Two-factor authentication
To configure two-factor authentication for administrators you will need the following:
- FortiAnalyzer
- FortiAuthenticator
- FortiToken
Configuring FortiAuthenticator
On the FortiAuthenticator, you must create a local user and a RADIUS client.
Before proceeding, ensure you have configured your FortiAuthenticator, created a NAS entry for your FortiAnalyzer, and created or imported FortiTokens.
For more information, see the Two-Factor Authenticator Interoperability Guide and FortiAuthenticator Administration Guide in the Fortinet Document Library.
Create a local user:
- Go to Authentication > User Management > Local Users.
- Click Create New in the toolbar.
- Configure the following settings:
Username | Enter a user name for the local user. |
Password creation | Select Specify a password from the dropdown list. |
Password | Enter a password. The password must be a minimum of 8 characters. |
Password confirmation | Re-enter the password. The passwords must match. |
Allow RADIUS authentication | Enable to allow RADIUS authentication. |
Role | Select the role for the new user. |
Enable account expiration | Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide. |
- Click OK to continue to the Change local user
- Configure the following settings, then click OK.
Disabled | Select to disable the local user. |
Password-based authentication | Leave this option selected. Select [Change Password] to change the password for this local user. |
Token-based authentication | Select to enable token-based authentication. |
Deliver token code by | Select to deliver token by FortiToken, email, or SMS. Click Test Token to test the token. |
Allow RADIUS authentication | Select to allow RADIUS authentication. |
Enable account expiration | Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide. |
User Role | |
Role | Select either Administrator or User. |
Full Permission | Select to allow Full Permission, otherwise select the admin profiles to apply to the user. This option is only available when Role is Administrator. |
Web service | Select to allow Web service, which allows the administrator to access the web service via a REST API or by using a client application. This option is only available when Role is Administrator. |
Restrict admin login from trusted management subnets only | Select to restrict admin login from trusted management subnets only, then enter the trusted subnets in the table. This option is only available when Role is Administrator. |
Allow LDAP Browsing | Select to allow LDAP browsing. This option is only available when Role is User. |
Create a RADIUS client:
- Go to Authentication > RADIUS Service > Clients.
- Click Create New in the toolbar.
- Configure the following settings, then click OK.
Name | Enter a name for the RADIUS client entry. |
Client name/IP | Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAnalyzer. |
Secret | Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Authentication Server. |
First profile name | See the FortiAuthenticator Administration Guide. |
Description | Enter an optional description for the RADIUS client entry. |
Apply this profile based on RADIUS attributes | Select to apply the profile based on RADIUS attributes. |
Authentication method | Select Enforce two-factor authentication from the list of options. |
Username input format | Select specific user name input formats. |
Realms | Configure realms. |
Allow MAC-based authentication | Optional configuration. |
Check machine authentication | Select to check machine based authentication and apply groups based on the success or failure of the authentication. |
Enable captive portal | Enable various portals. |
EAP types | Optional configuration. |
Configuring FortiAnalyzer
On the FortiAnalyzer, you need to configure the RADIUS server and create an administrator that uses the RADIUS server for authentication.
Configure the RADIUS server:
- Go to System Settings > Admin > Remote Authentication Server.
- Click Create New > RADIUS in the toolbar.
- Configure the following settings, then click OK.
Name | Enter a name to identify the FortiAuthenticator. |
Server Name/IP | Enter the IP address or fully qualified domain name of your FortiAuthenticator. |
Server Secret | Enter the FortiAuthenticator secret. |
Secondary Server Name/IP | Enter the IP address or fully qualified domain name of the secondary FortiAuthenticator, if applicable. |
Secondary Server Secret | Enter the secondary FortiAuthenticator secret, if applicable. |
Port | Enter the port for FortiAuthenticator traffic. |
Authentication Type | Select the authentication type the FortiAuthenticator requires. If you select the default ANY, FortiAnalyzer tries all authentication types. Note: RADIUS server authentication for local administrator users stored in FortiAuthenticator requires the PAP authentication type. |
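The Secret on the FortiAuthenticator RADIUS client entry and the Server Secret on the FortiAnalyzer must match because RADIUS uses the shared secret both to hide the PAP password and to sign the reply. The following Python script is an added example, not Fortinet code or part of this guide: it builds a PAP Access-Request the way a RADIUS client does (RFC 2865), shows a hypothetical server recovering the password only when it holds the same secret, and shows the client checking the Response Authenticator on the reply. The account name, password, secret and NAS address are constructed sample values; the FortiToken step of the real login is not modelled.

```python
import hashlib
import ipaddress
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP password hiding (RFC 2865 s5.2): pad to a 16-byte multiple, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a peer holding the same secret gets the password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """What the RADIUS client (the FortiAnalyzer role) puts on the wire for a PAP login."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes):
    """Walk the TLV list, rejecting lengths that run past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def build_reply(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def server_check(request, secret, user_db):
    """Hypothetical server side: recover the PAP password with its own copy of the
    secret, compare it with the stored credential, and sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attributes(request[20:length]))
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(username) == password else ACCESS_REJECT
    return build_reply(code, ident, req_auth, b"", secret)


def verify_reply(reply, request, secret):
    """Client side: accept a reply only if its identifier matches the request and the
    Response Authenticator was computed with the same shared secret."""
    _code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return ident == request[1] and reply[4:20] == expected


def demo():
    """Constructed sample data: one account, one secret, one request signed with it."""
    users = {"faz-admin": b"S3cretPassw0rd!"}
    secret = b"shared-radius-secret"
    req = build_access_request(7, "faz-admin", "S3cretPassw0rd!", secret, "192.0.2.10")
    good = server_check(req, secret, users)            # server holds the same secret
    bad = server_check(req, b"typo-in-secret", users)  # server holds a different one
    return {
        "matching_code": good[0], "matching_verified": verify_reply(good, req, secret),
        "mismatch_code": bad[0], "mismatch_verified": verify_reply(bad, req, secret),
    }
```

Calling demo() returns Access-Accept (code 2) with a verified reply when both sides share the secret, and Access-Reject (code 3) with a reply the client cannot verify when they do not. That second case is what a mismatched Secret on either side produces: the password the server recovers is garbage, so the user is rejected even though the credentials are correct. The same hiding routine is also why the PAP type is the one the note above calls for: PAP is the only method in which the server receives the password itself and can compare it with the local user's stored password.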
Create the administrator:
- Go to System Settings > Admin > Administrator.
- Click Create New from the toolbar.
- Configure the settings, selecting the previously added RADIUS server from the RADIUS Server dropdown list. See Creating administrators on page 224.
- Click OK to save the settings.
Test the configuration:
- Attempt to log in to the FortiAnalyzer GUI with your new credentials.
- Enter your user name and password and click Login.
- Enter your FortiToken pin code and click Submit to log in to the FortiAnalyzer.