Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leon471
New Contributor

FortiToken Push Notification Query

Using FortiAuthenticator and FortiToken Mobile, is it possible to build a RADIUS authentication solution for 3rd party devices where the app is only used to "Accept" or "Deny" sessions, and the FortiToken OTP is not used?

For example:

User SSH's to a device (say a Cisco switch).

User enters username/password credentials only.

FortiToken Mobile prompts the user to "Accept" or "Deny" the session.

Session is allowed or denied.

Markus_M
Staff

Hello Leon,

The push works in a specific way. If that RADIUS client follows that way, then yes, that is possible and actually quite common.

Here is the described flow:

1) Client authenticates - RADIUS request is sent

2) FortiAuthenticator receives the request, matches this to a policy, works on it. The policy contains a push setting, enabled of course.

3) The FAC returns a challenge with this wording "+Enter" blabla.

4) The client, in the case of FortiGate, will see the '+'. This will be interpreted by FortiGate as "push capable". The FortiGate will now send a response, an Access-Request, with an empty password value (visible if you decrypt the RADIUS traffic with the shared secret).

5) The FortiAuthenticator will interpret the empty password field as "push capability accepted" and will initiate a push.

6) The push arrives at the phone. Approve/Deny sends that command to the address that is stated in the "Public FQDN IP for FTM push" in FAC GUI > Administration > System Access.

In case of non-FGT RADIUS clients, it is likely they do not respond to FAC as per 4). The push won't be sent.

The 2nd Access-Request will contain the password attribute with the value of the OTP.

One addition here though: IF the value of the OTP is "push", then FAC will also send a push notification and expect 6).

Hope this helps.

Best regards,

Markus
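The challenge/push negotiation described in the reply above, as an added simulation that is not code from Fortinet or from this thread. The '+'-prefixed challenge, the empty-password second request and the literal "push" OTP come from the post; the class and function names, the OTP table and the phone-decision callback are constructed stand-ins, and the first-factor password check is omitted.

```python
# Added example (not Fortinet's code): both sides of the RADIUS push flow
# from the reply above, modelled in memory so the state machine can be seen.
from typing import Callable, Dict, List

CONSTRUCTED_OTPS = {"leon": "123456"}  # constructed stand-in for token validation


class FACSim:
    """Stand-in for the FortiAuthenticator side (steps 2 to 6 of the reply)."""

    def __init__(self, phone_decision: Callable[[str], bool]):
        self.phone_decision = phone_decision  # Approve (True) / Deny (False)
        self.pushes_sent: List[str] = []      # record of pushes for inspection

    def handle(self, req: Dict[str, str]) -> Dict[str, str]:
        user = req["User-Name"]
        if "State" not in req:
            # Steps 2-3: first request matched a push-enabled policy; the
            # challenge text starts with '+' to advertise push capability.
            # (First-factor password check omitted in this simulation.)
            return {"code": "Access-Challenge", "State": "s1",
                    "Reply-Message": "+Enter token code"}
        pw = req.get("User-Password", "")
        if pw == "" or pw.lower() == "push":
            # Step 5: empty password (or the literal "push") means the client
            # accepted push; send it and wait for the phone's Approve/Deny.
            self.pushes_sent.append(user)
            ok = self.phone_decision(user)
        else:
            ok = CONSTRUCTED_OTPS.get(user) == pw  # plain OTP path
        return {"code": "Access-Accept" if ok else "Access-Reject"}


def radius_client(fac: FACSim, user: str, password: str,
                  push_capable: bool, otp: str = "") -> str:
    """Stand-in RADIUS client; push_capable=True models the FortiGate behaviour."""
    resp = fac.handle({"User-Name": user, "User-Password": password})
    if resp["code"] != "Access-Challenge":
        return resp["code"]
    msg = resp.get("Reply-Message", "")
    second = {"User-Name": user, "State": resp["State"]}
    if push_capable and msg.startswith("+"):
        second["User-Password"] = ""   # step 4: empty password accepts the push
    else:
        second["User-Password"] = otp  # non-FGT client: user types the OTP
    return fac.handle(second)["code"]
```

A third-party client that ignores the '+' and sends a typed OTP still reaches the push path only when the user types "push", which is the workaround the reply ends with.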

fcb
Contributor

In the policy that you are using on FAC for RADIUS (FAC -> Authentication -> RADIUS Service -> Policies), you will want to select "Token-only authentication" under "Authentication Factors" for the policy that is governing these connections. I typically use "Framed IP Address" for the RADIUS attribute, but if you're hitting FAC with a Cisco device, there will be lots of options.

One other thing to note: depending on your version of FAC, there are debug logs easily available for about every service on the FAC, but the ones you would want are "Push Notifications" and, I guess, RADIUS. These can be easily accessed via https://FQDNofFAC/debug - once on that page you can select one of the many debug logs available to you.

Good luck and let us know if you need anything else.
