Captive portal two-factor authentication with FortiToken Mobile

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

For this recipe, you will set up a FortiGate to require users on an internal network to use two-factor authentication with FortiToken Mobile through a captive portal to access the Internet.

The captive portal will be added to the FortiGate’s internal interface and you will customize the portal by changing the login page appearance and adding a new image.

This scenario assumes that you have already added an Internet access policy, that you have added FortiToken Mobile to the FortiGate, and the elainemarley user is a member of the FortiToken user group named FTK-users.

1. Enabling FortiToken for elainemarley

Go to User & Device > User Definition and edit elainemarley

Select Enable Two-factor Authentication and select the FortiToken Mobile from the dropdown menu.

Under Contact Info, enable Email Address or SMS, enter elainemarley’s contact information, and select Send Activation Code Email or Send Activation Code SMS. The internal network user will receive the activation code by the method specified.

2. Adding a user account to FortiToken Mobile

Open the FortiToken Mobile application and go to Add account > Enter Manually > Fortinet.

Enter your email address, enter the activation code you received, and select Add account.

The token will activate and start generating codes.

3. Editing the internal interface

Go to Network > Interfaces and edit the internal interface.

Under Admission Control, set Security Mode to Captive Portal.

Set Authentication Portal to Local, and set User Groups to FTK-users.

4. Customizing the captive portal login page

Go to System > Replacement Messages. Under Authentication, select Login Page.

Two panels will open showing the login page that users will see when attempting to browse the Internet, and the HTML format.

You can customize the login page, such as border color and thickness, using the HTML panel. When finished, select Save, then select Manage Images > Create New.

Enter a name for the new replacement image, select a Content Type (select from GIF, JPEG, TIFF, or PNG), and upload an image file of your choice (in the example, Mêlée-Island.png).

Note that your image must be 24 KB or less.

In the HTML panel for Login Page, scroll down to the logo, and configure the HTML as follows:

}.logo{
   background:#eee center 5px url(%%IMAGE:Example%%) no-repeat;
   padding-top:110px;}

Make any other changes you wish.

The new logo will replace the old image, as shown here.

Under Authentication, select FortiToken Page and make the same customization changes made for the login page.  

5. Results

Internal network users will be redirected to the captive portal login page when attempting to browse the Internet.

Enter elainemarley‘s user credentials. You will then be prompted to enter a FortiToken Code. Enter the code and select Continue.

The user is now successfully authenticated and has access to the Internet.

To verify the elainemarley‘s connection, go to Monitor > FortiClient Monitor.

Adam Bristow

Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has a Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
Adam Bristow
  • Was this helpful?
  • Yes   No
Use the Scan Barcode option to scan the attached QR code if you received your activation code by email instead of SMS.