Toshi_Esumi, SuperUser
January 31, 2022
Solved

FortiToken Mobile for multiple FortiGate servers

Does anyone know if using one FortiToken Mobile app with two or more FortiGates for SSL VPN is possible? I mean WITHOUT FortiAuthenticator.
We have multiple SSL VPN entry points in our nation-wide network. But now we want to use FortiToken Mobile. The gotcha is we don't have FortiAuthenticator for remote authentication. So we need to buy multiple tokens for all FortiGates. But I'm not sure if this even works with one smartphone per user.

Toshi


Toshi_Esumi, SuperUser (author, accepted answer)
February 1, 2022

I just wanted to update what kind of answers I got through Reddit when I posted the same question there. I hope this is not violating the policy of this forum.

The direct answer to my question was "Yes, one app can handle multiple tokens from multiple FortiGates". One guy even shared his app's screenshot for two FGTs with me. And further, another guy recommended FortiToken Cloud, which seems to accommodate multiple FortiGates for the same token, which might be ideal for us. I need to learn how each option would work, including with FortiAuthenticator.

Debbie_FTNT, Staff & Editor
February 1, 2022

If you have questions about FortiAuthenticator, you are welcome to let me know, I deal a lot with that product :)

Not so much with FortiToken Cloud, but I can provide a little info on that as well.

Toshi_Esumi, SuperUser
February 1, 2022

I heard a Win AD could be put behind FAC. But we don't want to do that, and would use FAC only for the FortiToken 2nd factor part. It's possible, right? I'm guessing it has more features, and of course multi-tenancy would be one of them.

Debbie_FTNT, Staff & Editor
February 3, 2022

If you want to use FAC for the 2FA part, and user credentials are in AD, you would essentially use FAC as a proxy to AD:

-> authenticate users to FAC via RADIUS
-> FAC forwards user credentials to AD for checking
-> if AD returns an 'OK', FAC asks for the token or sends a push notification (FAC can also be set to ask for the token even if credentials are invalid, to avoid giving away information)
-> once this is successful, FAC sends 'OK' to FGT
-> user is authenticated

There are options to authenticate via SAML instead of RADIUS, to chain authentication to another proxy, to integrate FAC with FSSO (it can act as Collector Agent), and a number of other features.
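
To make the proxy flow above concrete, here is an added Python model of it (not Fortinet code and not a claim about how FAC is implemented internally). It assumes a TOTP-style token (RFC 6238) for FortiToken Mobile and uses constructed sample AD users and token seeds; the `always_ask_token` switch models the "ask for the token even if credentials are invalid" option and shows why it keeps a bad password and a bad token indistinguishable to the client.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample directory standing in for AD (example data only).
AD_USERS = {"alice": "CorrectHorse!"}
# Constructed per-user seeds standing in for enrolled FortiToken Mobile tokens
# (assumption: TOTP-style OTP; real token provisioning is out of scope here).
TOKEN_SEEDS = {"alice": b"0123456789abcdef0123"}


def totp(seed, t=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1; t is a Unix timestamp (default: now)."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def ad_check(user, password):
    """Stand-in for FAC forwarding the credentials to AD (step 2 of the flow)."""
    return AD_USERS.get(user) == password


def fac_authenticate(user, password, otp_prompt, always_ask_token=True, t=None):
    """Model of FAC acting as a RADIUS proxy in front of AD.

    otp_prompt is a callable returning the code the user enters when FAC
    challenges for the token (Access-Challenge) or after a push.
    Returns (verdict sent to the FGT, whether a token was requested).
    """
    cred_ok = ad_check(user, password)
    if not cred_ok and not always_ask_token:
        # Rejecting before the token step tells the client the password was wrong.
        return "Access-Reject", False
    code = otp_prompt()
    seed = TOKEN_SEEDS.get(user)
    # Constant-time compare; unknown users get no seed and therefore never pass.
    token_ok = seed is not None and hmac.compare_digest(code, totp(seed, t))
    return ("Access-Accept" if (cred_ok and token_ok) else "Access-Reject"), True
```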

Toshi_Esumi, SuperUser
February 3, 2022

So you're saying it's not possible to keep the current remote authentication method with another 3rd-party RADIUS (could be FreeRADIUS) or TACACS+, which we use for a subset of SSL VPN users, while FortiToken Mobile uses FAC and all FGTs ask FAC the same. Correct? We need this ONLY for SSL VPN 2nd factor auth. We won't use it for any SSOs.