In this recipe, you will enforce two-factor authentication for WiFi users who have physical FortiToken-200 devices through a captive portal. FortiToken-200 users who attempt to browse the Internet will be redirected to the captive portal login page and asked to enter their username, password, and token code.
This recipe assumes that you already have a FortiAP unit connected and authorized to the FortiGate, and that the SSID has been set up and configured to use Captive Portal. For a recipe on how to set up a wireless network through a captive portal, see Captive portal WiFi access control.
This recipe is designed for a FortiToken-200 physical key generator. See step 2 for information about using FortiToken Mobile.
Go to User & Device > FortiTokens and create a new FortiToken.
Set Type to Hard Token and enter the FortiToken's Serial Number into the field provided. Note that the serial number, located on the back of the FortiToken device, is case sensitive and must not be previously used.
Go to User & Device > User Definition and edit the user (rgreen).
Select Enable Two-factor Authentication and select the token created earlier.
Select Add this user to groups and add the user to the captive portal user group (employees).
This recipe uses a FortiToken-200 physical key generator. If the user has FortiToken Mobile instead, the user's contact information must be included so that the FortiToken code can be sent to the user via Email or SMS.
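The same three steps entered from the FortiGate CLI instead of the GUI, as an added example that is not part of the original recipe; the token serial number and the user's password are placeholders, and the email-to line is only needed for a FortiToken Mobile user.

```fortios
# Step 1: register the physical FortiToken-200. The serial number is a
# placeholder; the real one is printed on the back of the device, is case
# sensitive, and must not already be assigned to another user.
config user fortitoken
    edit "FTK200XXXXXXXXXX"
    next
end

# Step 2: enable two-factor authentication for the user and bind the token.
config user local
    edit "rgreen"
        set type password
        set passwd "<user-password>"
        set two-factor fortitoken
        set fortitoken "FTK200XXXXXXXXXX"
        # FortiToken Mobile only: contact details so the code can be sent by
        # Email (or use sms-server / sms-phone for SMS delivery)
        # set email-to "rgreen@example.com"
    next
end

# Step 3: add the user to the captive portal user group.
config user group
    edit "employees"
        set member "rgreen"
    next
end
```

After applying this, the captive portal SSID's selected user group (assumed here to already be "employees") enforces the token prompt for rgreen.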
When a user attempts to browse the Internet, they will be redirected to the captive portal login screen.
Users with two-factor authentication enabled must enter their Username and Password, and are then redirected to a screen requiring the Token Code. Retrieve the code by pressing the button on the FortiToken device.
Once the code is successfully entered, the user will be redirected to the URL originally requested.
On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.