Hardware tokens for two-factor authentication with FortiGate

About LDAP Proxy

  • Fortinet gateway deployed as a virtual appliance on VMware ESXi (FortiGate VM64) and full admin access to the gateway
  • Token2 TOTPRadius v2.3 with built-in free 5 users license
  • A mobile application (such as Google Authenticator) and/or a classic or a programmable Token2 TOTP hardware token used as the second factor

Step 1. Create a new RADIUS server entry and assign to User group

  • Name: the name of the user group allowed to use TOTPRadius authentication; in this example the group is named “TOTP”
  • Type: choose ‘Firewall’
  • Remote Groups: click on Add, then select ‘TOTPRadius’ from the Remote Server list
  • Click ‘OK’ to complete the process

Step 2. Enable administrative access for TOTPRadius hosted users

  • Username: same as your LDAP username
  • Type: “Match a user on a remote server group”
  • Set a backup password and confirm it (this password may be used as a fallback mechanism if the RADIUS server is unreachable)
  • Select Administrator Profile, for example, super_admin
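The FortiGate side of Steps 1 and 2 can also be applied from the CLI, which is easier to review and reproduce than GUI clicks. This is an added example, not configuration from the original article or from Token2; the RADIUS server address, shared secret, admin name and backup password are placeholders, and PAP is assumed as the RADIUS authentication method (an assumption, not stated on the page).

```fortios
# Step 1: RADIUS server entry pointing at the TOTPRadius appliance
# (server IP and secret are placeholders; PAP is an assumption)
config user radius
    edit "TOTPRadius"
        set server "192.0.2.10"
        set secret "REPLACE_WITH_SHARED_SECRET"
        set auth-type pap
    next
end

# Step 1: firewall user group whose members are looked up on the remote RADIUS server
config user group
    edit "TOTP"
        set group-type firewall
        set member "TOTPRadius"
    next
end

# Step 2: administrator account matched against the remote group ("Match a user on a
# remote server group" in the GUI, i.e. wildcard left disabled so only this named
# account matches), with a local backup password used only if RADIUS is unreachable
config system admin
    edit "jdoe"
        set remote-auth enable
        set remote-group "TOTP"
        set accprofile "super_admin"
        set password "REPLACE_WITH_BACKUP_PASSWORD"
    next
end
```

Keep the backup password as strong as the primary credential: it bypasses the second factor by design whenever the RADIUS server is down.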

Step 3. Configure TOTPRadius in LDAP Proxy mode

  • Set ‘Allow initial login’ to 0
  • In the LDAP settings section:
  • Set the LDAP server (hostname or IP for plain LDAP, ldaps://ip_or_hostname for LDAPS). Separate multiple servers with spaces
  • Put your NetBIOS prefix or UPN suffix in the username format field, keeping the %username% string. For example, if a user in your AD environment logs in as [email protected], the username format field should be set to “%username%@domain.com”
  • You also need to define the LDAP search string so that the LDAP session can locate the users’ OU (e.g. ‘ou=users,o=myorgname’)
  • Leave the LDAP Group field empty (this setting is not used by the Fortinet integration)
  • If you need the user to self-enrol the second factor, enable “Allow LDAP Enrollment” option

Step 4. Generate or set the second factor for the user on TOTPRadius appliance

Ready to log in
