Users and user groups

Two-factor authentication

The standard logon requires a username and password. This is one factor authentication—your password is one piece of information you need to know to gain access to the system.

Two factor authentication adds the requirement for another piece of information for your logon. Generally the two factors are something you know (password) and something you have (certificate, token, etc.). This makes it harder for a hacker to steal your logon information. For example if you have a FortiToken device, the hacker would need to both use it and know your password to gain entry to your account.

Two-factor authentication is available on both user and admin accounts. But before you enable two-factor authentication on an administrator account, you need to ensure you have a second administrator account configured to guarantee administrator access to the FortiGate unit if you are unable to authenticate on the main admin account for some reason.

The methods of two-factor authentication include:

  • Certificate l Email
  • SMS
  • FortiToken

Certificate

You can increase security by requiring both certificate and password authentication for PKI users. Certificates are installed on the user’s computer. Requiring a password also protects against unauthorized use of that computer.

Optionally peer users can enter the code from their FortiToken instead of the certificate.

To create a peer user with two-factor authentication – CLI example

config user peer edit peer1 set subject E=peer1@mail.example.com

set ca CA_Cert_1 set two-factor enable set passwd fdktguefheygfe

end

For more information on certificates, see Certificates overview on page 108.

Email

Two-factor email authentication sends a randomly generated six digit numeric code to the specified email address. Enter that code when prompted at logon. This token code is valid for 60 seconds. If you enter this code after that time,it will not be accepted.

A benefit is that you do not require mobile service to authenticate. However, a potential issue is if your email server does not deliver the email before the 60 second life of the token expires.

The code will be generated and emailed at the time of logon, so you must have email access at that time to be able to receive the code.

To configure an email provider – web-based manager:

  1. Go to System > Advanced and enable Use Custom Eamil Server under Email Service.
  2. Enter SMTP Server and Default Reply To
  3. If applicable, enable Authentication and enter the SMTP User and Password to use.
  4. Select a Security Mode, options are: None, SMTPS or STARTTLS.
  5. Enter the Port number, the default is 25.
  6. Select Apply.

To configure an email provider – CLI:

config system email-server set server <server_domain-name> set reply-to <Recipient_email_address>

end

To enable email two-factor authentication – web-based manager:

  1. To modify an administrator account, go to System > Administrators. To modify a user account go to User & Device > User Definition.
  2. Edit the user account.
  3. Enable and enter the user’s Email Address.
  4. Select Enable Two-factor Authentication.
  5. Select Email based two-factor authentication.
  6. Select OK.

If Email based two-factor authentication option doesn’t appear after selecting Enable Two-factor Authentication, you need to enable it via the CLI as follows.

To enable email two-factor authentication – CLI:

config user local edit <user_name> set email-to <user_email> set two-factor email end

SMS

SMS two-factor authentication sends the token code in an SMS text message to the mobile device indicated when this user attempts to logon. This token code is valid for 60 seconds. If you enter this code after that time, it will not be accepted. Enter this code when prompted at logon to be authenticated.

SMS two-factor authentication has the benefit that you do not require email service before logging on. A potential issue is if the mobile service provider does not send the SMS text message before the 60 second life of the token expires.

FortiGuard Messaging Service include four SMS Messages at no cost. If you need more, you should acquire a license through support.fortinet.com or via customer service.

If you do not use the FortiGuard Messaging Service, you need to configure an SMS service.

To configure an SMS service – CLI:

config system sms-server edit <provider_name> set mail-server <server_domain-name>

next

end

To configure SMS two-factor authentication – web-based manager:

  1. To modify an:

l administrator account, go to System > Administrators, or l user account go to User & Device > User Definition.

  1. Edit the user account.
  2. Select SMS and enter the Country Dial Code and Phone Number.
  3. Select Enable Two-factor Authentication. and select the correct Token.
  4. Select OK.

If you have problems receiving the token codes via SMS messaging, contact your mobile provider to ensure you are using the correct phone number format to receive text messages and that your current mobile plan allows text messages.

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Users and user groups

  1. Anabella Cristaldi

    Hi Mike, One question: if I have LDAP Users and a remote Radius Group which will check first given an username and password? I’m not able to see If the order is defined somewhere
    Thank you

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.