FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Somashekara_Hanumant
Article Id 352575
Description This article describes whether the same OTP can be used on multiple devices at the same time.
Scope FortiAuthenticator.
Solution

Expectations, Requirements:

FortiAuthenticator as the RADIUS server and two FortiGates as RADIUS clients (any other RADIUS client can be used instead).

 

Configuration:

User configuration on FortiAuthenticator with 2FA (FortiMobile token):

[Image: user_token.png]

User group:

[Image: user_group.png]

 

FortiAuthenticator is configured as the RADIUS server for the two FortiGates as clients:

[Image: radius_client.png]

The RADIUS policy must include both of the above RADIUS clients in the same policy:

[Image: radius_client1.png]

[Image: radius_client2.png]

[Image: radius_client3.png]

[Image: radius_client4.png]

Also, make sure to enable 'Radius Auth' on the respective interface of the FortiAuthenticator:

[Image: interface_fac.png]

 

Configure RADIUS on both FortiGates as below:

[Image: FGT_radius.png]

 

config user radius
    edit "win_rad"
        set server "10.0.20.120"
        set secret ENC QuWAo4o
    next
end

 

User group configuration:

[Image: user_group_fgt.png]

 

config user group
    edit "radis_gp"
        set member "win_rad"
            config match
                edit 1
                    set server-name "win_rad"
                    set group-name "SSLVPN_Group"
                next
            end
    next
end

 

Admin user configuration:

[Image: system_admin.png]

 

config system admin
    edit "rad_usr"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "radis_gp"
    next
end

 

Repeat the same configuration on the other FortiGate.

 

Verification:

Try to authenticate on both FortiGates as the user 'test12'. The user receives an OTP prompt on both. Enter the OTP on the first FortiGate: the login succeeds. Then immediately enter the same OTP on the second FortiGate: the login fails.

 

The following FortiAuthenticator logs show the working and the failed login attempts.

Working:

[Image: logs.png]

Not working:

[Image: logs_failed.png]

 

Conclusion:

The token generates a one-time password (OTP) that becomes invalid once it has been used and cannot be reused. If the user submits the same token code again, authentication fails because that OTP has already been consumed. The user must wait for the next token code and authenticate with it.
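The following is an added, constructed model of the behaviour observed above; it is not FortiAuthenticator's code and assumes a time-based token (HOTP over a 60-second step, a constructed seed and the user 'test12' with a made-up password). It shows why the same code is accepted by the first RADIUS client and rejected by the second, and accepted again once the next code is issued.

```python
import hashlib
import hmac
import struct

class OtpRadiusServer:
    """Constructed model of a RADIUS server validating a time-based OTP with
    replay protection. Not FortiAuthenticator's own implementation."""

    def __init__(self, step=60, digits=6):
        self.step = step      # lifetime of one token code, in seconds
        self.digits = digits
        self.users = {}       # username -> {password, seed, last_counter}

    def add_user(self, username, password, seed):
        # last_counter records the most recent time step whose code was consumed
        self.users[username] = {"password": password, "seed": seed, "last_counter": -1}

    def token_code(self, username, now):
        """Code the user's mobile token shows at time `now` (HOTP over the time step)."""
        counter = int(now // self.step)
        digest = hmac.new(self.users[username]["seed"], struct.pack(">Q", counter),
                          hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{code % 10 ** self.digits:0{self.digits}d}"

    def authenticate(self, client, username, password, otp, now):
        """Handle an Access-Request from RADIUS client `client`; return (accepted, reason)."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return False, f"{client}: Access-Reject (bad credentials)"
        if not hmac.compare_digest(self.token_code(username, now), otp):
            return False, f"{client}: Access-Reject (invalid token code)"
        counter = int(now // self.step)
        if counter <= user["last_counter"]:
            # This time step's code was already consumed, e.g. by the other FortiGate.
            return False, f"{client}: Access-Reject (token code already used)"
        user["last_counter"] = counter   # consume the code
        return True, f"{client}: Access-Accept"

def demo(now=1_700_000_000):
    """Replay the article's test: same OTP on two FortiGates, then the next code."""
    server = OtpRadiusServer()
    server.add_user("test12", "Secret123!", b"constructed-seed")   # constructed values
    otp = server.token_code("test12", now)
    first = server.authenticate("FGT-1", "test12", "Secret123!", otp, now)       # accepted
    second = server.authenticate("FGT-2", "test12", "Secret123!", otp, now + 5)  # rejected
    nxt = server.token_code("test12", now + server.step)
    third = server.authenticate("FGT-2", "test12", "Secret123!", nxt, now + server.step)
    return first, second, third
```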