Technical Tip: Push Notifications

Push notification is a feature designed for FortiToken Mobile (FTM) and FortiToken Cloud (FTC) to ease the process of entering the OTP for users by sending a notification to the FortiToken Mobile App to Approve/Deny the OTP request.

Traffic flow for FTM Push for imported FortiTokens on FortiAuthenticator is as follows

1. User enters the credentials in the login platform and proceeds with Login/Connect to the next step where the user is asked to enter the OTP. At the same time, the FortiAuthenticator will trigger the push process by sending a request to the Fortinet Push Proxy server (push.fortinet.com), which is then forwarded to the Apple/Google server based on the OS of the user’s Mobile Device.
   
   
2. A notification will show up on the user’s device which has information about username, time of request, and Client Application (which is configurable on the FortiAuthenticator).
   
   Also, this request contains the IP/FQDN of the FortiAuthenticator specified in the FortiAuthenticator System Settings as the destination (which is not visible to the user).
   
   
3. As soon as the user selects approve/deny, the response will be sent directly to the destination of FortiAuthenticator to complete the authentication process.
   
   

The traffic and workflow of FortiToken Cloud assigned tokens differ slightly, as the mobile phone sends the push notification back to the FortiToken Cloud server, which then forwards it to the FortiAuthenticator.

Traffic flow for FTC-assigned FortiTokens on FortiAuthenticator is as follows:

1. User enters the credentials in the login platform and proceeds with Login/Connect to the next step where the user is asked to enter the OTP. At the same time, the FortiAuthenticator will trigger the push process by sending a request to the FortiToken Cloud server (ftc.fortinet.com:8686), which is then forwarded to the Apple/Google server based on the OS of the user’s Mobile Device.
   
   
2. A notification will show up on the user’s device which has information about username, time of the request, and Client Application (which is configurable on the FortiAuthenticator).
   
   
3. As soon as the user selects approve/deny, the response will be sent to the FortiToken Cloud Server directly, which will then send a confirmation, to complete the authentication process.

Requirements:

• The login client (portal) should support push. Supported clients among Fortinet products include:
  • FortiClient (6.4.x, 7.0.x, 7.2.x and the recent 6.2.x).
  • FortiGate Admin and VPN web portal.
  • FortiAuthenticator Captive/Self Service/Admin GUI/SAML idP portals.
  • FortiManager/FortiAnalyzer Admin GUI.
  • FortiAuthenticator v6.x.
• Internet Access for the FortiAuthenticator.
• FortiAuthenticator must be reachable from a Mobile device.

Configuration:

1. On the FortiAuthenticator, enable the FortiToken Mobile service under System -> Network -> Interfaces.

2. Configure an IP/FQDN and a port (if the external port is different from 443):

If the user’s Mobile Device is not on the local network, it will be necessary to set the WAN Public IP/FQDN of the Firewall and create a VIP policy for inbound traffic of the Mobile App to the FortiAuthenticator:

3. If push is used for RADIUS Authentication or Portal Authentication (Captive/Self Service portal), then it will be necessary to enable the option 'Allow FortiToken Mobile push notifications' under the Authentication > RADIUS Service > Policies -> Authentication factors -> Advanced options.

Note 1: Push is enabled by default for Admin GUI, SAML idP and Legacy Self Service portal and cannot be disabled.

Note 2: To enable push notification for the FortiAuthenticator Windows Agent, enable the option 'Allow Push Notification' on the Agent configuration:

Troubleshooting Push issues:

1. Check if a push notification pops up on the mobile app:

• If YES, go to step 6.
• If NOT, go to step 2.

2. Verify in the FortiAuthenticator debug logs if the push was initially triggered and if the push was sent out:

https://<FortiAuthenticator IP>/debug/radius/
In the RADIUS Authentication debug, there should be an Access-Challenge that was processed, either towards the RADIUS client or to another internal FAC service (from 127.0.0.1 to 127.0.0.1):

2022-12-20T10:33:14.373885+01:00 FortiAuthenticator radiusd[9502]: (69) Sent Access-Challenge Id 7 from 10.0.0.253:1812 to 10.0.0.254:13452 length 0
2022-12-20T10:33:14.373890+01:00 FortiAuthenticator radiusd[9502]: (69) Reply-Message = "+Enter token code or no code to send a notification to your FortiToken Mobile"

Once this is sent, the RADIUS client should respond with an Access-Request with the username but with an empty password attribute, which will trigger the sending of the push notification:

