Hardware tokens for two-factor authentication with FortiGate

About LDAP Proxy

  • Fortinet gateway deployed as a virtual appliance on VMware ESXi (FortiGate VM64), with full admin access to the gateway
  • Token2 TOTPRadius v2.3 with the built-in free 5-user license
  • A mobile application (such as Google Authenticator) and/or a classic or programmable Token2 TOTP hardware token used as the second factor

Step 1. Create a new RADIUS server entry and assign to User group

  • Name: Name of the user group allowed to use TOTPRadius authentication, in our example, we use “TOTP” as the name of the group
  • Type: choose ‘Firewall’
  • Remote Groups: click on Add, then select ‘TOTPRadius’ from the Remote Server list
  • Click ‘OK’ to complete the process

Step 2. Enable administrative access for TOTPRadius hosted users

  • Username: same as your LDAP username
  • Type: “Match a user on a remote server group”
  • Set a backup password and confirm it (this password may be used as a fallback mechanism if the RADIUS server is unreachable)
  • Select Administrator Profile, for example, super_admin

Step 3. Configure TOTPRadius in LDAP Proxy mode

  • Set ‘Allow initial login’ to 0
  • In the LDAP settings section:
      • Set the LDAP server (hostname or IP for regular LDAP, ldaps://ip_or_hostname for LDAPS). Separate multiple servers with spaces
      • Put your NETBIOS prefix or UPN suffix in the username format field, keeping the %username% string. For example, if a user in your AD environment logs in as username@domain.com, the username format field should be set to “%username%@domain.com”
      • You also need to define the LDAP search string so that the LDAP session can locate the users’ OU (e.g. ‘ou=users,o=myorgname’)
      • The LDAP Group field should be left empty (this setting is not used by the Fortinet integration)
      • If you want users to self-enrol their second factor, enable the “Allow LDAP Enrollment” option

Step 4. Generate or set the second factor for the user on TOTPRadius appliance
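The same RADIUS server, user group and administrator objects from Steps 1 and 2 can also be created from the FortiGate CLI. The fragment below is an added example written for this page, not configuration taken from Token2 or Fortinet documentation; the TOTPRadius address, shared secret and the admin account name are placeholders that you would replace with your own values.

```text
# Step 1: RADIUS server entry pointing at the TOTPRadius appliance
config user radius
    edit "TOTPRadius"
        set server "192.0.2.10"            # placeholder: TOTPRadius appliance IP
        set secret "REPLACE_WITH_SECRET"   # placeholder: must match the secret set on TOTPRadius
    next
end

# Step 1 (cont.): firewall user group whose remote member is the RADIUS server
config user group
    edit "TOTP"
        set member "TOTPRadius"
    next
end

# Step 2: administrator matched against the remote group, with a fallback password
config system admin
    edit "jdoe"                            # placeholder: same as the LDAP username
        set remote-auth enable
        set remote-group "TOTP"
        set accprofile "super_admin"
        set password "REPLACE_WITH_BACKUP" # fallback only if the RADIUS server is unreachable
    next
end
```

The fallback password is the same backup password Step 2 sets in the GUI, so it should be as strong as any local admin credential and its use should show up in your admin login logs as a local rather than a RADIUS authentication.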

Ready to log in
