FortiGate VPN 2FA

This guide shows how to enable Fortinet FortiGate VPN 2FA (two-factor authentication) via the RADIUS authentication protocol using Protectimus multi-factor authentication system.

Two-factor authentication is a must-have measure of cybersecurity, especially if we talk about VPN connection security. Set up 2-factor authentication for Forticlient VPN to protect your users’ accounts and sensitive corporate data from unauthorized access. 2FA for Fortinet FortiGate VPN is an effective tool against brute force, data spoofing, social engineering, phishing, keyloggers, man-in-the-middle attacks, etc.

1. How Fortinet FortiGate VPN Two-Factor Authentication (2FA) Works

Setting up two-factor authentication for the FortiGate VPN, you make your end users enter two different authentication factors to get access to their accounts.

1. The first authentication factor is a standard password and login (something the user knows);
2. The second authentication factor is a one-time code generated using an OTP token or a phone (something the user has).

Fortinet FortiGate VPN 2FA enabled makes it too hard to get unauthorized access to the user account because it is almost impossible to hack both authentication factors simultaneously. And what makes the task even more challenging is that a one-time code is valid only for 30 seconds.

Below you will find detailed instructions showing how to set up Fortinet Fortigate VPN 2FA via RADIUS using the Protectimus Cloud Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform.

2. How to Enable Fortinet FortiGate VPN 2FA

You can set up FortiGate VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure FortiGate VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Fortinet FortiGate 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Fortinet FortiGate 2FA

1. Login to your Fortinet FortiGate account and go to the Admin console.
2. Navigate to User & Device –> RADIUS Servers, then choose Create New to start adding a new RADIUS Server.

3. You will see a menu that allows you to add a new RADIUS Server.

4. Configure the following RADIUS settings to add a RADIUS Server.

Name	Come up with a name for your RADIUS server.
Authentication Method	Click on Specify and then select PAP from the dropdown menu.
Primary Server IP / Name	IP of server where the Protectimus RADIUS Server component is installed
Primary Server Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Secondary Server IP / Name	Optional
Secondary Server Secret	Optional

5. Click Test Connectivity to make sure that the RADIUS Server IP address and shared secret you indicated above work and that the connection between FortiGate VPN and RADIUS Server is established.

6. If everything looks good, click OK to save your settings.

2.4. Create a User Group

1. Navigate to User & Device –> User Groups.
2. To add a new group, click on Create New.

3. Choose Firewall in Type. Then find the Remote Groups section, click Add, and select Protectimus Radius Server as the Remote Server.

4. Save your settings – click OK.

2.5. Associate the User Group with the FortiGate VPN

PLEASE NOTE! Use an IPsec Wizard to add a new IPSec Tunnel if there is no configured one.

1. Navigate to VPN –> IPSec Tunnels and choose the IPSec Tunnel you have configured.

2. Click on Convert To Custom Tunnel if this IPSec Tunnel is not a custom tunnel yet.

3. Go to the XAuth section and click Edit
4. Click on PAP Server in the Type dropdown menu.

5. In User Group dropdown select the User Group you have created in Step 2.4.
6. Click OK to save your settings.

2.6. Synchronize the Fortinet FortiGate Timeout with Protectimus RADIUS Server

1. FortiGate VPN default timeout is 5 seconds, which is insufficient while setting up FortiGate VPN 2FA. You need to change the timeout to 30 Seconds.
2. To do this, connect to the appliance CLI.
3. And execute the commands that are shown below:

2.7. Test Protectimus 2FA setup for Fortinet VPN Login

1. Login to Forticlient and enter your Username and Password.

2. You will be asked to enter a One-Time Password if you have enabled two-factor authentication for Fortigate VPN successfully.

3. Enter your one-time code from the two-factor authentication token and you should get access to the Fortigare VPN.

PLEASE NOTE! When you confige an IPSec VPN connection in FortiClient use the Pre-Shared key of the IPSec Tunnel that was created LAST. Fortinet may have issues if multiple IPSec Tunnels are present at FortiGate Server.

Integration of Fortinet FortiGate VPN 2FA is now complete. If you have other questions, contact Protectimus customer support service.