FortiGate + FortiClient MFA: Email OTP & FortiToken Mobile for Remote Users

In this video, I walk through setting up MFA on a FortiGate for remote VPN users connecting with FortiClient. We configure email-based one-time passcodes (OTP), then set up FortiToken Mobile using the token that comes with the firewall, and I also show a real-world troubleshooting scenario where users lose internet access while waiting for the MFA code.

Timestamps:
00:00 Intro
01:21 Lab Info
01:53 Custom SMTP and Auth Timer Settings
03:58 Setting up email MFA
06:36 Troubleshooting: Users have no internet while waiting for token
10:29 Setting up FortiToken Mobile MFA

Troubleshooting note (FortiClient “no internet while waiting for token” workaround)

In the scenario I cover, exporting FortiClient’s settings.xml shows a network block using 0.0.0.0, and changing it to a host /32 (example: 1.1.1.1/32) resolved the issue so users could reach email to retrieve the OTP before completing the VPN login.

Example change: (I had to remove the angle brackets to put this in the description)

network
addr 0.0.0.0 /addr
mask 0.0.0.0 /mask
/network
To:

network
addr 1.1.1.1 /addr
mask 255.255.255.255 /mask
/network
Export command example:

# Run as admin in: C:\Program Files\Fortinet\FortiClient\
fcconfig -p11111111 -f settings.xml -m all -o export
Then import/restore the config in FortiClient (and keep the file in the expected path/name if required by your setup).

Always test in a lab first, and keep backups of configs before making changes.
Keywords:
FortiGate MFA, FortiClient VPN MFA, SSL VPN MFA, IPsec dial-up MFA, Email OTP FortiGate, FortiToken Mobile, Fortinet two-factor authentication, FortiGate VPN security, FortiClient settings.xml, fcconfig, FortiGate SMTP, FortiGate authentication timeout, VPN multi-factor authentication

Видео FortiGate + FortiClient MFA: Email OTP & FortiToken Mobile for Remote Users канала srnetsec