Created on
08-05-2019
01:52 AM
Edited on
11-05-2023
09:35 PM
By
Anthony_E
Description
This article describes how the FortiToken Push feature works with FortiAuthenticator and Apple/Android-based devices, the configuration requirements, and the workflow on FortiAuthenticator when a user authenticates.
Useful link: FortiAuthenticator Documentation.
Solution
In cases where PUSH token notifications are desired, a setup needs to be done on FortiGate (or a 3rd party device capable of RADIUS Access-Challenge), pointing to FortiAuthenticator as the RADIUS server.
In FortiOS, this would include a user group with the RADIUS server object as a member and the FortiAuthenticator configured as a RADIUS server entry.
Any 3rd party RADIUS client needs the same settings enabled on FortiAuthenticator.
The following needs to be configured on FortiAuthenticator (Setup):
In older versions: 'Authentication -> Radius Service -> Clients'.
The profile for the client system has to have 'Enable FortiToken Mobile push notification authentication' activated. Otherwise, FortiAuthenticator will not send push notifications to Apple/Android servers.
In newer versions: 'Authentication -> Radius Service -> Policy'.
The RADIUS policy needs to have push notification enabled in the tab 'Authentication factors' under 'Advanced Settings' (this should be the case by default).
Ensure push reply can reach FortiAuthenticator.
'System -> Administration -> System Access'
Here the 'Public IP/FQDN for FortiToken Mobile' can be set to a public IP and port.
This is NOT the IP and port combination set on FortiAuthenticator itself; this is the public IP/FQDN to which the push reply should be sent.
In the case where the FortiAuthenticator is behind the NAT device, this setting makes the FortiAuthenticator aware of the public IP and port used by the NAT device to translate into the FortiAuthenticator IP and port.
FortiAuthenticator will include this setting as a reply-to address in the push notification, so the FortiToken mobile app knows where to send the reply.
For example NAT device has VIP/port-forwarding, or a similar feature, configured with public IP 3.3.3.3 and port 34443. FortiAuthenticator’s actual interface port1 has 192.168.1.99:443. Set this Public IP and port to 3.3.3.3:34443 to ensure proper communication according to above mentioned translation.
Note:
If FortiAuthenticator is connected directly to the Internet, this setting is not necessary as FortiAuthenticator is reachable itself and there is no NAT translation in the middle; the reply will be sent to the FortiAuthenticator's outgoing interface IP.
Enable push notifications on the interface.
The destination interface on FortiAuthenticator where the traffic arrives (as port1 with 192.168.1.99 in the above example) has to have 'FortiToken Mobile API (/api/v1/pushauthresp, /api/v1/transfertoken)' enabled. This can be set under 'System -> Network -> Interfaces'; select and edit the appropriate interface.
With this configuration, FortiAuthenticator is primed for push notifications.
It is now up to the client to initiate push notifications.
The process is as follows:
Once FortiAuthenticator is prompted for push notification, then this is a work-flow of the notification being sent:
Once Approved or Denied, FortiToken Mobile app establishes TLS encrypted and signed communication directly with FortiAuthenticator, based on the FortiAuthenticator's interface IP OR the 'Public IP/FQDN for FortiToken Mobile' setting. The mobile app receives this information (where to send the reply) as part of the notification.
Once the connection is established, the app sends either the OTP token or a deny response, to FortiAuthenticator automatically.
When a response from the FortiToken Mobile app is received, RADIUS Access-Accept (Approve) or Access-Reject (Deny) is sent from FortiAuthenticator to the RADIUS client.
If the user has any AVP directly set or inherited from group membership, then those are sent as well (Note: that does not apply to users whose 'User Role' on FortiAuthenticator is Administrator or Sponsor. There are no AVPs sent for such users, even if they have 'Allow RADIUS Authenitcation' enabled; this setting is disabled by default).
Example Access-Accept:
Related Article:
Technical Tip: How to transfer FortiToken mobile.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.