VPN · SSL-VPN · RADIUS

MFA for Fortinet FortiGate

FortiGate SSL-VPN is one of the most-targeted entry points on the internet — credential-stuffing and leaked passwords turn a single reused login into network access. FortiOS validates VPN users against RADIUS but ships no second factor of its own. Authnull sits in front of that RADIUS exchange and enforces phishing-resistant MFA on every FortiClient and SSL-VPN web login, without replacing FortiAuthenticator or touching your firewall policy. Point the FortiGate at Authnull as a RADIUS server, map your user group, and a push or security-key prompt is required before the tunnel comes up.

At a glance
Vendor: Fortinet
Connects via: RADIUS
Protects: SSL-VPN & admin login
Deployment: Agentless
Setup time: 20 minutes
No rip-and-replace — sits in front of your existing setup
How Authnull connects

Fortinet FortiGate forwards the login; Authnull adds the factor.

[Diagram: Fortinet FortiGate (user connects), Authnull (RADIUS), Directory (AD / LDAP), User device (approve factor)]

FortiOS sends an Access-Request to Authnull; Authnull verifies the primary credential against your directory, issues an Access-Challenge for the factor, then returns Access-Accept. Because it's standard RADIUS, FortiClient needs no changes — just a longer auth timeout so users have time to approve.
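The Access-Request, Access-Challenge, Access-Accept exchange described above, written out as an added Python example (not Authnull or Fortinet code) using the RFC 2865 packet layout and PAP password hiding. The shared secrets, user name, NAS-Identifier, State value and OTP are constructed, and it assumes the user answers the challenge by sending an OTP in User-Password with the State echoed back.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, STATE, NAS_IDENTIFIER = 1, 2, 24, 32  # attribute types

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def pap_xor(data, secret, request_auth, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    data = data + b"\0" * (-len(data) % 16) if hide else data
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]
        out += block
    return out if hide else out.rstrip(b"\0")

def build_request(ident, secret, user, password, nas_id, state=b""):
    request_auth = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = attr(USER_NAME, user) + attr(NAS_IDENTIFIER, nas_id)
    attrs += attr(USER_PASSWORD, pap_xor(password, secret, request_auth, True))
    attrs += attr(STATE, state) if state else b""  # echo State when answering a challenge
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, request, secret, attrs):
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):  # NAS-side check of the Response Authenticator
    want = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(want, response[4:20])

def parse_attrs(packet):
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs

def run_exchange(server_secret, nas_secret):  # -> (challenge_ok, accept_ok, password_seen, otp_seen)
    req1 = build_request(1, nas_secret, b"alice", b"constructed-pass", b"fortigate-lab")
    chal = build_response(ACCESS_CHALLENGE, req1, server_secret, attr(STATE, b"sess-01"))
    req2 = build_request(2, nas_secret, b"alice", b"123456", b"fortigate-lab", parse_attrs(chal)[STATE])
    accept = build_response(ACCESS_ACCEPT, req2, server_secret, b"")
    seen = [pap_xor(parse_attrs(r)[USER_PASSWORD], server_secret, r[4:20], False) for r in (req1, req2)]
    return (verify_response(chal, req1, nas_secret), verify_response(accept, req2, nas_secret), *seen)
```

Calling `run_exchange` with two different secrets shows what a mistyped shared secret looks like: the server decodes garbage instead of the password and the NAS rejects both replies. With PAP the password is protected on the wire only by MD5 and that shared secret, so the secret should be long and random.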

Setup

Configure MFA for Fortinet FortiGate

Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 20 minutes.

1. Add Authnull as a RADIUS server

In FortiOS, create a new RADIUS server pointing at your Authnull connector. Use the shared secret from the Authnull console and set the auth method to PAP.

User & Authentication → RADIUS Servers → Create New

2. Create a matching user group

Add a firewall user group of type Firewall and add the Authnull RADIUS server as a remote group. This is what you will bind to the VPN.

User & Authentication → User Groups → Create New

3. Bind the group to your SSL-VPN

Edit the SSL-VPN settings (or the authentication rule) and assign the new group to the portal so VPN logins authenticate through Authnull.

VPN → SSL-VPN Settings → Authentication/Portal Mapping

4. Raise the RADIUS timeout

Push approval needs more time than a password check. Increase the RADIUS auth timeout from the CLI so the challenge does not expire before the user taps approve.

FortiOS CLI
config system global
  set remoteauthtimeout 60
end

5. Test from FortiClient

Connect with a test account. You should get the primary prompt, then a push or OTP challenge; approving it brings the tunnel up. Check Authnull logs for the Access-Accept.

Reference — connection values
Auth method: PAP
RADIUS port: 1812 / 1813
remoteauthtimeout: 60s
NAS attribute: NAS-Identifier

Closes the MFA gap auditors look for

Enforcing MFA on Fortinet FortiGate gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.
