Add FortiToken two-factor authentication
This configuration adds two-factor authentication (2FA) to the FortiClient dialup VPN configuration (Configuring the IPsec VPN). It uses one of the two free mobile FortiTokens that is already installed on the FortiGate.
To configure 2FA using the GUI:
- Configure a user:
- Go to User & Device > User Definition and create or edit local user twoFAuser1.
- Enter the user's Email Address.
- Enable Two-factor Authentication and select one mobile Token from the list,
- Enable Send Activation Code and select Email.
- Click Next and click Submit.
- Add the user to the group:
- Go to User & Device > User Groups and edit the Employees.
- Add twoFAuser1 to the Members list.
- Click OK.
- Activate the mobile token.
- When a FortiToken is added to user twoFAuser1, an email is sent to the user's email address. Follow the instructions to install your FortiToken mobile application on your device and activate your token.
To configure 2FA using the CLI:
- Configure a user and user group.
config user local edit "twoFAuser1" set type password set two-factor fortitoken set fortitoken <select mobile token for the option list> set email-to <user's email address> set passwd <user's password> next end config user group edit "Employees" append member "twoFAuser1" next end
- Activate the mobile token.
- When a FortiToken is added to user twoFAuser1, an email is sent to the user's email address. Follow the instructions to install your FortiToken mobile application on your device and activate your token.