By Manny Fernandez

February 20, 2019

Fortitoken with Active Directory on Fortigate

Yesterday I wrote a blogpost about two-factor authentication using Duo, Active Directory, Duo Proxy Auth and Fortigate. I mentioned that FortiToken was easier to deploy and decided I would write a blog post using FortiToken, Active Directory and Fortigate.

Fortigates have a built-in two-factor authentication server and you only need to purchase FortiTokens. FortiTokens come in two-factors (no pun intended); hardware and electronic. The electronic tokens are perpetual so you buy them once and you can reuse them as needed.

What you are going to need:

1. Fortigate Firewall
2. FortiToken Licenses (hardware or software)
3. Active Directory

NOTE: You do not require AD as you can create local users and assign them a token.

Lets get started.

Login into your Fortigate firewall and go to ‘Users & Devices’ then ‘FortiToken

For hardware tokens, you can either import it from a text file or seed file.

Electronic Tokens are easier. Enter the ‘Activation Code‘ provided by Fortinet via an email and hit ‘OK

Once you have the tokens listed, we will add an LDAP server to the configuration. Under the same Sub heading of ‘Users & Devices’ then ‘LDAP Servers’.

Ensure the ‘Connection Status’ shows up with the green checkmark and says ‘Successful’.

Now we will create a Security Group in Activie Directory

We will also create a test user

Next, make sure you add the new user to the ‘Security Group’ named ‘FortiToken-GRP’.

Once this is completed you can move back to the Fortigate. Go back to ‘Users & Devices’ and create a ‘User Groups’.

Give the group a name and choose ‘Remote Groups’. Choose the Domain Controler you created earlier, and select the ‘FortiToken-GRP’ group.

Now we are going to create a ‘Remote User’ (e.g. John Doe).

Go to ‘Users & Devices’ and select ‘User Definition’ and choose ‘Remote LDAP User’. Choose the DC you created and browse for the ‘John Doe’ user.

Once the user is created, you will select it and choose ‘Edit’.

Once you edit the user, click the ‘Two-Factor Authentication’ button. From the drop-down list, choose an available FortiToken and save. You can re-send the activation from this window.

NOTE: You must have an email address in the appropriate field.

The user needs to go to their AppStore (Apple) or Market Place (Android) to download the FortiToken app.

IOS AppStore

Google Play Store

The user will recieve and email with the QR code. The one below has been modified to disable it in the graphic.

As in the other blog post, you will need to make sure the User Group is permitted to use the VPN’s particular portal.

And finally, ensure the Policy is configured correctly

Note: Another Option would be to deploy a FortiAuthenticator. The FortiAuthenticator give you more flexability becuase it gives you the ability to use other authentication methods such as OAuth and SAML. Additionally it allows you to do ‘push notification’ where you will receive a a pop-up on you device.

Hope this helps.

Recent posts

  • If you've spent any time configuring user authentication on... Full Story

  • DNS is one of those technologies that quietly underpins... Full Story

  • BGP issues on FortiGate firewalls usually trace back to... Full Story

  • Every time your laptop talks to your router, a... Full Story

  • If you've spent any time configuring NAT on a... Full Story

  • If you have spent any time configuring firewall policies... Full Story

  • High availability on FortiGate is one of those features... Full Story

  • If you've configured SD-WAN on a FortiGate, you've almost... Full Story

  • FortiLink is the management protocol that turns a FortiSwitch... Full Story

  • FortiSwitches are pretty rock solid from Mean Time Between... Full Story

  • This is a quicky tip.  Have you ever gone... Full Story

  • DNS is one of those quiet pieces of internet... Full Story

  • This article is an updated version of the previous... Full Story

  • You will add ns2 as a secondary (slave) BIND9... Full Story

  • In the process of deploying my lab, I needed... Full Story

  • RFC 8805, used to be known as Self-Correcting IP... Full Story

  • Years back, I wrote an article about certificate pinning. ... Full Story

  • FortiGates have the ability to send alerts to Microsoft... Full Story

  • In this post, I am going to walk through... Full Story

  • Troubleshooting VoIP on a FortiGate can feel like trying... Full Story

  • Prior to FortiOS 7.0, there were three commands to... Full Story

  • In this post, I am going to go over... Full Story

  • What we are going to do:  We are going... Full Story

  • Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story

  • Creating a VLAN on macOS (The "Pro" Move) A... Full Story

  • This blog post explores the logic behind how macOS... Full Story

  • Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story

  • Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story

  • ICMP introduces several security risks, but careful filtering, rate... Full Story

  • The command diag debug application dhcps -1 enables full... Full Story

  • In the world of FortiOS, execute tac report is... Full Story

  • LLDP; What is it The Link Layer Discovery Protocol... Full Story

  • What it actually does When you run diagnose fdsm... Full Story

  • Monkey Bites are bite-sized, high-impact security insights designed for... Full Story

  • I have run macOS in macOS with Parallels but... Full Story

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story

  • OSPF (Open Shortest Path First) is a link-state IGP... Full Story

  • 1. High-Level Overview The FortiGate Wireless Intrusion Detection System... Full Story

  • What MIMO Actually Does Multiple Input, Multiple Output (MIMO)... Full Story