2022-12-20T10:33:14.385390+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: This is a response to Access-Challenge
2022-12-20T10:33:14.385394+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Partial auth user found
2022-12-20T10:33:14.385453+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Request contains FTM push trigger
2022-12-20T10:33:14.385458+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Sending FTM push notification
2022-12-20T10:33:14.385461+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Initiate push_auth for vpntest @ mttest
2022-12-20T10:33:14.386746+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: initiate_push_auth done: session_id=46f753c4a08e4c27a86278e29d4f1582
2022-12-20T10:33:14.386751+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Partial auth user is pending FTM push auth
2022-12-20T10:33:14.386754+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Successfully found partially authenticated user instance.
2022-12-20T10:33:14.387058+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-12-20T10:33:14.387062+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Hold request to wait for FTM push notification reply (request will be dropped after 60 sec)
2022-12-20T10:33:14.387101+01:00 FortiAuthenticator radiusd[9502]: (70) facauth: Updated auth log 'vpntest@mttest': Windows AD user authentication partially done (chosen FTM push notification), expecting FortiToken

https://<FortiAuthenticator IP>/debug/push-service/

The FortiAuthenticator Push service has its own log, where this will be processed further, by verifying the same session_id is present, and to which exact FortiToken FTKMOBxxxxx serial number is this sent to:

2022-12-20T10:33:14.385759+01:00 FortiAuthenticator pushd[1334]: MAIN: Accepted client connection from [('127.0.0.1', 49640)]
2022-12-20T10:33:14.391324+01:00 FortiAuthenticator pushd[1334]: Broker: Deliver push task to job queue. At position[1]
2022-12-20T10:33:17.885823+01:00 FortiAuthenticator pushd[1334]: Worker[0]: This registration ID has been found locally [dNGLnp6zCWQ:APA91bF-qE6LDIDUonOifXx4VSiZ9arZlnA86SB5A320L6e_VD3e_sKZOiKNv0EWj2HpxneX1KVVm6buA3LjjH2L3iszU-jNU9Ky0vyrKxLUkqVdQKBNUOgmPxuBdpS6JcwGG8ZHDd5B]
2022-12-20T10:33:18.828645+01:00 FortiAuthenticator pushd[1334]: Worker[0]: Sending push message[46f753c4a08e4c27a86278e29d4f1582] to User[vpntest] with FTM2[FTKMOBXXXXXXXXX] with device token[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]...
2022-12-20T10:33:18.855202+01:00 FortiAuthenticator pushd[1334]: Worker[0]: Pushed 46f753c4a08e4c27a86278e29d4f1582-vpntest to remote server.
2022-12-20T10:38:34.778014+01:00 FortiAuthenticator pushd[1334]: MAIN: Stats: workers=1 queue_size=0
2022-12-20T10:38:34.778056+01:00 FortiAuthenticator pushd[1334]: MAIN: Worker[0] worked on last task at 2022-12-20 09:33:14.974552

3. Depending on the login portal/client, take the appropriate steps:

• FortiAuthenticator Windows Agent: make sure 'Allow Push Notification' is enabled on the Agent.
• RADIUS client (e.g. FortiGate VPN): make sure 'Allow FortiToken Mobile push notifications' is enabled under the RADIUS policy; verify additionally in the RADIUS Authentication debug if the request was processed by the correct/expected RADIUS policy.
• Self Service/Captive portal: make sure 'Allow FortiToken Mobile push notifications' is enabled under the portal policy.
• Third-party Apps: check with the vendor to see if the application supports pushover Radius.

4. Test FortiAuthenticator DNS by running ' execute nslookup push.fortinet.com” from the FortiAuthenticator CLI (SSH session).

5. Check if the FortiAuthenticator establishes a TLS connection with the Fortinet push server:

• Run a packet capture from the GUI or CLI (execute tcpdumpfile).
• Test push through the GUI login, VPN, etc.
• Open the pcap file and look for the DNS query on push.fortinet.com, then look for a TLS connection to Push servers:

6. If a push notification pops up on the mobile app but the response does not go back to FortiAuthenticator, first check if the correct IP and port is configured for 'Public IP/FQDN for FortiToken Mobile' under System -> Administration -> System Access.
   
   This field is passed to the mobile application and is used as a destination to FortiAuthenticator, meaning there should be a network path between the mobile app and the FortiAuthenticator to send back the response.

7. If the Mobile device is connected to the local network, the FortiAuthenticator should be reachable from the mobile device.
8. If the Mobile device is not connected to the local network, a VIP policy is required on the Edge Router (e.g. FortiGate) to forward the traffic from the WAN port (Public IP) to the FortiAuthenticator:   

• If FQDN is used, the mobile device should be able to resolve it through the external DNS (if remote) or internal DNS if on the local network.
• If no port is specified in 'Public IP/FQDN for FortiToken Mobile', FortiAuthenticator will use port 443 by default.
• Ensure the port specified in 'Public IP/FQDN for FortiToken Mobile', is open outbound on the local network the mobile device is on.

8. If the push notification is being sent to the mobile device but only available for 5-seconds, change the default timeout values on the FortiGate's global authentication and RADIUS server authentication:

To configure the RADIUS server timeout, run the following:

config user radius

edit <RADIUS server name>

set timeout <value, e.g. 30>

end

To configure the global authentication timeout, run the following:

config system global

set remoteauthtimeout <value, e.g. 60>

end

Related documents:

Technical Tip: FortiToken Push on FortiAuthenticator: operation flow and details.

Technical Tip: FortiAuthenticator Push Notification Work Flow.

Configuring FortiToken Mobile push on FortiGate - FortiAuthenticator 6.4.0 RADIUS interoperability g....