Hardware tokens for two-factor authentication with FortiGate

About LDAP Proxy

  • Token2 TOTPRadius v2.3 with built-in free 5 users license
  • A mobile application (such as Google Authenticator) and/or a classic or a programmable Token2 TOTP hardware token used as the second factor

Step 1. Create a new RADIUS server entry and assign it to a User group

Navigate to User & Authentication -> RADIUS Servers. Click on the ‘+ Create New’ button and fill in the information below:

  • Type: choose ‘Firewall’
  • Remote Groups: click on Add, then select ‘TOTPRadius’ from the Remote Server list
  • Click ‘OK’ to complete the process

Step 2. Enable administrative access for TOTPRadius hosted users

Navigate to Security -> Administrators, then click on the ‘+ Create New -> Administrator’ button to prepare the account.

  • Type: “Match a user on a remote server group”
  • Set a backup password and confirm it (this password may be used as a fallback mechanism if the RADIUS server is unreachable)
  • Select Administrator Profile, for example, super_admin

Step 3. Configure TOTPRadius in LDAP Proxy mode

  • Set ‘Allow initial login’ to 0
  • In the LDAP settings section:
      • Set the LDAP server (hostname or IP for regular LDAP, or ldaps://ip_or_hostname for LDAPS). Separate multiple servers with spaces.
      • Put your NETBIOS prefix or UPN suffix in the username format field, keeping the %username% string. For example, if a user in your AD environment logs in as [email protected], the username format field should be set to “%username%@domain.com”.
      • You also need to define the LDAP search string so that the LDAP session can locate the users’ OU (e.g. ‘ou=users,o=myorgname’).
      • Leave the LDAP Group field empty (this setting is not used by the Fortinet integration).
      • If you want users to self-enrol the second factor, enable the “Allow LDAP Enrollment” option.

Step 4. Generate or set the second factor for the user on TOTPRadius appliance

In this step, we will create a second-factor record (TOTP secret) for the username previously created under the FortiGate interface (Step 2).

Ready to log in

After all 4 steps above are completed successfully and without errors, the user can log in to the Fortinet web interface using their username, their Active Directory password and the 6-digit OTP generated by the hardware token or the mobile app.
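The 6-digit OTP mentioned above is a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP): the token and the TOTPRadius appliance share a secret, and each derives the same code from the current 30-second time step. The following is an added example, not Token2’s or Fortinet’s code, showing how such a code is generated and how a server-side check should accept one step of clock drift while refusing a code that has already been used. The names (`hotp`, `totp`, `TotpVerifier`) are mine, and the test secret is the well-known RFC 4226/6238 test vector, not a secret from any real deployment.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

TIME_STEP = 30   # seconds per time step (RFC 6238 default, used by most hardware tokens)
DIGITS = 6       # length of the one-time code shown on the token

# Constructed test secret: the ASCII string "12345678901234567890" from the RFC test vectors,
# base32-encoded as it would be when enrolling a token or a mobile app.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Create a fresh random shared secret (20 bytes = 160-bit HMAC-SHA1 key), base32-encoded."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    # Re-add any base32 padding the enrollment string may have dropped.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret_b32, at_time // TIME_STEP)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps either side to tolerate token clock drift,
    and remembers the highest step already consumed so the same code cannot be replayed
    within the acceptance window.
    """

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_counter = -1  # highest time step that has already been used

    def verify(self, code: str, at_time=None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        current = at_time // TIME_STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed: refuse replays
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Demo with a freshly generated secret, as the appliance would do at enrollment time.
    secret = generate_secret()
    print("enroll this secret on the token/app:", secret)
    print("code right now:", totp(secret))
```

The `window` of one step on each side is what makes a hardware token with a slightly drifted clock still usable; widening it makes guessing easier, so keep it small and combine it with rate limiting on the RADIUS side. Tracking `last_counter` is essential because a code is otherwise valid for the whole window and could be resubmitted.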
