Created on 10-25-2024 02:52 AM Edited on 12-19-2024 12:36 AM By Anthony_E
Description | This article describes whether the same OTP can be used on multiple devices at the same time or not. |
Scope | FortiAuthenticator. |
Solution |
Expectations, Requirements. FortiAuthenticator as RADIUS server, 2 FortiGates as RADIUS client (can be any other RADIUS client).
Configuration: User configuration on FortiAuthenticator with 2FA (FortiMobile Token).
User group:
FortiAuthenticator is configured as RADIUS Server for 2 FortiGates as clients:
RADIUS policies need to make sure that the above RADIUS clients are part of the same policy.
Make sure to enable the 'Radius Auth' on the respective interface on Authenticator:
Configure the RADIUS on both FortiGates as below:
config user radius
User Group configuration:
config user group
Admin user configuration:
config system admin
Repeat the similar configuration on another FortiGate.
Verification: Try to authenticate on both FortiGates using the user 'test12', the user will get an OTP prompt and enter the OTP on the first FortiGate, the user will successfully log to the FortiGate, then immediately try to enter the OTP on the second FortiGate, and the user will not be able to log in.
Find the below logs from the authenticator for working and not working login attempts.
Working:
Conclusion: The Token generates a one-time password (OTP), which becomes invalid after use and cannot be reused. If the user attempts to use the same Token code again, an error will occur because the previous OTP has already been consumed. Users need to wait for the next Token and authenticate. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.