SSL VPN with RADIUS and FortiToken


In this recipe, you configure a FortiAuthenticator as a RADIUS server to use with a FortiGate SSL VPN. Remote users connect to the SSL VPN using FortiClient and use FortiToken for two-factor authentication.

If you don’t already have an SSL VPN tunnel configured, see SSL VPN using web and tunnel mode.

1. Creating a user and a user group on FortiAuthenticator

To create a user account, connect to the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.

Enter a Username and set Password creation to Specify a password. Enter and confirm the password. Enable Allow RADIUS authentication and set Role to User.

After you create the user, more options are available. Edit the account and enable Token-based authentication.

Set Deliver token code by to FortiToken. Set FortiToken Mobile to an available FortiToken. Set Delivery method to Email.

Under User Information, set Email to the user’s email address.

To create a user group, go to Authentication > User Management > User Groups and select Create New. Add the new user to the group.

After you create the user group, more options are available. Edit the group and create a new RADIUS attribute. Set Vendor to Fortinet, set Attribute ID to Fortinet-Group-Name, and set Value to the name of the group (in the example, SSL_VPN_RADIUS).

2. Creating the RADIUS client on FortiAuthenticator

To create a RADIUS client, go to Authentication > RADIUS Service > Clients, and select Create New.

Enter a Name for the client. Set Client address to IP/Hostname and enter the IP address of the FortiGate (in the example, Set a Secret for the client.

Under User Authentication, set Authentication method to Apply two-factor authentication if available. Select Enable FortiToken Mobile push notifications authentication.

For Realms, set the default realm to local | Local users. Under Groups, enable Filter and set it to the user group.

3. Connecting the FortiGate to FortiAuthenticator and importing the user group

To add the FortiAuthenticator as a RADIUS server for FortiGate, connect to the FortiGate, go to User & Device > RADIUS Servers and select Create New.

Set a Name for the server and set Authentication method to Default.

Under Primary Server, set IP/Name to the IP address of the FortiAuthenticator (in this example, and set Secret to the same secret you configured on the FortiAuthenticator.

Select Test Connectivity to make sure you used the proper settings.

To import the user group, go to User & Device > User Groups and create a new group.

Set a Name for the group. Under Remote Groups, select +Add and select the RADIUS server. Set Groups to the RADIUS attribute you assigned to the group (in the example, SSL_VPN_RADIUS).
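The group match in this step depends on two things in the RADIUS reply: a Response Authenticator computed with the shared secret, and a Fortinet-Group-Name vendor-specific attribute carrying the group name. The following is an added example, not code from Fortinet or from this recipe, that builds and checks such an Access-Accept per RFC 2865. The function names, sample secret and sample request authenticator are constructed for illustration, and the vendor ID 12356 and attribute number 1 are taken from the Fortinet RADIUS dictionary rather than from this page.

```python
import hashlib
import hmac
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet enterprise number (RADIUS dictionary)
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name attribute number
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26
SAMPLE_REQUEST_AUTH = bytes(range(16))   # constructed sample value
SAMPLE_SECRET = b"constructed-secret"    # constructed sample value


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_accept(ident, request_auth, group, secret):
    """Build the Access-Accept a RADIUS server would send for `group`."""
    value = group.encode()
    vsa = struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, 2 + len(value)) + value
    attrs = struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def fortinet_groups(packet, request_auth, secret):
    """Verify the reply with the shared secret, then return its group names."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: secrets differ")
    groups, pos = [], 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", body[:6])
            if vendor == FORTINET_VENDOR_ID and v_type == FORTINET_GROUP_NAME:
                groups.append(body[6:4 + v_len].decode())
        pos += a_len
    return groups
```

A reply checked with a different secret fails verification before any attribute is read, which is why the secret on the FortiGate must be identical to the one set on the FortiAuthenticator RADIUS client.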

4. Allowing RADIUS users to connect to the SSL VPN

To configure SSL VPN authentication, go to VPN > SSL-VPN Settings.

Under Authentication/Portal Mapping, create a new entry for the RADIUS group. Set Portal to tunnel-access, which allows users to connect using FortiClient.

To allow the new group access to the VPN, go to Policy & Objects > IPv4 Policy and edit the policy for the SSL VPN. Select Source and set User to include the RADIUS group.

5. Results

Log in to the SSL VPN.

Enter the FortiToken code when it is requested.

You are connected to the VPN tunnel.

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.