Fortinet Community

fcb · ‎09-21-2022

I've had 2FA working again Authenticator for some time but recently was tasked with turning on the push notifications but my FortiClient does not have a "Push" button and I really never knew it was supposed to. I thought when you made the authentication request (logged in when prompted by the VPN config) that it would go ahead and ask you to input the token AND still accept the push, but from the 6.4.8 Release Notes it would appear that I should have the option to select "push" OR to enter my code:

To connect VPN with FortiToken Mobile using push notifications:
1. On the Remote Access tab, select the VPN connection from the dropdown list.
2. Enter your username and password and click the Connect button. The Click on 'FTM Push' or enter token code box displays.
3. Click FTM Push. Your device with FortiToken Mobile installed receives a notification.
4. On your device with FortiToken Mobile installed, tap the notification and follow the instructions to allow the authentication request and complete network authentication without typing the token code. You can also deny the authentication request, or do nothing and let the notification request expire.

I have my Authenticator configured for PUSH and have seen a request hit my FortiToken Mobile but no matter if I hit "approve" or "deny", the VPN times out. Never though have I seen the option to: The Click on 'FTM Push button so is there something wrong with my deployment package in EMS perhaps then??

aahmadzada · ‎09-26-2022

Hello,
With the current design of the FortiOS and Forticlient app, the fortitoken mobile puh is not supported by Dialup IPSec.

For IPsec two-factor auth, we support mobile token, RSA token, and Fortinet hardtoken, for these we need to enter the pin manually.

You can reach out to your local Fortinet Partner and submit an NFR(New Feature Request).

Ahmad

View solution in original post

Anthony_E · ‎09-25-2022

Hello fcb,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Anthony-Fortinet Community Team.

aahmadzada · ‎09-26-2022

Hello,
With the current design of the FortiOS and Forticlient app, the fortitoken mobile puh is not supported by Dialup IPSec.

For IPsec two-factor auth, we support mobile token, RSA token, and Fortinet hardtoken, for these we need to enter the pin manually.

You can reach out to your local Fortinet Partner and submit an NFR(New Feature Request).

Ahmad

blanosko · ‎08-08-2023

Hi,

Maybe you could elaborate on this this KB:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthentic...

In the KB there is specific sentence:

5) Optionally: The user can, instead of accepting the push notification, also simply enter the token code. FortiAuthenticator should receive this as another Access-Request, and accept the token code even if push notification has been initiated. This option might not be available if a user actively triggered push notification by sending an empty code or typing in 'push'.

I just tested it and it works. You can enable push notification in RADIUS policy in FAC and when trying to connect through IPSec VPN (FortiClient), you just type "push" instead of actual token in token field and then you recieve push notification on mobile app and can aprove login that way. And boom you are connected.

Only weird thing is that I will not get the push notification automaticaly when I enter credentials like with SSL VPN.

So the main question is, when push notification with IPSec VPN from FCT works, why cant we get this functionality with automatic push send as with SSL VPN? Or is there some release note on FAC/FCT where I just missed this feature?

Tested on FGT 7.0.12, FAC 6.5.3, FCT 6.4.9

Fortinet Community

FortiClient does not have "Push" option when using IPSEC VPN