Cybersecurity Forum

morjo
New Contributor

FortiAuthenticator and Cisco AnyConnect

Hi.
We are using Cisco AnyConnect for remote access. Right now we are using ClearPass username and password (RADIUS) and Duo for 2FA (RADIUS).

But I would like to use our new FortiAuthenticator to do the 2FA. I just changed the second RADIUS auth to the FAC and set up a RADIUS client with a RADIUS policy.

It works right now with the token mobile code but not with the push notification. The white papers I'm reading say that the second password should be empty, but then the FAC gives a "token code wrong".

Any ideas?

Thinking about using the FAC for both first auth and second auth if that works better.

Morten
dred_FTNT
Staff

For a third-party RADIUS client, FAC needs to see the string "push" in the password field of the RADIUS Access-Request to trigger FTM push. It will also work if FAC sees an empty password field, but even if there is no user input in response to the RADIUS Access-Challenge, we have seen that virtually every NAS/RADIUS client either doesn't allow a blank password field or returns some characters in that field. So, if the NAS/RADIUS client is capable of returning "push", FTM push will be triggered.

How FAC is designed to trigger a push to FTM in response to a RADIUS Access-Request from FOS (or another RADIUS client that can support this) is as follows:
FAC issues a challenge whose message begins with a "+" when the user has a push-capable token, and a "-" when they do not:
e.g. "+Enter token code or no code to send a notification to your FortiToken Mobile"
The exact string can be customized by the customer, but not the prefix. The presence of the "+" can be used to automatically trigger the challenge-response that sends the push.
David Redberg, Fortinet Product Manager
morjo

Hi David.

Thanks for the answer. I'm trying to troubleshoot it, because the only error I get is "wrong token code", even if I keep the second password blank or type "push" in the field. It's hard to troubleshoot because I can't see the password in the RADIUS :) I'll try to find some white paper on how the AnyConnect client sends the second password, because it works with our current 2FA (Duo).
jcherpeski
New Contributor

We are looking at doing the same thing, but we can't even get the mobile code to work. What white papers have you found?
morjo

Hi, I didn't use any white paper; I figured out the token code part myself.

What kind of error do you get?

Try typing https://ip_address/debug in the browser, then go to "push" and see what message you get.

And nothing new on the push part of AnyConnect; we are going to open a TAC case on that.

Morten
dred_FTNT

The NAS client (i.e. Cisco ASA) needs to recognize RADIUS AVP 18 in the RADIUS Access-Challenge and then return the string "Push" as the password in the RADIUS Access-Request to FAC. This is used to initiate a session to the Apple or Google push server for sending the push notification to the client.

David Redberg, Fortinet Product Manager
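The exchange David describes in both of his replies (FAC's Access-Challenge carrying a Reply-Message, AVP 18, whose first character is "+" or "-", followed by the NAS returning "push" in the password field of a new Access-Request) is modelled below as an added example. It is not Fortinet's, Cisco's or anyone in this thread's code: it builds and parses the RADIUS packets with the Python standard library only, including the RFC 2865 User-Password hiding and the Response Authenticator check a NAS should perform before trusting a challenge. The shared secret, username, State value and the challenge wording are constructed for the demo; it sends lowercase "push" as in the first reply, since the thread does not settle whether FAC's match is case-sensitive.

```python
# Added example (not Fortinet's or Cisco's code): a constructed RADIUS exchange showing
# how a NAS can detect FAC's "+" challenge prefix in Reply-Message (AVP 18) and answer
# with "push" in the User-Password field. Shared secret, username and State are made up.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                       # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types
PUSH_KEYWORD = b"push"                                         # what FAC looks for (per the thread)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Walk the attribute area; reject truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        typ, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((typ, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_packet(pkt):
    """Split a RADIUS packet into code, identifier, authenticator and attribute list."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return {"code": code, "id": ident, "auth": pkt[4:20], "attrs": parse_attrs(pkt[20:])}


def _pap_xor(data, secret, request_auth, hidden):
    """RFC 2865 5.2 User-Password hiding: per-block MD5(secret + previous block) keystream."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if hidden else res    # always chain on the hidden (ciphertext) block
    return out


def pap_encrypt(password, secret, request_auth):
    """Pad to a 16-byte multiple (at least one block, so an empty password still encodes)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _pap_xor(padded, secret, request_auth, hidden=False)


def pap_decrypt(hidden, secret, request_auth):
    return _pap_xor(hidden, secret, request_auth, hidden=True).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, state=None):
    """NAS side. Returns (packet, request_authenticator); the latter is kept to check the reply."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, pap_encrypt(password, secret, request_auth))]
    if state is not None:
        attrs.append((STATE, state))       # echo State so FAC can tie the answer to its challenge
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth


def build_access_challenge(ident, request_auth, secret, reply_message, state):
    """Server side (FAC here): code 11 carrying Reply-Message (18) and State (24)."""
    attrs = encode_attrs([(REPLY_MESSAGE, reply_message), (STATE, state)])
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(pkt, request_auth, secret):
    """Only a holder of the shared secret can produce a valid reply for this request."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def nas_answer_challenge(challenge, request_auth, secret, username):
    """Return ('push', follow-up request) if Reply-Message starts with '+', else ('prompt', None)."""
    if not verify_response_authenticator(challenge, request_auth, secret):
        raise ValueError("Access-Challenge failed authenticator check; dropped")
    p = parse_packet(challenge)
    if p["code"] != ACCESS_CHALLENGE:
        raise ValueError("expected Access-Challenge, got code %d" % p["code"])
    attrs = dict(p["attrs"])
    if attrs.get(REPLY_MESSAGE, b"").startswith(b"+"):
        pkt, _ = build_access_request((p["id"] + 1) & 0xFF, secret, username,
                                      PUSH_KEYWORD, attrs.get(STATE))
        return "push", pkt
    return "prompt", None                  # '-' prefix: no push token, the user must type a code


def demo(reply_message=b"+Enter token code or no code to send a notification to your FortiToken Mobile"):
    """End to end: first request, FAC challenge, NAS auto-reply; returns (decision, password FAC decrypts)."""
    secret, user = b"constructed-shared-secret", b"morten"   # constructed values
    first, first_auth = build_access_request(7, secret, user, b"primary-password")
    challenge = build_access_challenge(parse_packet(first)["id"], first_auth, secret,
                                       reply_message, b"sess-42")
    decision, followup = nas_answer_challenge(challenge, first_auth, secret, user)
    if followup is None:
        return decision, None
    q = parse_packet(followup)
    return decision, pap_decrypt(dict(q["attrs"])[USER_PASSWORD], secret, q["auth"])


if __name__ == "__main__":
    print(demo())   # ('push', b'push')
```

The useful part for this thread is `nas_answer_challenge`: it is the decision a real NAS (the ASA here) would have to take on its own, and the example only models that logic; whether a given NAS forwards the challenge text to AnyConnect, prompts the user, or substitutes its own string in the second password field is what determines the "token code wrong" result described above, and a packet capture of the second Access-Request's decrypted User-Password is the quickest way to see which of those is happening.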
jcherpeski

David, where is that at? On the ASA, the AnyConnect or the FAC?
dred_FTNT

The RADIUS Challenge is sent by the RADIUS server, which is the FAC in this case.
David Redberg, Fortinet Product Manager