiGate SSL VPN. If you're on Windows and would like to encrypt this secret, see Encrypting Passwords in the full Authentication Proxy documentation.

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a "client" section elsewhere in the config file.

Use Active Directory/LDAP for primary authentication. Make sure you have an section configured.

Use RADIUS for primary authentication. Make sure you have a section configured.

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.

Port on which to listen for incoming RADIUS Access Requests. If you have multiple RADIUS server sections you should use a unique port for each one.


Either or :


The IP address of your second Fortinet FortiGate SSL VPN, if you have one. You can specify additional devices as as , , etc.

The secrets shared with your second Fortinet FortiGate SSL VPN, if using one. You can specify secrets for additional devices as , , etc. If you're on Windows and would like to encrypt this secret, see Encrypting Passwords in the full Authentication Proxy documentation.

A completed config file that uses Active Directory should look something like:

Make sure to save your configuration file when done.

Note: Fortinet devices default to RADIUS port 1812. If you configured the section to use a port other than 1812, use the command-line interface (CLI) to change the RADIUS port on your FortiGate (port 1814 shown in the following example).

Consult the FortiOS documentation for your device for more information about using the CLI.
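The rules above (name the client when more than one client section exists, give every server section its own port, choose a failmode) are easy to get wrong by hand. The lint below is an added example, not Duo's or Fortinet's code: it assumes plain INI syntax, the failmode=safe default and the *_protected key forms documented in Duo's Authentication Proxy reference, and all sample values are constructed placeholders.

```python
"""Lint a Duo Authentication Proxy authproxy.cfg for the RADIUS Auto Push layout.
Added example, not Duo's code. Assumes plain INI syntax, that failmode defaults
to "safe", and that skey/radius_secret_1 may appear as <key>_protected on Windows."""
import configparser
from typing import List

CLIENT_PREFIXES = ("ad_client", "radius_client")
SERVER_PREFIX = "radius_server_auto"
REQUIRED_SERVER_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1")
PROTECTABLE = {"skey", "radius_secret_1"}  # may be stored encrypted as <key>_protected


def parse_authproxy_cfg(text: str) -> configparser.ConfigParser:
    """Parse the INI text with no value interpolation and case-preserved keys."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def lint_authproxy_cfg(text: str) -> List[str]:
    """Return findings in plain English; an empty list means the layout is sound."""
    cfg = parse_authproxy_cfg(text)
    clients = [s for s in cfg.sections() if s.startswith(CLIENT_PREFIXES)]
    servers = [s for s in cfg.sections() if s.startswith(SERVER_PREFIX)]
    findings: List[str] = []
    if not servers:
        findings.append("no [radius_server_auto] section: the FortiGate has nothing to send requests to")
    ports = {}  # listening port -> first server section that claimed it
    for name in servers:
        sec = cfg[name]
        for key in REQUIRED_SERVER_KEYS:
            alt = key + "_protected" if key in PROTECTABLE else None
            if not sec.get(key) and not (alt and sec.get(alt)):
                findings.append(f"[{name}] missing required key '{key}'")
        client = sec.get("client")
        if client is None and len(clients) != 1:
            findings.append(f"[{name}] has no 'client' and {len(clients)} client sections exist; name the one to use")
        elif client is not None and client not in clients:
            findings.append(f"[{name}] client='{client}' matches no client section")
        port = sec.get("port", "1812")  # 1812 is the proxy's default listening port
        if port in ports:
            findings.append(f"[{name}] port {port} already used by [{ports[port]}]; each server section needs its own")
        ports.setdefault(port, name)
        # Fail-open is the default: with failmode=safe a correct password alone
        # grants VPN access whenever the proxy cannot reach Duo's service.
        if sec.get("failmode", "safe").strip().lower() != "secure":
            findings.append(f"[{name}] failmode is not 'secure': a Duo outage turns the VPN into single-factor login")
    return findings


# Constructed sample: two client sections, two server sections, no client named,
# both on the default port, failmode left at its default.
WEAK_CFG = """\
[ad_client]
host=192.0.2.5
service_account_username=duo-svc
service_account_password=constructed-password
search_dn=DC=example,DC=com

[radius_client]
host=192.0.2.6
secret=constructed-radius-secret

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CONSTRUCTED-PLACEHOLDER-SKEY
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.0.2.20
radius_secret_1=constructed-fortigate-secret

[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CONSTRUCTED-PLACEHOLDER-SKEY
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.0.2.21
radius_secret_1=constructed-second-secret
client=radius_client
"""

# Constructed sample with the same rules applied: one named client, a unique
# port, an encrypted skey, and fail-closed behaviour.
HARDENED_CFG = """\
[ad_client]
host=192.0.2.5
host_2=192.0.2.7
service_account_username=duo-svc
service_account_password=constructed-password
search_dn=DC=example,DC=com
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey_protected=CONSTRUCTED-ENCRYPTED-BLOB
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.0.2.20
radius_secret_1=constructed-fortigate-secret
client=ad_client
port=1812
failmode=secure
"""
```

Run lint_authproxy_cfg on the text of your own conf/authproxy.cfg before starting the service; the findings map directly onto the property descriptions above.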

Start the Proxy

Open an Administrator command prompt and run:

Alternatively, open the Windows Services console (), locate "Duo Security Authentication Proxy Service" in the list of services, and click the Start Service button.

Authentication Proxy v5.1.0 and later includes the executable, which shows the connectivity tool output when starting the service. The installer adds the Authentication Proxy to your system path automatically, so you should not need to specify the full path to to run it.

From an administrator command prompt run:

If the service starts successfully, Authentication Proxy service output is written to the authproxy.log file, which can be found in the subdirectory.

If you see an error saying that the "service could not be started", open the Application Event Viewer and look for an Error from the source "DuoAuthProxy". The traceback may include a "ConfigError" that can help you find the source of the issue.

Stop and restart the Authentication Proxy service by either clicking the Restart Service button in the Windows Services console or issuing these commands from an Administrator command prompt:

To stop and restart the Authentication Proxy using authproxyctl, from an administrator command prompt run:

Open a root shell and run:

To ensure the proxy started successfully, run:

Authentication Proxy service output is written to the authproxy.log file, which can be found in the subdirectory.

To stop and restart the Authentication Proxy, open a root shell and run:

If you modify your configuration after initial setup, you'll need to stop and restart the Duo Authentication Proxy service or process for your change to take effect.

Configure Your Fortinet FortiGate SSL VPN

Add a RADIUS Server

  1. Log in to the Fortinet FortiGate administrative interface.
  2. Click the User & Device section in the left navigation panel and navigate to Authentication → RADIUS Servers.
  3. Click the Create New button to create a new RADIUS server.
  4. On the New RADIUS Server page, enter the following information:

    Name: Duo RADIUS
    Primary Server Name/IP: The IP address or FQDN of your Duo RADIUS proxy
    Primary Server Secret: The RADIUS secret configured on your Duo RADIUS proxy
    Authentication Scheme: Click the "Specify Authentication Protocol" radio button and select PAP from the drop-down menu
  5. Click the OK button to create the new RADIUS server.

Configure a User Group

  1. Click the User & Device section in the left navigation panel and navigate to User → User Groups.
  2. If you have an existing user group, click on it to edit its settings. If you don't yet have a user group, click Create New to create one.
  3. On the Edit User Group or New User Group page, enter the following information:

    Name: Duo SSL VPN
  4. Click the Create New button in the Remote groups section and select the Duo RADIUS remote server. You do not have to specify a group.

  5. Click the OK button to save the user group settings.

Configure timeout

The Fortinet appliance has a default RADIUS timeout of 5 seconds, which will fail for anything other than a passcode authentication (a push or phone call takes longer than that to complete). The timeout can be increased from the Fortinet command line interface to resolve the issue. Duo recommends increasing the timeout to at least 60 seconds.

  1. Connect to the appliance CLI. Consult the documentation that accompanied your Fortinet device for more information.
  2. Execute the following commands:

Test Your Setup

Launch your FortiClient application or access the SSL VPN login page in your browser.

To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo with an authentication device.

When you enter your username and password, you will receive an automatic push or phone callback.

Alternatively you may add a comma (",") to the end of your password and append a Duo factor option:

push: Perform Duo Push authentication. You can use Duo Push if you've installed and activated Duo Mobile on your device.
phone: Perform phone callback authentication.
sms: Send a new batch of SMS passcodes. Your authentication attempt will be denied. You can then authenticate with one of the newly-delivered passcodes.
A numeric passcode: Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator. Examples: "123456" or "2345678".

For example, if you wanted to use a passcode to authenticate instead of Duo Push or a phone call, you would enter:

If you wanted to specify phone callback to authenticate instead of an automatic Duo Push request, you would enter:

You can also specify a number after the factor name if you have more than one device enrolled (as the automatic push or phone call goes to the first capable device attached to a user). So you can enter phone2 or push2 if you have two phones enrolled and you want the authentication request to go to the second phone.
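The following parser, an added example and not Duo's code, splits what the user typed into the password and the factor suffix described above. The proxy's own parser is not on this page, so splitting at the last comma and treating an unrecognised suffix as part of the password are assumptions.

```python
"""Split the password a FortiClient user submits into the real password and the
Duo factor suffix (",push", ",phone2", ",sms", ",123456"). Added example, not
Duo's code: splitting at the LAST comma and treating an unrecognised suffix as
part of the password are assumptions about the proxy's behaviour."""
import re
from dataclasses import dataclass
from typing import Optional

# Greedy ".*" makes the split happen at the last comma, so a password that
# itself contains commas survives intact.
FACTOR_RE = re.compile(r"^(?P<pw>.*),(?P<factor>push|phone|sms)(?P<device>[1-9][0-9]*)?$", re.DOTALL)
PASSCODE_RE = re.compile(r"^(?P<pw>.*),(?P<code>[0-9]+)$", re.DOTALL)


@dataclass(frozen=True)
class DuoRequest:
    password: str
    factor: str                 # "auto", "push", "phone", "sms" or "passcode"
    device: int = 1             # 1-based index of the enrolled device to contact
    passcode: Optional[str] = None

    @property
    def denied_by_design(self) -> bool:
        # A ",sms" request only delivers fresh passcodes; that attempt is always rejected.
        return self.factor == "sms"


def split_factor(submitted: str) -> DuoRequest:
    """Return the password and factor the proxy would act on for this submission."""
    m = FACTOR_RE.match(submitted)
    if m:
        device = int(m.group("device")) if m.group("device") else 1
        return DuoRequest(m.group("pw"), m.group("factor"), device)
    m = PASSCODE_RE.match(submitted)
    if m:
        return DuoRequest(m.group("pw"), "passcode", passcode=m.group("code"))
    # No recognised suffix: the whole string is the password and Auto Push sends
    # a push or phone call to the user's first capable device.
    return DuoRequest(submitted, "auto")
```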


Need some help? Review troubleshooting tips for the Authentication Proxy and try the connectivity tool included with Duo Authentication Proxy 2.9.0 and later to discover and troubleshoot general connectivity issues.

Also take a look at our Fortinet Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

  1. Primary authentication initiated to Fortinet Fortigate SSL VPN
  2. Fortinet Fortigate SSL VPN sends authentication request to Duo Security’s authentication proxy
  3. Primary authentication using Active Directory or RADIUS
  4. Duo authentication proxy connection established to Duo Security over TCP port 443
  5. Secondary authentication via Duo Security’s service
  6. Duo authentication proxy receives authentication response
  7. Fortinet Fortigate SSL VPN access granted

Configuring FortiClient VPN with multifactor authentication

This guide outlines how to integrate Azure multifactor authentication (MFA) to existing on-premise and cloud-based user authentication and VPN infrastructure.

This setup consists of the following components:

  • On-premise Windows Servers acting as Active Directory (AD) domain controllers with domain name "" configured
  • Two domain-joined network policy servers (NPS) for RADIUS service
  • Cloud-deployed FortiGate-VM spoke nodes with AD VPN connection to the FortiGate-VM hub node for centralized network service accessibility

When a remote VPN user starts FortiClient for VPN connection to any spoke node, the on-premise RADIUS service verifies the user credentials. Integrating Azure MFA to the existing on-premise NPS adds the following MFA methods to the legacy username and password pairs for user authentication:

  • Call to phone (wireless or landline phone numbers)
  • Text message to phone
  • Mobile app token
  • Mobile app notification

When the on-premise AD is synced to Azure AD and the NPS extension for Azure is integrated with the NPS, the FortiClient VPN authentication flow is as follows:

  1. FortiClient initiates a VPN connection request to the FortiGate-VM with username and password pairs.
  2. The FortiGate-VM sends a RADIUS access request message to the NPS servers with several attribute-value pair (AVP) parameters, which include the username and encrypted password.
  3. The NPS server connects to the local AD for primary authentication for the RADIUS request, if all NPS policies are met.
  4. The local AD returns the authentication result to the NPS server. One of the following occurs:
    1. If the credentials are incorrect, the NPS server sends a RADIUS access rejection message to the FortiGate-VM. See step 9.
    2. If the credentials are correct, the NPS server forwards the request to the NPS extension.
  5. The NPS extension triggers a request to Azure MFA for secondary authentication. Azure MFA checks if the user has MFA enabled. One of the following occurs:
    1. If the user does not have MFA enabled, go to step 8.
    2. If the user has MFA enabled, go to step 6.
  6. Azure MFA retrieves the user details from Azure AD and performs the secondary authentication per the user's predefined methods, such as phone call, text message, mobile app notification, or mobile app one-time password. Azure MFA returns the challenge result to the NPS extension.
  7. The NPS server that has the extension installed sends a RADIUS message to the FortiGate-VM. One of the following occurs:
    1. If successful, a RADIUS access accept message is sent. Go to step 8.
    2. If unsuccessful, a RADIUS access reject message is sent. Go to step 9.
  8. The user access is granted and an encrypted VPN tunnel is established.
  9. The VPN connection from FortiClient is disconnected.

This setup requires the following prerequisites:

  • On-premise Windows domain controller and AD
  • On-premise RADIUS service provided by NPS
  • On-premise FortiGate at center, branch offices with Internet connections
  • Azure subscription
  • Azure MFA license
  • FortiGate-VM on the cloud. Spoke 1 and Spoke 2 have VPN connections to Hub 1 and Hub 2
  • Remote VPN users
  • Smartphone with Microsoft Authenticator installed

The following example uses the following settings:

  • FortiClient 6.0.9
  • FortiGate-600D with FortiOS 6.2.2
  • FortiGate-VM pay-as-you-go (PAYG) for Azure with FortiOS 6.2.2
  • Windows Server 2016, domain controller, domain-joined NPS
  • Azure PAYG-DevOps subscription
To configure FortiClient VPN with MFA:
  1. Sign in to the Azure portal as a global administrator for the Azure AD. Add your domain name to the Azure AD as a custom domain name so that your users can keep their sign-in username unchanged.
  2. Sign in to your on-premise domain controller as the domain administrator. Download and install the Azure AD connect tool to sync your domain users to Azure AD.
  3. Download and install the NPS extension to your on-premise NPS server.
  4. Add several usernames to your on-premise domain controller for testing purposes. All users should have dial-in control access through NPS network policy under Network Access Permission. This example adds the following users:

  5. Go to the Azure portal. Click Azure Active Directory > Users > Multi-Factor Authentication. Search and enable MFA for the users you created in step 5.
  6. Install Microsoft Authenticator on your smartphone.
  7. Sign in to as each account that you added in step 5. Enable a different MFA method for each user. This example configures the following:
    • Sign in as Alice Abbott and enable text message.
    • Sign in as Bob Baines and enable mobile app token.
    • Sign in as Carol Cooper and enable mobile app notification.
  8. Configure the on-premise NPS:
    1. Add the remote FortiGate-VM as a RADIUS client.

    2. Enable PAP as a RADIUS authentication method.
  9. Configure dialup VPN and the SSL VPN portal on the spoke FortiGate-VM with user authenticated against on-premise RADIUS/NPS.

Azure MFA with the RADIUS NPS extension deployment supports the following password encryption algorithms used between the RADIUS client (VPN, NetScaler server, and so on) and the NPS server:

  • PAP supports all Azure MFA authentication methods in the cloud: phone call, text message, mobile app notification, and mobile app verification code.
  • CHAPv2 supports phone call and mobile app notifications.
  • This deployment does not support EAP.

When FortiOS authenticates a user against a remote RADIUS server, by default, it selects PAP for SSL VPN and MS-CHAPv2 for IPsec VPN. Users who have mobile app token configured as their MFA method may have trouble connecting to IPsec VPN because the mobile app notification or phone call verification may not reach them.

Select PAP for all RADIUS user authentication in your FortiGate-VM configuration:

  • For IPsec VPN, run in your phase1-interface configuration:

    config vpn ipsec phase1-interface
        edit "Dialup_RAS"
            set type dynamic
            set interface "port1"
            set mode aggressive
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set comments "VPN: Dialup_RAS (Created by VPN wizard)"
            set wizard-type dialup-forticlient
            set xauthtype pap
            set authusrgrp "Azure_MFA_Usergroup"
            set ipv4-start-ip
            set ipv4-end-ip
            set dns-mode auto
            set ipv4-split-include "Dialup_RAS_split"
            set save-password enable
            set client-auto-negotiate enable
            set client-keep-alive enable
            set psksecret Nobody_Knows
            set dpd-retryinterval 60
        next
    end

  • For RADIUS server settings, run and :

    config vpn ssl settings
        set servercert ""
        set idle-timeout 4800
        set tunnel-ip-pools "SSLVPN_Tunnel_172.31.7.0/24"
        set source-interface "port1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "Azure_MFA_Usergroup"
                set portal "0595363 SSLVPN Portal"
            next
        end
    end

    config user group
        edit "Azure_MFA_Usergroup"
            set member "on-premises_NPS"
        next
    end

    config user radius
        edit "on-premises_NPS"
            set server ""
            set secret Nobody_Knows
            set timeout 30
            set nas-ip
            set auth-type pap
            set source-ip ""
        next
    end

To verify that MFA is configured correctly:

    diagnose test authserver radius on-premises_NPS pap [email protected] <password>
    Enter Your Microsoft verification code******
    authenticate '[email protected]' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819755 session_timeout=0 secs idle_timeout=0 secs!

    diagnose test authserver radius on-premises_NPS pap [email protected] <password>
    authenticate '[email protected]' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819758 session_timeout=0 secs idle_timeout=0 secs!

Two-Factor Authentication (2FA/MFA) for Fortinet Fortigate VPN

Fortinet Fortigate managed FortiClient can be used as a VPN Client (IPSec and SSL), an AV client and a host vulnerability scanner. Forticlient is used as the corporate AV solution and for VPN remote access. It works on Windows and Mac but there's no Linux version. If your user wants remote access to their office then FortiClient would be a good solution.

Enabling Two-Factor Authentication (2FA) for your Fortinet Fortigate managed active directory increases security and ensures users only have access to the systems and resources they need. When you enable 2FA, your users enter their username and password (first factor) as usual, and then have to enter an authentication code (the second factor) delivered to their virtual or hardware 2FA device to get access to FortiClient VPN.

Types of 2FA Authentication with RADIUS

The 2-factor authentication can be of two types depending on the VPN clients.

  • VPN Clients that support RADIUS Challenge.
  • VPN Clients that do not support RADIUS Challenge.

miniOrange 2FA authentication for Fortinet Fortigate Login

miniOrange accomplishes this by acting as a RADIUS server that accepts the username/password of the user entered as a RADIUS request and validates the user against the user store as Active Directory (AD). After the first level of authentication, miniOrange prompts the user with 2-factor authentication and either grants/revokes access based on the input by the user.


  1. Primary authentication starts when the user submits a username and password to Fortinet Fortigate.
  2. Fortigate forwards the login as a RADIUS authentication request to the miniOrange RADIUS server.
  3. The miniOrange RADIUS server validates the credentials against those stored in AD (Active Directory) / the database.
  4. Once the user's first factor is validated, AD sends the confirmation to the RADIUS server.
  5. The miniOrange RADIUS server then issues a second-factor challenge to the user.
  6. The user submits the response/code received on their hardware token or phone.
  7. The user's response is checked on miniOrange's RADIUS server.
  8. On successful second-factor authentication the user is granted access.

What are different 2FA/MFA methods for Fortinet Fortigate supported by miniOrange?

miniOrange supports multiple 2FA/MFA authentication methods for Fortinet Fortigate secure access, such as Push Notification, Soft Token, Microsoft / Google Authenticator, etc.

Authentication Type        Method
miniOrange Authenticator   Soft Token
miniOrange Authenticator   Push Notification
Mobile Token               Google Authenticator
Mobile Token               Microsoft Authenticator
Mobile Token               Authy Authenticator
SMS                        SMS with Link
Email                      OTP Over Email
Email                      Email with Link
Call Verification          OTP Over Call
Hardware Token             Yubikey Hardware Token
Hardware Token             Display Hardware Token

You can opt for any of the 2FA methods to secure your Fortinet Fortigate. To integrate 2FA, you can enable RADIUS authentication in Fortinet Fortigate and configure policies in miniOrange to enable or disable 2FA for users.

Connect with any External Directories

miniOrange provides user authentication from various external directories such as miniOrange Directory, Microsoft AD, Azure Active Directory/LDAP, AWS Cognito and many more.

Can't find your Directory? Contact us on [email protected]

Enable Two-Factor Authentication (2FA)/MFA for Fortinet Fortigate Client to extend security level.

1. Add the Radius Client in miniOrange

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click the Add Application button.

  • Choose RADIUS as the application type and click the Create App button.

  • Click the Fortinet Fortigate application tab. If you don't find your application, click the Radius Client application tab.

  • Configure the following details to add the RADIUS client:
    Client Name: Any name for your reference.
    Client IP: IP address of the VPN server that will send RADIUS authentication requests.
    Shared Secret: Security key, for example "sharedsecret". Keep this with you; you will need to configure the same value on the VPN server.
    Include Password & OTP in same Request: Check this option for clients that send the password and the OTP in the same request. Otherwise keep it unchecked.
    Send Groups in Response: Enable this to send user groups as Vendor-Specific Group Attributes.
  • Configure the following policy details for the RADIUS client:
    Group Name: Group to which the policy will apply.
    Policy Name: Any identifier that names the policy.
    Login Method: Login method for the users associated with this policy.
    Enable 2-Factor Authentication: Enables a second factor during login for users associated with this policy.
    Enable Adaptive Authentication: Enables adaptive authentication for login of users associated with this policy.
  • After configuring the details above, click the Save button.

    NOTE: For On-Premise version follow the below steps before testing the connectivity.

    Only For On-Premise Version

    Step 1: Open Firewall Ports.

  • In order to receive the RADIUS request, it is necessary to open UDP traffic on ports 1812 and 1813 for the machine where On-Premise IdP is deployed.
  • If the hosting machine is a Windows Machine then you can follow this document.
  • If the hosting machine is a Linux Machine then you can follow this document.

  • NOTE: If your machine is hosted on AWS, then enable the ports from the AWS panel.

2. Add miniOrange as RADIUS Server in Fortinet FortiGate

  • Login to Fortinet FortiGate Admin console for the VPN application.
  • Go to User & Device >> RADIUS Servers in the left navigation bar and click on Create New.
  • MFA 2FA two-factor authentication for Fortinet Fortigate : Switch to Radius Server

  • Here you need to configure the RADIUS Server.
  • MFA 2FA two-factor authentication for Fortinet Fortigate VPN App Radius server configuration

  • Configure the details below to add the Radius Server.
  • Name: Appropriate name, e.g. mo-radius-server
    Authentication Method: Click on Specify and then select PAP in the dropdown.
    Primary Server IP / Name: For the on-premise version, the IP of the server where the IdP (miniOrange) is installed. For the cloud version, contact us at [email protected] to get the IP.
    Primary Server Secret: Secret key for the Fortinet (RADIUS) app defined in step 1.
    Secondary Server IP / Name: Optional
    Secondary Server Secret: Optional
  • Click OK to save these settings.
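The shared secret from step 1 and the choice of PAP in step 2 are linked. With PAP the FortiGate hides the user's password (and the OTP, when both travel in the same request) under a reversible MD5 keystream derived from the shared secret and a random Request Authenticator, so the RADIUS MFA server can recover and check it; the same secret is then what authenticates the Access-Accept the FortiGate gets back. The following Python models both ends of that exchange. It is an added example written for this page, not miniOrange's or Fortinet's code; the account table, the NAS address 192.0.2.10, the identifier 7 and the secret values are constructed sample data.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18


def _attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (value plus the 2 header octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block), seeding the chain with the Request Authenticator.
    Anyone holding the shared secret can reverse this, which is what the MFA server needs."""
    if len(password) > 128:
        raise ValueError("PAP User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out, prev = out + cipher, cipher
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key_block))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip):
    """The Access-Request the VPN gateway (NAS) sends. Returns (packet, authenticator);
    the NAS keeps the random Request Authenticator to validate the reply."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match the packet")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def response_authenticator(code, identifier, raw_attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(raw_attrs))
    return hashlib.md5(header + request_authenticator + raw_attrs + secret).digest()


def handle_access_request(packet, secret, credentials):
    """Server side: Access-Accept only if the recovered PAP password matches the
    credential table (a real MFA server would also check the second factor here)."""
    code, identifier, req_auth, attrs = parse_packet(packet)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_pap_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and user in credentials and hmac.compare_digest(credentials[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = _attr(ATTR_REPLY_MESSAGE, b"OK" if ok else b"Authentication failed")
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    return header + response_authenticator(reply_code, identifier, reply_attrs, req_auth, secret) + reply_attrs


def verify_response(response, request_authenticator, secret):
    """NAS side: recompute the Response Authenticator with the shared secret before
    honouring an Access-Accept. A reply built without the right secret fails here."""
    code, identifier, given, _ = parse_packet(response)
    expected = response_authenticator(code, identifier, response[20:], request_authenticator, secret)
    return hmac.compare_digest(given, expected)


def demo(secret=b"sharedsecret", username="alice", password="P@ssw0rd123456", server_secret=None):
    """One constructed exchange; returns (reply code, whether the NAS trusts the reply)."""
    credentials = {"alice": b"P@ssw0rd123456"}  # constructed sample account, not real data
    request, req_auth = build_access_request(7, username, password, secret, "192.0.2.10")
    response = handle_access_request(request, server_secret or secret, credentials)
    return parse_packet(response)[0], verify_response(response, req_auth, secret)
```

Calling `demo()` returns `(2, True)` (Access-Accept with a valid Response Authenticator), `demo(password="wrong")` returns `(3, True)` (an authentic Access-Reject), and `demo(server_secret=b"mismatch")` returns `(3, False)`: when the two sides disagree on the secret the server cannot recover the password and the FortiGate cannot trust the reply, which is the usual cause of a failed Test Connectivity in step 3. Because the secret is the only thing protecting both the password in transit and the integrity of the Access-Accept, use a long random value rather than the "sharedsecret" placeholder from step 1, and keep the FortiGate-to-RADIUS path on a trusted network segment.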

3. Test Fortinet Fortigate Connectivity

  • You can now verify the connectivity by clicking on Test Connectivity.
  • MFA 2FA two-factor authentication for Fortinet Fortigate : Test Fortigate Server Connectivity

4. Create a User Group in Fortinet Fortigate

  • NOTE: If you have an existing User Group, just add the miniOrange Radius Server as the Remote Server. If not, follow the steps below.
  • Select User & Device >> User >> User Groups.
  • To Create New group, Click on Create New.
  • MFA 2FA two-factor authentication for Fortinet Fortigate : Create User Group

  • Select Firewall in Type. Click on Add in the Remote Group Section and select miniOrange Radius Server as the Remote Server.
  • MFA 2FA two-factor authentication for Fortinet Fortigate : User Group Configuration

  • Click on Ok.

5. Set Up VPN in Fortigate Admin Console.

  • First, set up an SSL-VPN. Click here for more information.
  • Navigate to Policy & Objects >> IPv4 Policy.
    NOTE: In some cases there is only a Firewall Policy option instead of IPv4 Policy.
  • Create/Edit the policy related to your SSL-VPN interface.
  • Edit the Source, add the required address space and the Group that we configured in Step 4.
  • MFA 2FA two factor authentication for Fortinet Fortigate  : Firewall Policy

  • Click OK to apply and save the settings.
  • Next, we will define Authentication/Portal Mapping.
  • Navigate to VPN >> SSL-VPN Settings, and then go to the Authentication/Portal Mapping section
  • Create a new or edit an existing mapping to grant access to the Firewall User Group that we created in Step 4.
  • MFA 2FA two factor authentication for Fortinet Fortigate : Authentication/Portal Mapping

  • Click Apply and save the settings.

6. Configure the Fortinet Timeout for the miniOrange RADIUS Server

  • The Fortinet FortiGate default RADIUS timeout is 5 seconds, which is insufficient for an MFA login to complete. Reconfigure the timeout to 30 seconds.
  • Connect to the appliance CLI.
  • Execute the commands below on the command line:
  • MFA 2FA two-factor authentication for Fortinet Fortigate : Command Line Interface
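The guide refers to CLI commands but the listing itself is not on the page. The following is an added example of the standard FortiOS settings for this step, not a command listing taken from the original guide: `mo-radius-server` is the example server name from step 2, the per-server `timeout` controls how long the FortiGate waits for that RADIUS server before retransmitting, and the global `remoteauthtimeout` caps how long any remote authentication (RADIUS, LDAP or TACACS+) may take. Both use the 30 seconds the guide specifies.

```text
config user radius
    edit "mo-radius-server"
        set timeout 30
    next
end

config system global
    set remoteauthtimeout 30
end
```

A request that is not answered within the window is treated as an authentication failure, so if users report that an approved push still results in a rejected login, compare these two values with the time the second factor actually takes to complete.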

7. Configure Your User Directory (Optional)

miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito etc), Identity Providers (like Okta, Shibboleth, Ping, OneLogin, KeyCloak), Databases (like MySQL, Maria DB, PostgreSQL) and many more. You can configure your existing directory/user store or add users in miniOrange.

  • On miniOrange dashboard left side menu, click on User Stores >> Add User Store.
  •  2FA: Configure User Store

  • Select User Store type as AD/LDAP.
  •  2FA: Select AD/LDAP as user store

    1. STORE LDAP CONFIGURATION IN MINIORANGE: Choose this option if you want to keep your configuration in miniOrange. If Active Directory is behind a firewall, you will need to open the firewall to allow incoming requests to your AD.
    2. STORE LDAP CONFIGURATION ON PREMISE: Choose this option if you want to keep your configuration on your premises and only allow access to AD inside your premises. You will have to download and install the miniOrange gateway on your premises.
    Two-Factor Authentication : Select ad/ldap user store type

  • Enter LDAP Display Name and LDAP Identifier name.
  • Select Directory Type as Active Directory.
  • Enter the LDAP Server URL or IP Address against LDAP Server URL field.
  • Click on Test Connection button to verify if you have made a successful connection with your LDAP server.
  •  MFA/2FA: Configure LDAP server URL Connection

  • In Active Directory, go to the properties of the user containers/OUs and look up the Distinguished Name attribute.
  •  MFA: Configure user bind account domain name

  • Enter the valid Bind account Password.
  • Click on Test Bind Account Credentials button to verify your LDAP Bind credentials for LDAP connection.
  •  MFA: Check bind account credentials

  • Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got your Distinguished name.
  •  2FA : Configure user search base

  • Select a suitable Search filter from the drop down menu. To use custom Search Filter select "Custom Search Filter" option and customize it accordingly.
  •  MFA/2FA : Select user search filter

  • You can also configure following options while setting up AD. Enable Activate LDAP in order to authenticate users from AD/LDAP. Click on the Save button to add user store.
  •  MFA : Activate LDAP options

    Here's the list of the attributes and what each does when enabled. You can enable/disable accordingly.

    Activate LDAP: All user authentications will be done with LDAP credentials if you activate it.
    Sync users in miniOrange: Users will be created in miniOrange after authentication with LDAP.
    Backup Authentication: If LDAP credentials fail, the user will be authenticated through miniOrange.
    Allow users to change password: This allows your users to change their password. It updates the new credentials in your LDAP server.
    Enable administrator login: On enabling this, your miniOrange Administrator login authenticates using your LDAP server.
    Show IdP to users: If you enable this option, this IdP will be visible to users.
    Send Configured Attributes: If you enable this option, only the attributes configured below will be sent at the time of login.

  • Click on Save. After this, it will show you the list of User Stores. Click on Test Configuration to check whether you have entered valid details. For that, it will ask for a username and password.
  •  2FA: Test AD/Ldap connection

  • On Successful connection with LDAP Server, a success message is shown.
  • Click on Test Attribute Mapping.
  •  LDAP successful connection

  • Enter a valid Username. Then, click on Test. Mapped Attributes corresponding to the user are fetched.
  •  MFA: Fetch mapped attributes for user

  • After successful Attribute Mapping Configuration, go back to the ldap configuration and enable Activate LDAP in order to authenticate users from AD/LDAP.
  • Refer to our guide to set up LDAPS on Windows Server.
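The custom Search Filter option above places the login name a user typed into an LDAP filter, so the value must be escaped per RFC 4515 before it reaches the directory; otherwise a name containing `*`, `(` or `)` changes what the filter matches. The following Python is an added example showing the unsafe substitution beside the hardened one. It is not miniOrange's code and the page does not describe how the product escapes values; the `{username}` placeholder and the filter template are this example's own assumptions.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter so it can only match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# The {username} placeholder is this example's own convention (assumption); the
# guide does not state the substitution syntax miniOrange uses.
DEFAULT_TEMPLATE = "(&(objectClass=user)(sAMAccountName={username}))"


def naive_user_search_filter(login_name: str, template: str = DEFAULT_TEMPLATE) -> str:
    """The unsafe version: filter metacharacters in the login name rewrite the filter."""
    return template.replace("{username}", login_name)


def build_user_search_filter(login_name: str, template: str = DEFAULT_TEMPLATE) -> str:
    """The hardened version: escape first, then substitute into the template."""
    if "{username}" not in template:
        raise ValueError("filter template must contain the {username} placeholder")
    if not login_name:
        raise ValueError("login name must not be empty")
    return template.replace("{username}", escape_ldap_filter_value(login_name))
```

With the login name `*`, the naive function yields `(sAMAccountName=*)`, which matches every user, while the hardened one yields `(sAMAccountName=\2a)`, which matches only an account literally named `*`. The same escaping applies to any other attribute you put in a custom filter, such as userPrincipalName or mail.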

    User Import and Provisioning from AD

  • Go to Settings in the Customer Admin Account.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  miniOrange dashboard

  • Enable the "Enable User Auto Registration" option and click Save.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  Enable User Auto Registration

  • (Optional) To send a welcome email to all the end users that will be imported, enable the "Enable sending Welcome Emails after user registration" option and click Save.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  Enable sending Welcome Emails after user registration

  • From the Left-Side menu of the dashboard select Provisioning.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  User Sync/Provisioning

  • In Setup Provisioning tab select Active Directory in the Select Application Drop Down.
  • Toggle the Import Users tab, click on Save button.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  User Sync Active Directory Configuration

  • On the same section, switch to Import Users section.
  • Select Active Directory from the dropdown and click on the Import Users tab, to import all the users from Active Directory to miniOrange.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  User Sync Import Operation

  • You can view all the users you have imported by selecting Users >> User List from the left panel.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  User List

  • All the imported users will be auto registered.
  • These groups will be helpful in adding multiple 2FA policies on the applications.

miniOrange integrates with various external user sources such as directories and identity providers.

8. Creating User Groups (Recommended)

  • This step involves Importing the user group from the Active Directory and Provisioning them.
  • Go to Provisioning. Switch to Setup Provisioning tab and select Active Directory from Dropdown menu.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate : Select Active Directory (AD)

  • Select Group Provisioning/Deprovisioning tab, and toggle on Import Group option.
  • If you want to dynamically allocate users to the groups present in the miniOrange, then enable "Assign Users to groups"
  • Enter the Base DN for group sync and click Save.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate : Switch on import Group

  • Now switch to Import Groups option and select Active Directory from which you want to import your users.
  • Finally, click on Import button. Your group will be imported.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate : User group imported successfully

    (The Active Directory Group Provisioning (Sync) setup is done. From now on, whenever a user is created or modified in the LDAP server and Assign Users to groups is enabled, the user's group attribute is synced automatically from the LDAP server and the user's group is assigned or changed accordingly in miniOrange.)

9. Configure 2FA/MFA for End-Users

10. Add Another Policy (Optional)

  • Here, we will configure a policy for the User Group that we created in the Step 8 and associate it with the Fortinet Fortigate VPN Application.
  • Click on Policies tab >> App Login Policy.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  App Authentication Policy

  • Click on Add Policy tab.
  • In Application section, select the RADIUS App that we configured earlier in Step 1.
  • Select the required User Group in Group Name and enter the Policy name.
  • In this guide, we will configure a Password Only policy for "VPN_Group", so that only the VPN_Group members can access VPN Services without a Second Factor.
  • Once done with the policy settings, click on Save to Add Policy.
  • MFA/Two-Factor Authentication(2FA) for Fortinet Fortigate  App Add Policy

11. Test miniOrange 2FA setup for Fortinet VPN Login

12. Troubleshooting

  • Log in to the Admin dashboard and click on the CLI icon (>_).
  • MFA 2FA Two-Factor Authentication for Fortinet Fortigate CLI Troubleshooting
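The guide stops at opening the CLI console. As an added example (not commands from the original guide), these are the FortiOS commands typically used to exercise the RADIUS server definition and to trace the authentication daemon: `mo-radius-server` is the example name from step 2, and `testuser` / `TestPassword` are placeholders for an account you know is valid in miniOrange.

```text
diagnose test authserver radius mo-radius-server pap testuser TestPassword
diagnose debug application fnbamd -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

Run the first command on its own: it sends a PAP Access-Request to the named server and reports whether an Access-Accept or Access-Reject came back, which separates a RADIUS problem (secret mismatch, timeout, wrong client IP in step 1) from an SSL-VPN policy or portal-mapping problem (steps 4 and 5). For a live login, enable the fnbamd trace, reproduce the FortiClient login, then disable and reset the debug so the trace is not left running on the appliance.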

Further References

Enable 2FA for SSL VPN in FortiGate

As a part of our continued efforts to provide technical guidance for our clients, a request was made recently as to whether or not we could provide a highly secure, multifactor authentication methodology for remote VPN users. Obviously, there are many choices available, but we found only one that had the scalability necessary to start off small and cost effective, and ultimately scale to hundreds if not thousands of users.

The article below has been written to demonstrate the authentication features of the Fortinet security appliance suite, specifically their flagship product, the FortiGate firewall. I wanted to show a real-life example of how we could provide secure multifactor VPN without having to break the bank. The example below is designed to show this configuration in the most basic sense, using only the features that come with a standard FortiGate appliance. Fortinet includes two FortiToken (two-factor auth) licenses per FortiGate as a way of allowing administrators to experience the power and simplicity of this feature. Today, we’ll be using these included ‘FortiTokens’ to set up our VPN.

It’s important to note that Fortinet allows for their FortiToken functionality to scale well above and beyond what we’ll be looking at today. They even have a dedicated appliance that is specifically designed for authentication offload called the FortiAuthenticator, but we’ll get into that in another article. For now, we’ll stick with the FortiGate and a typical AD authentication setup.



Secure Fortinet Fortigate SSL VPN with LoginTC Multi-factor Authentication (2FA)

Secure access to Fortinet Fortigate SSL VPN with LoginTC two-factor authentication (2FA). Easy for end-users to enroll and log into Fortinet Fortigate SSL VPN and protected applications. Two-factor authentication helps prevent account takeovers.

Multiple authentication methods like Push-based authentication, Software One-Time Passwords (OTP), Hardware Tokens, Bypass Codes and Email One-Time Passwords ensure end-users can always login securely.

Direct integration with Active Directory means you can still leverage passwords as a first factor. Users can also be synchronized from Active Directory for a streamlined rollout.

Enable LoginTC with Fortinet Fortigate SSL VPN to add multi-factor authentication (MFA) to your remote access deployment and keep your organization secure.

Read the Fortinet Fortigate VPN 2FA guide


Why LoginTC

Improve Cyber Security Posture

Reduce risk of account takeover and meet industry regulatory compliance.

Reduce Cost

Easy to deploy, easy to manage and easy to support solution that leverages existing infrastructure.

Deliver a Seamless User Experience

Give users a best-in-class user experience across all of the applications they access.

Increase Productivity

Enable a secure remote workforce, working from anywhere, anytime.

Fortigate SSL VPN setup with FortiAuthenticator and AD authentication
