Note: The description in this article is based on a FortiGate FG-300E running FortiOS 6.2.3. It is configured as an FGCP cluster and uses VDOMs.
Documentation Users and user groups - Two-factor authentication
FortiGate supports two-factor authentication (2FA) using an OTP (One-Time Password): a six-digit authentication code valid for 60 seconds (the default expiry). It can be delivered by email message, by SMS message, or generated by a FortiToken (hardware token or mobile app).
Setting up two-factor authentication for users
- (VDOM) > User & Device > User Definitions
Two-factor authentication is configured on a local user object. That object can be a Local User (password stored on the FortiGate) or a Remote User (password verified by an LDAP, RADIUS or TACACS+ server), and the procedure is the same for both. Part of it can be done in the GUI, but in almost every case the settings have to be finished in the CLI.
If we want an LDAP user (e.g., from AD DS) to log in to SSL VPN with two-factor authentication, we must create the user locally as a Remote user; the 2FA setting lives on that local object, not on the LDAP server definition. Technical Note - Configuring Remote LDAP users with Two-Factor Authentication
We can create the users in the GUI as Remote LDAP User, where we select the LDAP server and then the user on it (selecting several users creates several accounts). The accounts are created with the same name as on the LDAP server. Then we edit each user and enable Two-factor Authentication (the password is still verified against the LDAP server). Finally we add the user to the SSL VPN group. Make sure that group contains only these local user objects: if the group also matches the LDAP server directly (a remote group entry), an account that matches through that entry logs in with the password alone and the second factor is never asked for.
For the detailed two-factor settings we must use the CLI. In the GUI we can only select FortiToken; the email option is not shown in the GUI until it has been set in the CLI.
Sending OTP via email
Documentation Technical Tip: Email Two-Factor Authentication on FortiGate
Example of an LDAP user with two-factor authentication where the OTP is sent to the user's email address:
config user local
edit "bouska"
set type ldap
set two-factor email
set email-to "bouska@firma.cz"
set ldap-server "PDC"
next
end
Of course, the outbound mail server must be configured. Either in the GUI
- (Global) > System > Settings - Email Service
or in the CLI with config system email-server (prefer an authenticated STARTTLS or SMTPS relay, otherwise the code travels across the network in cleartext). We can then send a test message:
diagnose log alertmail authcode bouska@firma.cz
When we connect to the SSL VPN with FortiClient, we first enter the username and password and click Connect. A second dialog then appears asking for the Token Code that was sent to the email address. After the correct code is entered, the login succeeds.
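The following is an added, complete CLI example of the email-OTP setup described above; it is not taken from the article. It puts the SMTP relay and the code expiry in the Global context and the LDAP server, the Remote user "bouska" from the text, and an SSL VPN user group in the VDOM. The host names, credentials, the VDOM name "root" and the group name "SSLVPN-2FA" are assumptions; replace them with your own values. Lines starting with # are comments and are ignored when the script is pasted into the CLI.

```fortios
# Added example, not from the original article. All names, addresses and
# passwords below are assumptions for illustration.

# 1) Global: the SMTP relay the OTP mail is sent through. STARTTLS plus
#    authentication keeps the code off the wire in cleartext and stops the
#    relay from accepting mail from anyone.
config global
    config system email-server
        set server "smtp.firma.cz"
        set port 587
        set reply-to "fortigate@firma.cz"
        set authenticate enable
        set username "fortigate@firma.cz"
        set password "Sm7p-Relay-Secret"
        set security starttls
    end
    # Optional: validity of the mailed code in seconds (60 is the default).
    config system global
        set two-factor-email-expiry 60
    end
end

# 2) VDOM: LDAP server, the local user object that references it with
#    email 2FA enabled, and a group that contains ONLY such user objects.
config vdom
    edit "root"
        config user ldap
            edit "PDC"
                set server "pdc.firma.cz"
                set cnid "sAMAccountName"
                set dn "DC=firma,DC=cz"
                set type regular
                set username "CN=svc-fortigate,OU=Service,DC=firma,DC=cz"
                set password "Ldap-Bind-Secret"
                set secure ldaps
                set port 636
            next
        end
        config user local
            edit "bouska"
                set type ldap
                set two-factor email
                set email-to "bouska@firma.cz"
                set ldap-server "PDC"
            next
        end
        config user group
            edit "SSLVPN-2FA"
                # Local user objects only. Do NOT add a remote match such as
                #   config match / set server-name "PDC" / set group-name "..."
                # to this group: a user matched that way would log in with
                # the password alone and never be asked for the code.
                set member "bouska"
            next
        end
    next
end
```

Reference "SSLVPN-2FA" from the SSL VPN portal mapping and the firewall policy instead of the LDAP group itself, so that every SSL VPN login goes through a local user object carrying the two-factor setting.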

The email message is sent to the user's address through the globally configured SMTP server. Its format is:
Subject: AuthCode: 131416
Message body: Your authentication token code is 131416.
Sending OTP via SMS
Documentation Technical Note: SMS Two Factor Authentication in FortiGate
Another option is to send the OTP as an SMS to the user's mobile number. With a custom SMS server this in fact means sending an email to an Email2SMS gateway, and from the FortiGate's point of view the behaviour is exactly the same as for the email option above.
For sending SMS we can use the FortiGuard Messaging Service, which is the default option (set sms-server fortiguard). A small number of messages (4) should be free (the article does not establish whether that is per day or in total), and more can be purchased from Fortinet. Alternatively we can use an internet SMS service, or our own IP GSM gateway connected to the network, for example a 2N VoiceBlue Next.
In both of the latter cases the service has to support the Email2SMS function, i.e. it receives emails and forwards their content as SMS messages. The recipient email address carries the phone number to deliver to, for example 7311234562@sms.firma.cz. As you can see, the special SMS function is not strictly needed: we could use the email option directly and enter the phone-number-as-address format as the user's email.
Unfortunately, FortiGate allows only one email service (SMTP server) to be defined. So if we have our own GSM gateway, the mail must be routed through our mail servers, which then relay it to the gateway. A direct SMTP connection to the GSM gateway would be useful, but there is no separate setting for it.
To set it up we must define the SMS server in the CLI in the Global context. We enter only the server name and the domain (confusingly called mail-server) to which the emails are sent. The recipient addresses are built from this domain as phone-number@mail-server-domain.
config system sms-server
edit "GSM-GW"
set mail-server "sms.firma.cz"
next
end
Then we adjust the user settings in the VDOM:
config user local
edit "bouska"
set type ldap
set two-factor sms
set sms-server custom
set sms-custom-server "GSM-GW"
set sms-phone "7311234562"
set ldap-server "PDC"
next
end
The login process for SSL VPN is then the same as with the email code: password first, then the code received by SMS.
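As an added example (not from the article), the same user configured for the FortiGuard Messaging Service variant mentioned above, which needs no custom SMS server or Email2SMS relay because the FortiGate hands the message to FortiGuard itself. The VDOM name "root", the international phone number format and the expiry option are assumptions; confirm the option names with "?" completion on your firmware.

```fortios
# Added example, not from the original article. Names and numbers are
# assumptions for illustration.

# Global: validity of the SMS code in seconds (60 is the default).
config global
    config system global
        set two-factor-sms-expiry 60
    end
end

# VDOM: same LDAP-backed user, OTP delivered by the FortiGuard service
# instead of the custom Email2SMS gateway "GSM-GW".
config vdom
    edit "root"
        config user local
            edit "bouska"
                set type ldap
                set two-factor sms
                set sms-server fortiguard
                # Assumed to need the international format with country code.
                set sms-phone "+420731123456"
                set ldap-server "PDC"
            next
        end
    next
end
```

Whichever delivery method is used, the user object still has to be the one referenced by the SSL VPN group; the second factor is evaluated only when authentication goes through that object.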