Yngve0
New Member
February 17, 2015
Solved

Multi-assignment for FortiToken Mobile

  • February 17, 2015
  • 4 replies
  • 22889 views

I am considering using FortiToken two-factor authentication for both administrative and SSL-VPN authentication.

So far, so good. But the problem is that I, as a sysadmin, need to have both an administrative account and a VPN account on the unit. There are also 5 branch offices with FortiGates where I need an administrative account too.

And here is the problem: it seems there is a one-to-one-to-one relationship between accounts, FortiToken and mobile phone. I can only have one FortiToken on my phone, and one FortiToken cannot be assigned to both a VPN account and an administrative account, neither on the same device nor across devices.

 

Any good solutions or workaround here?

    Best answer by dred_FTNT

    4 replies

    xsilver_FTNT
    Staff
    February 18, 2015

    Hello,

    Your observations are almost correct.

    1. A mobile token is bound to a license pack, and like any license, this pack is bound via the activation process to the serial number of the unit (or cluster) from which the license was activated. Therefore you are not allowed to use the same mobile token on another unit (unless this other unit is a cluster member with the original requester and license holder). Regardless of whether you copy config parts, it will not work, as all token management (user assignment etc.) is done through the FortiGuard/FortiCare global network, which serves as a universal meeting point between FortiGate units and mobile devices.

    2. With FortiToken Mobile you are not able to assign one token to two entities like a local user and an admin account. But you can do so with the FortiToken 200 or 200-CD model. However, this use of the 200 model line is limited to just one admin and one user combination; the same token cannot be assigned to multiple users at the same time.

    3. The solution for the same token on multiple FortiGate units is the use of the FortiToken 200 or, better, the 200-CD model.

    Model 200 is activated through FortiGuard, and once activated the token is locked on FortiGuard by a one-time activation lock. No one can activate the same token on another unit, not even from the same unit, unless the lock is administratively released by a Fortinet TAC engineer. So you can activate the token on FortiGate-A and then via ticket ask for lock release (we need to know the token SN and the last activation unit SN (if possible)). After the lock is released you will be able to make one more activation on the FortiGate-B unit. Repeat the release-activate process as many times as needed.

    Model 200-CD has all needed data distributed with the token on media like a CD. Therefore the token seed is not stored in any publicly accessible database, no online activation and access to FortiGuard is needed, and therefore no protective lock is applied. You need just the CD and then you can activate the token via CD on any number of FortiGate units.

    Hope it's a bit clearer now.

    Yngve0 (Author)
    New Member
    February 24, 2015

    Hi and thanks for the response. My experience is based on the FortiToken Mobile service on a FortiGate, not the FortiToken appliance.

    As long as I can't use FortiToken Mobile to secure both administrative access to my whole FGT environment (6 locations) and user/VPN access, the product makes no sense for me.

    I find this limitation illogical and hope this will be solved during development of the product.

     

    Yngve

    xsilver_FTNT
    Staff
    February 24, 2015

    I'm afraid that this limitation is intended design. It makes the environment stronger, as a single token compromise does not affect the whole network.

    Multi-host use of a token does make sense with hardware tokens, as you are not going to carry a whole keyring full of tokens. But a mobile token is just an app on your telephone, and it can contain multiple software tokens, so you still carry one device.

    FTGmaster
    New Member
    March 19, 2015

    Hi

     

    It could be useful for us too. We can't buy a FortiAuthenticator (it's not a smart and economical solution) for a couple or up to 4-5 FGT units. We would like 'FortiToken Mobile' to be assignable to more than one FortiGate.

     

    xsilver_FTNT
    Staff
    March 19, 2015

    You can definitely get in touch with our sales and open an NFR (new feature request), but as I said, a mobile token (single token) is part of a bundle, that bundle has a license SN (serial number), and that bundle SN is (like almost any other license) bound to the SN of the unit where it is used. The only possibility to have a single mobile token license on multiple units is to cluster the FGT units; then all the members will share the license.

    As you can carry multiple mobile tokens inside a single FortiToken Mobile app (I have some 6 tokens on iOS 8), I do not see any limitation for the tokens and units. Simply have a different token on each FGT unit and all of them in a single mobile phone app.

    As you would have different tokens, it makes admin access stronger and more secure, as if a single token gets compromised you are not losing access to all the units; just one is endangered.

    If you want a single token on multiple devices and do not want to centralize the access (FortiAuthenticator), then I would go with the FortiToken 200 or even the 200-CD hardware model. A single token activated on multiple FortiGate units.
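The difference xsilver_FTNT describes between one hardware token activated on several units and a distinct mobile token per unit comes down to which verifiers hold a given token's seed. The following Python model is an added illustration, not Fortinet code; it assumes the token is a standard RFC 6238 TOTP token (HMAC-SHA1, 30-second step) and uses constructed seeds, with `Unit` standing in for one FortiGate's local token store.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6
DRIFT = 1      # accept one step of clock skew either way


def totp(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Unit:
    """One verifier (hypothetical stand-in for a FortiGate) and the seeds it was provisioned with."""

    def __init__(self, name: str):
        self.name = name
        self.seeds = {}  # username -> token seed

    def assign_token(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        for skew in range(-DRIFT, DRIFT + 1):
            if hmac.compare_digest(totp(seed, now + skew * STEP), code):
                return True
        return False


def demo(now: int = 1424217600) -> dict:
    # Constructed seeds, not real token material.
    shared_seed = b"\x01" * 20    # one seed provisioned on several units (200-CD style)
    per_unit_seed = b"\x02" * 20  # a separate token for one unit (one mobile token per FGT)
    fgt_a, fgt_b, fgt_c = Unit("FGT-A"), Unit("FGT-B"), Unit("FGT-C")
    fgt_a.assign_token("admin", shared_seed)
    fgt_b.assign_token("admin", shared_seed)
    fgt_c.assign_token("admin", per_unit_seed)
    code = totp(shared_seed, now)  # what the single shared token displays right now
    # Units holding the shared seed accept it; the unit with its own token does not,
    # which is exactly the blast-radius trade-off discussed above.
    return {u.name: u.verify("admin", code, now) for u in (fgt_a, fgt_b, fgt_c)}
```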

    FortiRack_Eric
    New Member
    March 20, 2015

    The workaround is to connect via SSL-VPN to the main unit via token and have an IPsec network to the other units.

    Otherwise FortiAuth is the way to go. Compared to other solutions it's a really cost-effective solution.

    pruch_FTNT
    Staff
    September 23, 2015

    Is there a limit on the number of tokens which can be integrated in the mobile app?

    I have a customer who asks if he can have more than 15 different tokens inside his mobile app....

     

    Regards

    Patrick

    PaulW
    New Member
    May 23, 2018

    It's an old topic, sorry to unearth it ;)

    Since 2014 until now, no possibility to have one mobile token for multiple FortiGate firewalls?

    I have to manage more than twenty firewalls around the world; it's not really easy to find which one is the one...

    Thanks, Paul

    dred_FTNT (Best answer)
    Staff
    May 15, 2019

    I recommend you take a look at the new FortiToken Cloud service (FTC), available if you are running FOS 6.2 or later. It is a perfect fit for your scenario. You can try it anyway for free (https://ftc.fortinet.com). With the current version of FTC, you can use the same token issued by FTC for all your FGT admin instances across multiple FGT devices and VPN user instances across multiple FGT devices/VDOMs, as long as the username in the FGT is the same.

    In an upcoming release we will allow the FTC customer to designate when the same username should be treated as a different FTC user if in multiple FGTs/VDOMs. But, as I said, the current version is tailor-made for what you need.