Day 19 – User Authentication & Two-Factor Authentication (2FA)
Administrator Access Control
What is Administrator Access Control
Controls who can log in to FortiGate
Protects firewall management plane
Why It Is Important
Firewall controls entire network
Prevents unauthorized configuration changes
Protects logs and security policies
Access Control Methods
Limit management access to trusted hosts and to a dedicated management interface
Role-Based Access Control (RBAC)
Strong passwords and authentication
Enable logging of admin activities
Local Administrator Accounts
What are Local Accounts
Stored directly on FortiGate
No dependency on an external server, so they still work when LDAP or RADIUS is unreachable
Common Local Admin Roles
Super Admin – full access
Read-only Admin – view only
Custom Admin – limited permissions
Advantages
Simple configuration
Useful as a break-glass account when remote authentication fails
Best Practices
Use strong passwords
Limit number of super admins
Enable 2FA
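The FortiOS CLI counterpart of the points above, added here as an example rather than taken from the original notes. Interface names, addresses, account names, e-mail addresses and the FortiToken serials are assumed placeholders; the `#` lines are annotations to drop before pasting into a console.

```fortios
# Expose management only on the dedicated interface, and only the needed protocols
config system interface
    edit "mgmt"
        set allowaccess ping https ssh
    next
    edit "port1"
        set allowaccess ping          # no GUI/SSH on the WAN-facing port
    next
end

# Lock out after repeated failures and expire idle sessions
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admintimeout 10
end

# A read-only profile for auditors (RBAC); super_admin is built in
config system accprofile
    edit "audit_readonly"
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
    next
end

# Named local admins: trusted hosts, least-privilege profile, FortiToken 2FA
config system admin
    edit "alice"
        set trusthost1 10.10.0.0 255.255.255.0       # assumed management subnet
        set trusthost2 10.10.50.5 255.255.255.255    # assumed jump host
        set accprofile "super_admin"
        set vdom "root"
        set password "REPLACE-WITH-STRONG-PASSWORD"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"            # assumed token serial
        set email-to "alice@example.com"             # activation e-mail
    next
    edit "auditor"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "audit_readonly"
        set vdom "root"
        set password "REPLACE-WITH-STRONG-PASSWORD"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"            # assumed token serial
        set email-to "auditor@example.com"
    next
end

# Log admin logins and configuration changes
config log eventfilter
    set event enable
    set system enable
    set user enable
end
```

The trusted-host check is evaluated before the password, so a login attempt from outside `trusthost1`/`trusthost2` is refused even with valid credentials. Keep the number of `super_admin` accounts to the minimum and give every other operator a profile such as `audit_readonly`.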
Remote Server Accounts
What are Remote Authentication Servers
External systems for authentication
Centralized identity management
LDAP Authentication
Queries Active Directory or another LDAP directory with a bind account
Group-based access control via directory group membership
RADIUS Authentication
FortiGate sends an Access-Request to the RADIUS server, protected by a shared secret
Server validates credentials and answers Access-Accept or Access-Reject
Use Cases
Administrator authentication
SSL VPN users
Wi-Fi and firewall user authentication
Benefits
Centralized user management
Easy onboarding and offboarding
Scales well for large organizations
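An added example (not from the original notes) of wiring both server types into FortiGate and using a directory group for administrator login. Server addresses, the bind account, the group DN and the secrets are assumed placeholders.

```fortios
# LDAP (Active Directory) over LDAPS, bound with a low-privilege service account
config user ldap
    edit "corp-ad"
        set server "10.10.0.20"                      # assumed domain controller
        set secondary-server "10.10.0.21"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,ou=Service Accounts,dc=corp,dc=example,dc=com"
        set password "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        set secure ldaps
        set port 636
    next
end

# RADIUS server (for example Windows NPS); use a unique shared secret per client.
# PAP is needed when the OTP is appended to the password field.
config user radius
    edit "corp-nps"
        set server "10.10.0.30"                      # assumed RADIUS server
        set secret "REPLACE-WITH-LONG-RANDOM-SECRET"
        set auth-type pap
    next
end

# Map directory groups to FortiGate user groups
config user group
    edit "FW-Admins"
        set member "corp-ad"
        config match
            edit 1
                set server-name "corp-ad"
                set group-name "CN=FW-Admins,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
    edit "VPN-Users"
        set member "corp-nps"
    next
end

# Wildcard admin: any member of FW-Admins logs in with their own AD credentials
config system admin
    edit "FW-Admins"
        set remote-auth enable
        set remote-group "FW-Admins"
        set wildcard enable
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0       # assumed management subnet
    next
end
```

Two caveats. A wildcard admin has no FortiGate-side FortiToken, because each login is a different directory user; enforce the second factor on the RADIUS/identity server or create named remote admins instead. And keep one local break-glass account with tight trusted hosts and 2FA, or a directory outage locks everyone out of the firewall.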
Authentication Policies
What are Authentication Policies
Force users to authenticate before accessing resources
Active Authentication
User is redirected to login page
User manually enters credentials
Common for web access and captive portals
Passive Authentication
User authenticated automatically
No login prompt
Uses Windows AD logon events collected by Fortinet Single Sign-On (FSSO)
Active vs Passive Authentication
Active – visible and interactive
Passive – transparent to user
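An added example (not part of the original notes) of one active and one passive authentication policy side by side. It assumes the LDAP server `corp-ad` is already defined, `port2` is the LAN and `port1` the Internet side, and the collector-agent address, group DN and password are placeholders.

```fortios
# Active authentication: HTTP/HTTPS sessions that need a group are redirected
# to the FortiGate login page; an authenticated session lasts auth-timeout minutes
config user setting
    set auth-type http https
    set auth-timeout 480
end

config user group
    edit "Staff"
        set member "corp-ad"                         # LDAP server assumed to exist
    next
end

# Passive authentication: FortiGate learns AD logons from the FSSO collector
# agent, so users it already knows get no prompt at all
config user fsso
    edit "dc-collector"
        set server "10.10.0.40"                      # assumed collector agent
        set password "REPLACE-WITH-AGENT-PASSWORD"
    next
end

config user group
    edit "FSSO-Staff"
        set group-type fsso-service
        set member "CN=Staff,OU=Groups,DC=corp,DC=example,DC=com"
    next
end

# Order matters: the passive (FSSO) policy is evaluated first; users the
# collector has not seen fall through to the active policy and get the portal
config firewall policy
    edit 10
        set name "LAN-to-Internet-sso"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-Staff"
        set nat enable
        set logtraffic all
    next
    edit 11
        set name "LAN-to-Internet-captive-portal"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "Staff"
        set nat enable
        set logtraffic all
    next
end
```

Both policies log all traffic, so the user name appears in the forward-traffic log either way; the difference the user sees is only whether a login page is shown.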
Two-Factor Authentication (2FA)
What is 2FA
Combines two authentication factors
Something you know (password) plus something you have (hardware token or mobile device)
Why 2FA is Important
A stolen, phished or reused password alone is not enough to log in
Prevents unauthorized access
Where 2FA is Used
Administrator login
SSL VPN access
Firewall user authentication
Security Benefits
A guessed or brute-forced password is useless without the second factor
Improves overall security posture
FortiToken
What is FortiToken
Fortinet One-Time Password solution
Used for 2FA
Time-Based OTP
OTP changes every 30 or 60 seconds
Derived from a shared secret and the current time (TOTP), so both sides need synchronized clocks
FortiToken Mobile
Mobile app-based token
No hardware token required
Push Notifications
Login approval sent to mobile device
User approves or denies access
Where FortiToken Is Used
Admin GUI and SSH access
SSL VPN authentication
User authentication policies
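An added example (not from the original notes) of assigning a FortiToken Mobile to a firewall user and requiring that 2FA-enabled group for SSL VPN. The user name, e-mail address, token serial and interface are assumed placeholders.

```fortios
# Local user with FortiToken Mobile: password + OTP, or push approval in the app
config user local
    edit "jdoe"
        set type password
        set passwd "REPLACE-WITH-STRONG-PASSWORD"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000002"            # assumed token serial
        set email-to "jdoe@example.com"              # activation e-mail
    next
end

config user group
    edit "VPN-2FA"
        set member "jdoe"
    next
end

# Only members of the 2FA-enabled group reach the SSL VPN portal
config vpn ssl settings
    set source-interface "port1"                     # assumed WAN interface
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN-2FA"
            set portal "full-access"
        next
    end
end
```

The token must be activated in the FortiToken Mobile app before the first login; until then the account fails authentication, which is the safe default.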
NTP Server Importance
What is NTP
Network Time Protocol
Synchronizes time across devices
Why NTP Is Critical for 2FA
OTP depends on accurate time
FortiGate and token clocks must agree within the allowed drift window, or the OTP is rejected
Issues Without Proper NTP
OTP authentication failure
Users cannot log in
2FA appears broken
Best Practices
Configure reliable NTP servers
Use multiple NTP sources
Monitor time synchronization
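An added example (not from the original notes) of the NTP configuration and the checks to run before blaming the tokens. The server names are assumed placeholders.

```fortios
# Synchronize the FortiGate clock from more than one source, every 60 minutes
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    config ntpserver
        edit 1
            set server "10.10.0.10"                  # assumed internal NTP server
        next
        edit 2
            set server "ntp.example.com"             # assumed second source
        next
    end
end

# Verify before troubleshooting OTP failures: current date/time and sync state
execute date
execute time
diagnose sys ntp status
```

If `diagnose sys ntp status` shows no reachable server, fix the time source first; a FortiGate that is minutes out of step rejects every valid OTP, and the symptom looks exactly like a misconfigured token.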