FortiGate Two Factor Authentication with Email

by SinaOnline Network Training

Hello everyone, in this video, I will introduce how you can set up 2-step verification for SSL VPN users by sending a token through email. By default, there is no way to enable this option via the graphical user interface. We must enable this feature from the CLI.

First, we must set up an SMTP server. Click on “Settings” under the system menu and enable “Use custom settings”. Write your SMTP server settings. These pieces of information depend on your environment.

Next, go to SSL-VPN portals under the VPN menu. Because I am using this firewall as a test environment, I have to do some configurations to activate SSL VPN on this firewall.

Then, configure SSL-VPN settings. Again, as I told you, I did some configurations to activate SSL-VPN on this firewall, and you don’t need to do these steps in your environment.

Now, I am going to create a user. Click on “User Definition” under “User and Authentication”. Because I don’t have any users, I am going to create one and then enable email-based 2-factor authentication for that user. In your environment, you might be using local users or LDAP users, no matter which type of users you are using; you can enable email-based 2-factor authentication for any type of user.

Click on “Create User”, “Local User”, enter username and password. At this step, I am not enabling 2-factor authentication because we don’t have any option to enable email-based 2-factor authentication, and then submit.

Now, it’s time to enable mail token on this user. As I told you, this can be a local or LDAP user. Edit user, open edit in CLI. You can shortcut to edit this user from CLI or write these commands:

Config user local or LDAP

Edit, then write your selected username

Now write “set two-factor email”

Then write the user’s email address by using “set email-to email address”.

End

Refresh user lists.

Ok, as you can see, email-based two-factor authentication is enabled.

Now, I am writing a test policy to create an SSL-VPN session. It’s time to test email-based token.

Write firewall VPN settings in FortiClient. Enter the username and password of the user.

Ok, FortiGate sends the token to my email address. Let me check my mailbox.

I copied and pasted the received token, and then my VPN connection established.

I hope this video was useful in securing your environment and improving your knowledge. Don’t forget to subscribe to my channel and like videos. Also, if you have any questions, you can ask in the comments.