Two-factor authentication with FortiGate can be implemented using several different methods (SMS, email, etc.), with OTP-based 2FA being the most secure one. 2FA can be implemented natively with FortiToken, a disconnected one-time password (OTP) generator. It is either a small physical device with a button that, when pressed, displays a six-digit authentication code, or a mobile app that uses a proprietary algorithm for the enrollment process. FortiToken is a component of Fortinet infrastructure that requires an additional license (even for the mobile app version), which some customers find quite expensive.
Fortunately, Fortinet allows using external RADIUS servers as the authentication source and this will allow implementing two-factor authentication using Token2 TOTPRadius appliance as a more cost-effective alternative to the standard method.
In this guide, we will show how to configure a Fortinet gateway to work with TOTPRadius in LDAP proxy mode. The authentication will use the standard login forms (username + password only), and the password field is expected to contain the LDAP password followed by the 6-digit OTP as a single string. For simplicity, this guide will show configuring accounts with administrative access.
The principle behind the LDAP proxy feature of TOTPRadius is that users provide their AD or LDAP password together with the one-time password in the password field. TOTPRadius then parses the password, splits it into two parts, validates the OTP and, if it is correct, forwards the AD/LDAP password part to the configured AD/LDAP server. This setup was tested only with Microsoft Active Directory as the LDAP backend.
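To make the split-and-verify behaviour concrete, here is an added example (not TOTPRadius's own code) that models what the LDAP proxy mode does with the combined password field: take the trailing 6 digits as the TOTP, verify them against the user's enrolled secret with a small clock-drift window, and only then release the remaining LDAP password for forwarding. The secret used is the RFC 6238 reference test key, and the user password is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6      # FortiGate users append a 6-digit code, as described above
TIME_STEP = 30      # RFC 6238 default step in seconds
DRIFT_WINDOW = 1    # accept one step before/after to tolerate clock skew

# RFC 6238 reference key ("12345678901234567890") in base32, the format
# TOTPRadius expects when a hardware token key is pasted in.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, digits: int = OTP_DIGITS,
         step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_combined_password(combined: str, digits: int = OTP_DIGITS):
    """Split '<ldap password><6-digit otp>' into its parts, or None if malformed."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_combined(combined: str, secret_b32: str, now: int = None,
                    window: int = DRIFT_WINDOW):
    """Return the LDAP password to forward if the OTP is valid, else None."""
    parts = split_combined_password(combined)
    if parts is None:
        return None
    ldap_password, otp = parts
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * TIME_STEP)
        if hmac.compare_digest(expected, otp):   # constant-time comparison
            return ldap_password
    return None


if __name__ == "__main__":
    # Constructed sample: AD password "Sup3rSecret!" + code valid at t=59
    print(verify_combined("Sup3rSecret!287082", RFC6238_TEST_SECRET_B32, now=59))
```

Only when `verify_combined` returns a password would the proxy send it on to Active Directory; a malformed or wrong OTP never reaches the LDAP backend.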
The setup described in this guide is based on the following components:
Navigate to User & Authentication -> RADIUS Servers. Click on the '+ Create New' button and fill in the following information:
Name: the name of the appliance (we will use 'TOTPRadius' for this guide as an example)
NAS IP: leave empty
IP/Name: the IP address of your TOTPRadius appliance
Secret: RADIUS secret of your TOTPRadius appliance (configured on the 'General settings' page in the admin panel of TOTPRadius)
Navigate to User & Authentication -> User Groups and click on the '+ Create New' button. Provide the following information:
Navigate to Security -> Administrators, then click on the '+ Create New -> Administrator' button to prepare the account.
Fill in the following information:
In this step, we will create a second-factor record (TOTP secret) for the username previously created under the FortiGate interface (Step 2).
Log in to the TOTPRadius admin interface and click on the New User button. This will generate a QR code that should be used to provision the TOTP profile on a mobile authenticator app (Google Authenticator, Microsoft Authenticator, Token2 TOTP+ or any other RFC 6238-compliant application). If a hardware token is to be used for this user, click on the 'Edit profile or assign hardware token' button and paste the secret key of the hardware token into the Token key field in base32 format.
If a programmable hardware token is used, you can burn the secret onto the hardware token by scanning the QR code using one of the NFC Burner apps.
After all 4 steps above are completed successfully and without errors, the user can log in to the Fortinet web interface using their username, and their Active Directory password followed by the 6-digit OTP generated by the hardware token or the mobile app.