2FA via LDAP with FortiAuthenticator and FortiToken

  • Published: 24 Jul 2024
  • We cover how to use FortiAuthenticator as an authentication broker to add two-factor authentication with FortiToken:
    0:00 Overview
    0:27 OTP Methods
    1:19 Topology
    2:20 Email Check
    3:00 FortiToken Import
    3:42 LDAP Configuration
    4:21 LDAPS + AD Domain Authentication Considerations
    5:25 Manual User Import
    7:13 Automated/Scalable User Import
    11:13 RADIUS Configuration
    15:54 Final Testing & Troubleshooting
    18:26 Other 2FA cases
  • Science

Comments • 15

  • @gg-kr7dc 2 years ago +2

    Many thanks champ, you are the best. A very simple and easy-to-understand explanation.

  • @carlmarchand8295 1 year ago +1

    Awesome Video! Best on this subject I've seen!

  • @DusanSim 2 months ago +1

    Very well explained. Thank you!

  • @makeitpro66 2 months ago +1

    Very useful. Thanks mate!

  • @Kyle-ug7ym 2 years ago +1

    Very helpful thank you

  • @WADZUP 2 years ago +2

    Amazing!

  • @jonathangutierrez4503 3 months ago +1

    Thanks for your explanation!!

  • @yusufsari5500 2 years ago +1

    Hi bro, many thanks to you. Could you share about the guest portal with FortiAuthenticator :)

  • @Joe-iv5ks 1 month ago

    Do we have to have a Windows server to do MFA with a Fortinet VPN?

  • @socrateslaskaridis1144 1 year ago

    What about giving different permissions in policies for different LDAP groups? Because all authentication groups in policies are matching the FortiAuth group.

    • @tothepointfortinet3823 1 year ago

      Take a look at this link, a fairly similar scenario, but it covers how to do it with a user group. Look for the "IT" group:
      community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Radius-authentication-with-FortiAuthenticator/ta-p/197161?externalID=FD45386

  • @TomSilver_42 2 years ago +1

    Just a few (10) hints:
    1. If you do not have any token to test with, then use DEMO tokens, which can be obtained by any registered FortiGate/FortiAuthenticator .. see 3:27 and switch to "Get FortiToken Mobile free trial tokens". FortiGate has a similar option in Users and Devices / FortiTokens.
    2. LDAPS at 4:41 does have one important benefit: it allows remote users to change their AD password (pure LDAP does not allow that, a secure connection is mandatory).
    3. Windows bind at 5:00 ... without that, LDAP users synchronized as "Remote Users" (they can also be synchronized as Local Users, but will get a separate password generated) would not be able to use anything other than PAP via that intended RADIUS authentication. Any CHAP-based auth will not be possible. And that's sort of mandatory nowadays for any WiFi with EAP-PEAP, which uses MSCHAPv2. So having that Windows bind, and so possible Kerberos/NTLM auth, is truly beneficial. BTW PAP is NOT a RADIUS protocol; RADIUS is a protocol on its own and PAP is just another protocol possibly used in RADIUS messages/communication.
    4. SMS tokens and SMS purchased through Fortinet - 6:09 - is certainly an option, but in System / Messaging you can set up even a 3rd party SMS GW, which can point to a 3rd party service, or even to something like your own email server, web server .. anything SMTP(S)/HTTP(S) based to process those messages with a customizable format.
    5. 8:30 Remote User Sync Rule is a nice tool, and sync every 5 minutes is OK-ish for test, but definitely NOT for production!
    6. Mobile tokens can be TOTP, 6 digit, 60 seconds (default), but could also be HOTP, or 30 seconds, or 8 digits long .. more in System / Administration / FortiGuard / FortiToken Mobile Provisioning.
    7. Around 12:30, that PAP is plain-text, but it might be worth mentioning that the password is NOT carried as plaintext in RADIUS; the AVP User-Password is encrypted with that shared secret, and therefore it should be something stronger than "password123".
    8. RADIUS Client on FortiAuthenticator 12:16 and 13:53: that Client could be defined not only as a single IP, but also as a range or subnet, and so for example a whole management subnet can be defined as a single allowed client (without that Client definition FortiAuthenticator will not respond to any RADIUS request). A single client definition containing multiple actual devices.
    9. FortiToken PUSH workflow and details in KB - community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthenticator-operation/ta-p/190810
    10. Besides typing in a token code, or approval through PUSH notification, there is a 3rd option, and it is to concatenate the user's password with the token code and fill/send it as the password. Then you will not be prompted for the token as an extra step. Sounds inconvenient, especially when there is PUSH. But that token request is a RADIUS Challenge-Request message, and not all the base RADIUS compatible 3rd party clients can also handle RADIUS Challenges properly, like some old routers or switches which can auth admins via RADIUS but with a basic user password only, and this is the way to use accounts with 2FA on those. Another way would be Adaptive authentication in RADIUS Policy to bypass 2FA if the Access-Request came from a specific net/IP where we know the switch/router is unable to handle RADIUS challenges.

  • @gwynbleidd07 1 year ago

    Do the distros for virtual solutions like FortiGate, FortiAuthenticator etc. have an evaluation period for labbing?

    • @tothepointfortinet3823 1 year ago +1

      You can download evals yourself by going to the support.fortinet.com website. But you'll need at least one registered Fortinet product with a contract on it to get access to downloadable images.
      ruclips.net/video/1z5vYNVMys4/видео.html
      The above video goes over FortiGate evals; there's a 15-day limitation.
      You can use a similar process to download FortiAuthenticator as an evaluation too. I cannot recall the limitation on this trial, but I believe it's a limited number of users (instead of a limited trial period).