Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MadDog_2023
New Contributor III

Created on ‎03-05-2024 09:14 PM

MFA for admin access

Hi All,

There is a FortiGate 60E.

I set up MFA the way shown on the screenshot. 

 

FG MFA.jpg

 

The drawback of this method is that it requires FortiToken Mobile.

It means if I'm not available nobody can access the router.

Is it possible to set up MFA for admin access in some other way that wouldn't be linked to someone mobile device?  

Labels:
503
0 Kudos
1 Solution
ozkanaltas
Contributor III

Created on ‎03-06-2024 12:35 AM

Hello @MadDog_2023 ,

 

Firstly, I agree with @AEK. You should create more than one admin account on your FortiGate for traceability. 

 

But if you don't want this. You can use email as a 2FA or you can configure a remote radius admin user on your FortiGate. After that, you can control the 2FA option on the Radius server. 

 

If you want to use email as 2FA. You can use these commands. 

 

config system admin
	edit admin
		set two-factor email
	next
end
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
457
4 REPLIES 4
AEK
SuperUser
SuperUser

Created on ‎03-05-2024 10:02 PM

Hello

Yes, just create multiple nominative users.

Actually the good practice is never share one account with many admins (at least for traceability), each admin has his own account. Other very serious companies even disable admin account.

AEK
AEK
490
vikhral10
New Contributor

Created on ‎03-05-2024 10:40 PM

works great, authlite was the best true 2fa we found. Administration is easy. Essentially your User account used for DA wont have DA privilege's until you sign in with your 2fa (yubikey) once successful you're granted DA. We also did this with our LocalserverAdmin groups as well.

https://omegle.onl/ vshare
https://omegle.onl/ vshare
478
ozkanaltas
Contributor III

Created on ‎03-06-2024 12:35 AM

Hello @MadDog_2023 ,

 

Firstly, I agree with @AEK. You should create more than one admin account on your FortiGate for traceability. 

 

But if you don't want this. You can use email as a 2FA or you can configure a remote radius admin user on your FortiGate. After that, you can control the 2FA option on the Radius server. 

 

If you want to use email as 2FA. You can use these commands. 

 

config system admin
	edit admin
		set two-factor email
	next
end
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
458
MadDog_2023
New Contributor III
In response to ozkanaltas

Created on ‎03-06-2024 02:22 AM Edited on ‎03-06-2024 02:23 AM

Thanks guys for you replies.

 

@ozkanaltas thanks heaps.

Exactly what I was after. 

The full command set was:

 

config system admin
edit admin
set two-factor email

set email-to address@company.com
next
end

439
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.