cbabfat
Visitor III
May 5, 2017
Solved

Push Authentication

  • May 5, 2017
  • 2 replies
  • 27068 views

What firewall ports are used for push authentication?

We use Cisco AnyConnect and use the FortiAuth for 2 factor.  If the users phone is on the corporate network, then it will communicate with the FortiAuthenticator for 2 factor with push messages.  If the phone is connected to the public network, then it fails.  Where are the server name settings specified that the app is going to use to communicate back to the Authenticator?

 

SOMEBODY has to have the detailed process.  My support ticket has been open for over a week with no response.

 

Chris


    2 replies

    emnoc
    New Member
    May 5, 2017

    I believe it's via HTTPS; you could easily diagnose this by doing a capture from the FA to the phone while on-network.

     

    tanr
    New Member
    May 6, 2017

    I think they use TCP 2196 (Apple/Android push services) per https://forum.fortinet.com/tm.aspx?m=146690.

    make
    New Member
    June 13, 2017

    Hi Chris,

     

    I have the same problem. Have you received any answers from Fortinet Support, or have you found a solution?

    cbabfat (Author, Answer)
    Visitor III
    June 13, 2017

    This is what I got:

     

    Hi, sorry for the delay. FortiToken Mobile (FTM) push authentication does not work when the port "Public IP/FQDN for FortiToken Mobile" in System > Administration > System Access is changed to anything besides 443 (e.g. 10443). If FAC is behind an upstream device, kindly make sure to forward the ports 2195, 5223 and 2196 to the FAC IP.

    guillaume66
    New Member
    July 21, 2017

    Hi,

    Has anybody managed to use the push feature?

     

    I managed, using FAC 4.3.0 build 222, to send an iOS push to the phone.

    On the phone, clicking Approve replies with a "request approved" message,

    but I am not sure how FAC will notify my RADIUS client that the auth has been approved.

     

    My setup (lab):

    - VM FAC 4.3.0 build 222 (I tried to upgrade to 5.0.0 with the actual config being migrated, but push was not working anymore; to be tested once again later)

    - iOS FortiToken Mobile 4.1.1 (up to date)

    - RADIUS client = NTRadPing, with FTM push authentication enabled on this RADIUS client.

     

    I did some Wireshark on the NTRadPing PC.

    Here are the steps:

    - Access-Request from NTRadPing to FAC (OK)

    - Access-Challenge from FAC to NTRadPing (OK)

    - I receive the push on the phone (sent from FAC to the Apple servers on port tcp/2195)

    - I accept on the phone (sending the reply to FAC via the IP and port configured in FAC (menu described by cbabfat))

    - nothing more ... no Access-Accept received from FAC at NTRadPing (even using Wireshark ...)

     

    If I do the same using NTRadPing but sending back the token code via NTRadPing, I can see the Access-Accept from FAC to NTRadPing: auth is working fine (be aware of a small trick in NTRadPing to send the token code back: https://support.secureauth.com/hc/en-us/articles/115000594347-How-To-Test-RADIUS-Using-NTRadPing )

     

    Is anyone using this FAC push feature?

    Is anyone using this with FGT, or with non-Fortinet devices like a third-party SSL gateway?

     

    thanks,

    regards,

    Guillaume
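
The RADIUS challenge/response exchange Guillaume traced above (Access-Request, Access-Challenge carrying a State attribute, a second Access-Request that must echo that State together with the token code, then Access-Accept) as an added worked example; this is not code from the thread or from Fortinet. It is a minimal RFC 2865 client in pure-stdlib Python plus a simulated server that stands in for FAC only as far as State handling goes; it does not model FAC's push logic. The shared secret, user name, PIN and token code are constructed test values, and the server's behaviour (first factor answered with a challenge, second factor accepted only when State is echoed) is an assumption about a generic RADIUS server, not a statement about FAC.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password; the mask chain is driven by the ciphertext blocks.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_request(ident, secret, username, password, state=None):
    # Access-Request with a fresh random Request Authenticator; State is echoed when given.
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, authenticator))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code, request, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body

def parse_response(packet, request, secret):
    # Client side: check identifier and Response Authenticator, return (code, state, attrs).
    if packet[1] != request[1]:
        raise ValueError("identifier mismatch")
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered packet)")
    attrs = decode_attrs(packet[20:])
    state = next((v for t, v in attrs if t == STATE), None)
    return packet[0], state, attrs

def simulated_server(request, secret, user, pin, otp, sessions):
    # Assumed generic server behaviour (not FAC's code): first factor -> Access-Challenge
    # with State; the second factor is accepted only if that State is echoed back.
    attrs = dict(decode_attrs(request[20:]))
    name = attrs.get(USER_NAME)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    state = attrs.get(STATE)
    if state is None:
        if name != user or password != pin:
            return build_response(ACCESS_REJECT, request, secret, [])
        new_state = os.urandom(8)
        sessions[new_state] = name
        return build_response(ACCESS_CHALLENGE, request, secret,
                              [(STATE, new_state), (REPLY_MESSAGE, b"Enter token code")])
    if sessions.pop(state, None) != name or password != otp:
        return build_response(ACCESS_REJECT, request, secret, [])
    return build_response(ACCESS_ACCEPT, request, secret, [])

def challenge_flow(secret, user, pin, otp, echo_state=True):
    # Run the two-step exchange; returns the final RADIUS code the client receives.
    sessions = {}
    req1 = build_request(1, secret, user, pin)
    code, state, _ = parse_response(simulated_server(req1, secret, user, pin, otp, sessions), req1, secret)
    if code != ACCESS_CHALLENGE:
        return code
    req2 = build_request(2, secret, user, otp, state=state if echo_state else None)
    code, _, _ = parse_response(simulated_server(req2, secret, user, pin, otp, sessions), req2, secret)
    return code
```

Calling `challenge_flow(b"s3cret", b"chris", b"pin1234", b"123456")` walks the full exchange and ends in Access-Accept (code 2); the same call with `echo_state=False` sends the token code without the State attribute and is rejected, which is the failure a tester hits when the client does not copy State from the challenge into the second request. `parse_response` also shows why a wrong shared secret on either side surfaces as "no valid reply" rather than an explicit error: the Response Authenticator check fails and the reply is discarded.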