Multi-Factor Authentication (2FA/MFA) for Fortinet FortiMail – RADIUS

Last updated on September 1, 2025

Overview of MFA for Fortinet FortiMail

This documentation describes how to integrate Rublon MFA with Fortinet FortiMail using the RADIUS protocol to enable multi-factor authentication for logins to FortiMail.

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
WebAuthn/U2F Security Key	–	N/A
Passcode	✔	N/A
SMS Passcode	–	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	–	N/A
Email Link	✔	N/A
YubiKey OTP Security Key	✔	N/A

Before You Start Configuring MFA for Fortinet FortiMail using RADIUS

Before configuring Rublon MFA for Fortinet FortiMail:

• Ensure you have prepared all required components.
• Create an application in the Rublon Admin Console.
• Install the Rublon Authenticator mobile app.

Required Components

1. User Identity Provider (IdP) – You need an external Identity Provider, such as FreeRADIUS or Microsoft NPS.

2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already, and configure the Rublon Authentication Proxy as an RADIUS proxy.

3. Fortinet FortiMail  – A properly installed and configured Fortinet FortiMail v7.0, v7.2, v7.4, v7.6, or newer.

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application. 

3. Enter a name for your application (e.g., FortiMail) and then set the type to Rublon Authentication Proxy.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy the values of System Token and Secret Key of the newly created application. You will need them later.

Install Rublon Authenticator

Some end-users may use the Rublon Authenticator mobile app. So, as a person configuring MFA for Fortinet FortiMail, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for Fortinet FortiMail via Mobile Push.

Download the Rublon Authenticator for:

• Android
• iOS
• HarmonyOS

Configuring Multi-Factor Authentication (MFA) for Fortinet FortiMail using RADIUS

Rublon Authentication Proxy

Edit the Rublon Auth Proxy configuration file and paste the previously copied values of System Token and Secret Key in system_token and secret_key, respectively.

2. In RADIUS proxy server settings, set force_message_authenticator to false. (This is because Fortinet FortiMail currently does not validate the Message-Authenticator attribute in RADIUS responses.)

3. Config example file in YAML:

log:
  debug: true

rublon:
  api_server: https://core.rublon.net
  system_token: YOURSYSTEMTOKEN
  secret_key: YOURSECRETKEY

proxy_servers:
- name: RADIUS-Proxy
  type: RADIUS
  radius_secret: YOURRADIUSSECRET
  ip: 0.0.0.0
  port: 1812
  mode: standard
  auth_source: RADIUS_SOURCE_1
  auth_method: push, email
  rublon_section: rublon
  force_message_authenticator: false

auth_sources:
- name: RADIUS_SOURCE_1
  type: RADIUS
  ip: 192.0.2.10
  port: 1812
  radius_secret: YOURRADIUSSECRET
  timeout: 10
  retries: 3

FortiMail

Creating a RADIUS Profile

1. Log in to the FortiMail admin panel.

2. Select View (eye icon) in the upper-right corner and change it from Simple to Advanced.

3. Go to Profile → Authentication → RADIUS and select New….

4. Fill in information about a new RADIUS Server and select Create to create the server. Refer to the following image and table. Keep the default values of options not listed in the table.

Name	An easily recognizable name for your RADIUS server.
Server name/IP	The IP Address of the Rublon Auth Proxy.
Server port	1812 (Default for RADIUS)
Protocol	Password Authentication
NAS IP/Called station ID	0.0.0.0
Server secret	The RADIUS Secret shared between Rublon Auth Proxy and Fortinet FortiMail (the same you set in Rublon Auth Proxy’s config file’s radius_secret)

Enabling MFA for Administrators

1. Go to System → Administrator → Administrator and select New… (or double-click an existing admin to edit).

2. Fill in information about a new administrator and select Create to add that admin (or OK to edit an existing admin). Refer to the following image and table. Keep the default values of options not listed in the table.

Administrator	Enter a name for the administrator. Make sure this name is the same as the name in the Identity Provider (IdP).
Authentication type	RADIUS
RADIUS profile	The profile you have previously created.

Enabling MFA for Users

If you are using FortiMail in Server mode, you should also enable multi-factor authentication for users accessing FortiMail.

1. Go to Domain & User → Domain and select New… (or double-click an existing domain to edit).

2. Enter the Domain name if you are creating a domain.

3. In User profile, select the RADIUS profile you have previously created.

4. Select Create or OK to save changes.

Adjusting Timeout

The default authentication timeout is short, so you need to increase it to have more time to confirm the second factor from Rublon. This can be done via CLI Console using the following commands:

config system global
set remote-auth-timeout 60
end

Testing Multi-Factor Authentication (MFA) for Fortinet FortiMail Integrated Via RADIUS

This example portrays logging in to Fortinet FortiMail with Rublon Multi-Factor Authentication. Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).

1. Log in to FortiMail as a user by entering your name and password and clicking Log In.

2. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

3. You will be logged in to Fortinet FortiMail.

Troubleshooting MFA for Fortinet FortiMail Using RADIUS

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations