Daniel__
New Member
September 19, 2018
Question

Chained token authentication with remote RADIUS server


So, I have a bit of a dilemma: the FortiAuthenticator does a good job in authenticating and all, and I am trying to increase the OTP possibilities by introducing chained authentication from the same RADIUS source.

I have a RADIUS source that I would like to use for Chained Auth, but this source is already set up (with IP) doing AD authentication and OTP forced.

 

If I change the setting to chained authentication, the FortiAuthenticator will require two OTPs; this is not what I want.

If I remove the force and set it to apply two-factor if available, the user with no token gets forwarded to the chained auth and all is good. However, users that have a token will still get both OTPs as a requirement.

So the question quickly becomes: is there a way to mix these settings?


    xsilver_FTNT
    Staff
    September 19, 2018

    Well, I'm a bit confused.

    It seems to me you already have 2FA via OTP (probably on FortiAuthenticator {FAC}, and so probably via FortiToken of some sort), and now you want to get rid of 2FA on FAC because you desperately want to use 'chained' authentication to the source which now offers OTP 2FA as well? Sorry, but this makes little sense to me, unless you do not have tokens for all users on FAC, so you would need to acquire (purchase) some, and that other source offers tokens cheaper or for free.

    So how about setting that source with a secondary IP, to be able to define it as a possible source for chained auth?

    And how about distinguishing between users who will use 2FA from FAC and those who use the other OTP source, all that via, for example, a group membership filter in the RADIUS Client, or via RADIUS Client profiles. Or disable even the possible use of 2FA on FAC, even if the user has a token, and move all the users to that other OTP source and do the chaining for all of them. Or simplify your life by purchasing a bundle of FortiToken Mobile tokens and extend what you already have ready, tested and working. There certainly are possibilities.

    Daniel__ (Author)
    New Member
    September 20, 2018

    The FortiAuthenticator does a good job in AD Authentication, supporting password change over FortiClient and other neat things, the FortiToken Mobile works well and all that goodness.

    What it does not do well is supporting third-party tokens (except for YubiKey in TOTP mode), and this would be good to have in my case as there are already a bunch of token variants present in the Organisation.

    I sorted it with different profiles on the RADIUS Clients, some realms doing chained auth and the others not.
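The thread above reasons about three FortiAuthenticator RADIUS-client setups: chained auth with OTP forced (every user gets two OTP prompts), chained auth with two-factor "if available" (token holders still get two prompts), and the per-realm profile split the author settled on. The following is an added, constructed model of that decision logic, written for this page; it is not FortiAuthenticator code or Fortinet's policy engine, and the `Profile`, `User`, `otp_prompts`, `select_profile` and `evaluate` names, the realm names `fac` and `thirdparty`, and the sample users are all assumptions made up for the illustration. What it shows is why the double prompt appears and how routing by realm removes it: FAC's own token prompt and the remote source's OTP prompt are independent, so the only way to get exactly one prompt per user is to make sure each user hits a profile that enables only one of them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class TwoFactor(Enum):
    """FAC's per-client two-factor setting, as described in the thread."""
    FORCED = "forced"               # FAC always asks for its own token
    IF_AVAILABLE = "if_available"   # FAC asks for its token only if the user has one
    DISABLED = "disabled"           # FAC never asks for its own token


@dataclass(frozen=True)
class Profile:
    """A RADIUS client profile: FAC two-factor setting plus chained-auth flag.
    Hypothetical structure for this illustration, not FAC's own data model."""
    name: str
    two_factor: TwoFactor
    chained_auth: bool  # forward to the remote RADIUS source, which enforces its own OTP


@dataclass(frozen=True)
class User:
    name: str
    realm: str           # realm of the login; the realm names below are constructed
    has_fac_token: bool  # whether FAC has a FortiToken assigned to this user


def otp_prompts(user: User, profile: Profile) -> List[str]:
    """Return the ordered OTP prompts a user would see under a profile.

    Modelling assumptions taken from the thread: chained auth always adds the
    remote source's OTP prompt; FAC adds its own prompt according to the
    two-factor setting. FORCED with no token is kept in the list so the caller
    can see the user cannot satisfy it (a real FAC would reject the login).
    """
    prompts: List[str] = []
    if profile.two_factor is TwoFactor.FORCED or (
        profile.two_factor is TwoFactor.IF_AVAILABLE and user.has_fac_token
    ):
        prompts.append("fac-token")
    if profile.chained_auth:
        prompts.append("remote-radius-otp")
    return prompts


def select_profile(user: User, realm_profiles: Dict[str, Profile]) -> Profile:
    """Per-realm profile selection: the approach the original poster settled on."""
    try:
        return realm_profiles[user.realm]
    except KeyError:
        raise ValueError(f"no RADIUS client profile for realm {user.realm!r}")


def evaluate(users: List[User], realm_profiles: Dict[str, Profile]) -> Dict[str, List[str]]:
    """Map each user to the prompts they see under realm-based profile selection."""
    return {u.name: otp_prompts(u, select_profile(u, realm_profiles)) for u in users}


# Constructed sample users: one with a FortiToken on FAC, one carrying a
# third-party token that only the remote RADIUS source can validate.
ALICE = User("alice", realm="fac", has_fac_token=True)
BOB = User("bob", realm="thirdparty", has_fac_token=False)

# The two single-profile configurations from the question ...
CHAINED_FORCED = Profile("chained+forced", TwoFactor.FORCED, chained_auth=True)
CHAINED_IF_AVAIL = Profile("chained+if-available", TwoFactor.IF_AVAILABLE, chained_auth=True)

# ... and the per-realm split: FAC tokens stay local, third-party tokens are chained.
REALM_PROFILES = {
    "fac": Profile("fac-only", TwoFactor.IF_AVAILABLE, chained_auth=False),
    "thirdparty": Profile("chained-only", TwoFactor.DISABLED, chained_auth=True),
}

if __name__ == "__main__":
    for profile in (CHAINED_FORCED, CHAINED_IF_AVAIL):
        for u in (ALICE, BOB):
            print(f"{profile.name:22} {u.name:6} -> {otp_prompts(u, profile)}")
    for name, prompts in evaluate([ALICE, BOB], REALM_PROFILES).items():
        print(f"{'per-realm':22} {name:6} -> {prompts}")
```

Running it prints two prompts for every user under the forced profile, two for the token holder and one for the token-less user under "if available", and exactly one prompt per user once profiles are chosen by realm. The model deliberately keeps the two prompt sources independent, because that independence is the whole reason a single shared profile cannot satisfy both user populations.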

    rpedrica
    Visitor III
    July 27, 2019

    @Daniel, could you give an example of your config for chained auth?