FortiToken two-factor authentication with RADIUS on a FortiAuthenticator


In this recipe, you will set up FortiAuthenticator to function as a RADIUS server to allow SSL VPN users to authenticate with a FortiToken-200.

You will configure a user (gthreepwood), FortiToken-200, and the RADIUS client on the FortiAuthenticator, create the SSL VPN tunnel, and configure the FortiGate to use the FortiAuthenticator as a RADIUS server.

Note: Since publication, edits have been made to reflect minor GUI path changes made in the release of FortiAuthenticator 4.2.

Watch the video

1. Adding the FortiToken to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > FortiTokens, and select Create New.

Make sure Token type is set to FortiToken Hardware, and enter the FortiToken’s serial number into the field provided.

2. Adding the FortiToken user to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.

Enter a Username (gthreepwood), enter and confirm a password, and make sure that Allow RADIUS authentication is enabled.

Select OK to access additional settings.

Enable Token-based authentication, select to deliver the token code by FortiToken, and select the FortiToken added earlier from the FortiToken Hardware dropdown menu.

Next, go to Authentication > User Management > User Groups, create a user group (RemoteFortiTokenUsers), and add gthreepwood to the group.

3. Creating the RADIUS Client on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.

Enter a name (OfficeServer), set Client name/IP to the IP of the FortiGate, and set a Secret. The secret is a pre-shared, secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

Set Authentication method to Enforce two-factor authentication, set Realms to local | Local users, and add RemoteFortiTokenUsers to the Groups filter.

Note the Username input format. This is the format that the user must use to enter their username in the web portal.

4. Connecting the FortiGate to the RADIUS Server

On the FortiGate, go to User & Device > RADIUS Servers, and select Create New.

Enter a Name (OfficeRADIUS), set Primary Server IP/Name to the IP of the FortiAuthenticator, and enter the Secret created before.

Test the connectivity and enter the credentials for gthreepwood. The test should come back with a successful connection.
The FortiGate can now log into the RADIUS client added earlier to the FortiAuthenticator.

Then go to User & Device > User Groups, and select Create New.

Enter a Name (SSLVPNGroup), and under Remote groups, select Create New.

Select OfficeRADIUS under the Remote Server dropdown menu.

5. Configuring the SSL VPN on FortiGate

On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL-VPN Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

Go to Policy & Objects > IPv4 Policy and create a new SSL-VPN policy.

Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface.

Set Source to the SSLVPNGroup user group and set Destination Address to all.

Set Schedule to alwaysService to ALL, and enable NAT.

6. Results

From a remote device, open a web browser and navigate to the SSL VPN web portal (https://FortiGate-IP:10443).

Enter gthreepwood‘s credentials and select Login.

Note that the username has to be entered in the format ‘realm\username‘, as per the client configuration on the FortiAuthenticator (in this example, local\gthreepwood).

The user will then be prompted to enter their FortiToken code.

Once the code is successfully entered, gthreepwood will successfully log into the SSL VPN Portal.

On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

The serial number, located on the back of the FortiToken device, is case sensitive. Note that the token can only be registered to one device.