cbabfat
New Contributor III

Push Authentication

What firewall ports are used for push authentication?

We use Cisco AnyConnect and use the FortiAuth for 2 factor. If the user's phone is on the corporate network, then it will communicate with the FortiAuthenticator for 2 factor with push messages. If the phone is connected to the public network, then it fails. Where are the server name settings specified that the app is going to use to communicate back to the Authenticator?

SOMEBODY has to have the detailed process. My support ticket has been open for over a week with no response.

Chris

emnoc
Esteemed Contributor III

I believe it's via HTTPS; you could easily diagnose this by doing a capture from the FA to the phone while on-network.

PCNSE 

NSE 

StrongSwan  

tanr
Valued Contributor II

I think they use TCP 2196 (Apple/Android push services) per https://forum.fortinet.com/tm.aspx?m=146690.

make
New Contributor

Hi Chris,

I have the same problem. Have you received any answers from Fortinet Support, or have you found a solution?

Kind Regards, Maximilian

cbabfat
New Contributor III

This is what I got:

Hi, Sorry for the delay. FortiToken Mobile (FTM) push authentication does not work when the port "Public IP/FQDN for FortiToken Mobile" in System > Administration > System Access is changed to anything besides 443 (e.g. 10443). If FAC is behind an upstream device kindly make sure to forward the ports 2195, 5223 and 2196 to FAC IP.

guillaume66

Hi,

Has anybody managed to use the push feature?

I managed, using FAC 4.3.0 build 222, to send an iOS push to the phone.

On the phone, clicking Approve replies with a "request approved" message.

But I am not sure how FAC will notify my RADIUS client that the auth has been approved.

My setup (lab):

- VM FAC 4.3.0 build 222 (I tried to upgrade to 5.0.0 with the existing config migrated, but push was not working anymore; to be tested once again later)

- iOS FortiToken Mobile 4.1.1 (up to date)

- RADIUS client = NTRadPing, with FTM push authentication enabled on this RADIUS client.

I did some Wireshark captures on the NTRadPing PC.

Here are the steps:

- Access-Request from NTRadPing to FAC (OK)

- Access-Challenge from FAC to NTRadPing (OK)

- I receive the push on the phone (sent from FAC to Apple servers on port tcp/2195)

- I accept on the phone (sending the reply to FAC via the IP and port configured in FAC (menu described by cbabfat))

- Nothing more... no Access-Accept received from FAC to NTRadPing (even when looking with Wireshark...)

If I do the same using NTRadPing but send back the token code via NTRadPing, I can see the Access-Accept from FAC to NTRadPing: auth is working fine (be aware of a small trick in NTRadPing to send the token code back: https://support.secureauth.com/hc/en-us/articles/115000594347-How-To-Test-RADIUS-Using-NTRadPing )

Is anyone using this FAC push feature?

Is anyone using this with FGT, or with non-Fortinet devices like a third-party SSL gateway?

Thanks,

Regards,

Guillaume

cbabfat
New Contributor III

We decided not to open the Authenticator up to Internet traffic. That was one of the points and best practices that have been in the Fortinet documentation since the beginning.

While testing, if the phone with the token on it was on our internal network (since kicked off), the push part worked with Cisco AnyConnect/ASA. The problem (for users) is that nothing happened on the AnyConnect client/Windows. Once you authenticated with the push, you just click OK with a blank token code field during the VPN login process; nothing in the client is set up to register that the push has occurred.

guillaume66

Thanks for this feedback, which helped.

I managed to do the Access-Challenge with NTRadPing the following way:

- ask for auth via NTRadPing (using login/password)

- approve on the phone (via push)

- when the message "request approved" is shown on the phone, you can send a response with NTRadPing with the following: state=XX (put the number you received in the Access-Challenge) + password = your user password (not the token code)

Then NTRadPing receives the Access-Accept.

This is quite similar to what you said ("Once you authenticated with the push, you just click OK with a blank token code field during the VPN login process"), but a blank password is not working in my case (using remote LDAP users).

I agree on "nothing in the client is set to be able to register that the push has occurred"; this was the sense of my question: I cannot understand how the RADIUS client could be informed once the user has approved via the out-of-band channel (phone push), so I assume this is not possible with a third-party RADIUS client...

Thanks for your valuable feedback!
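The Access-Request / Access-Challenge / State round trip guillaume66 describes above, as an added example that is not code from this thread or from Fortinet: a minimal RFC 2865 encoder in Python plus a constructed stand-in for the server side (toy_server, the shared secret and the user table are assumptions, not FortiAuthenticator's logic). It shows why the second request must echo the State attribute and carry the user's password rather than a token code, that a used State cannot be replayed, and how the client checks each reply's Response Authenticator.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24  # RFC 2865 attribute types

def radius_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def pap_xor(secret, req_auth, data, encrypt):
    # RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if encrypt else data[i:i + 16])
    return out

def parse_attrs(pkt):
    attrs, i = {}, 20  # attributes start after the 20-byte header; each is Type, Length, Value
    while i < len(pkt):
        attrs[pkt[i]], i = pkt[i + 2:i + pkt[i + 1]], i + pkt[i + 1]
    return attrs

def build_access_request(ident, secret, user, password, state=None):
    req_auth = os.urandom(16)
    pw = password.encode() or b"\0"  # a blank password still becomes one zero-filled 16-byte block
    attrs = radius_attr(USER_NAME, user.encode()) + radius_attr(USER_PASSWORD, pap_xor(secret, req_auth, pw + b"\0" * (-len(pw) % 16), True))
    if state is not None:
        attrs += radius_attr(STATE, state)  # echo the State from the Access-Challenge unchanged (RFC 2865 5.24)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, request, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    return response == build_response(response[0], request, secret, response[20:])

def toy_server(request, secret, users, pending, phone_approved):
    # Constructed stand-in for the RADIUS side of a push flow; not FortiAuthenticator's own logic
    attrs = parse_attrs(request)
    user = attrs[USER_NAME].decode()
    if users.get(user) != pap_xor(secret, request[4:20], attrs[USER_PASSWORD], False).rstrip(b"\0").decode():
        return build_response(ACCESS_REJECT, request, secret)
    if STATE not in attrs:  # leg 1: the push goes to the phone out of band; the RADIUS client only sees a challenge
        state = os.urandom(8)
        pending[state] = user
        return build_response(ACCESS_CHALLENGE, request, secret, radius_attr(STATE, state))
    if pending.pop(attrs[STATE], None) == user and phone_approved:  # leg 2: State echoed back with the password
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret)
```

Send build_access_request without State first; the challenge carries the State that the second request echoes, and verify_response checks the Response Authenticator on every reply so a spoofed Access-Accept is not trusted.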

emnoc
Esteemed Contributor III

FWIW

I've been successful using DUO with SSLVPN; I just posted about this a few months back. The push works great and is 99.99% reliable. The cool thing with the MFA solution is you can customize the push notification details so you don't blindly "ack" a push without knowing the what/who/details.

http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html

I believe in the long run it's more diverse than FortiAuthenticator, and the combination is great for multiple applications.

Just my 2 cents.

Ken


cbabfat
New Contributor III

LOL!!! No, if you want a great solution, DUO is the BEST. Hands down.

We have multiple DUO accounts for various business uses, but we didn't want the monthly spend on 500+ users. FortiAuthenticator made more sense, spending upfront and not every month.

Chris