Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiNet_Newb
Contributor

FortiToken Mobile Push with IPsec VPN

Has anyone successfully setup FortiToken Mobile Push authentication with an IPsec VPN.  It works fine with a SSL VPN connection, but when using an IPsec VPN connection, you receive the push request, but Approving/Denying the request from the FortiToken app does nothing.  You are still able to login by providing the token manually (if you enter it BEFORE choosing Accept/Deny), but this behavior is confusing and a pain for our users.  Is it simply not supported by FortiNet yet?  It worked without issue with our older Cisco/DUO setup.  We are on the latest FortiClient 7.06 (doesn't work with previous versions either) and connecting to a FortiGate running FortiOS 7.06.  I see in the release notes for the newest FortiOS vs 7.2 that having ftm-push enabled does not allow IPsec VPNs to connect at all, so I don't want to update to 7.2 at this point.

 

Thanks!

5 REPLIES 5
aahmadzada
Staff
Staff

Hello,
With the current design of the FortiOS and Forticlient app, the fortitoken mobile puh is not supported by Dialup IPSec.

 

For IPsec two-factor auth, we support mobile token, RSA token, Fortinet hardtoken, for these we need to enter the pin manually.


You can reach out to your local Fortinet Partner and submit an NFR(New Feature Request).

 

Ahmad

Ahmad
FortiNet_Newb

That’s unfortunate to hear it isn’t a feature already.  It makes no sense to me why the FortiGate would send ftm-push requests to dial-up IPsec clients if it is not a feature.  Is there anyway to at least configure ftm-push on the FortiGate to only send the push request to SSL VPN client requests, rather than the all or nothing approach?  We would still like to use the push feature for those connecting via SSL but disable it for the IPsec attempts, if possible (until it’s a feature that is added/supported).

Markus_M

Hello,

 

Do you have a RADIUS server like the FortiAuthenticator?

You could then create different RADIUS policies, one for SSLVPN users, matching a RADIUS Access request with value "vpn-ssl" and the attribute (forgot the exact name). The IPSec one will be different and not match. Disable push for the IPSec one.

To be sure, check the Fortiauthenticator debug logs at https://fac-ip/debug/radius (contains the access request and the name I am missing there).

 

Best regards,

 

Markus

FortiNet_Newb

Thanks for the work around.  Unfortunately we are not using RADIUS yet.  So, it looks like I will need to decide between switching everyone to SSL VPNs (performance has been notably worse then IPsec in our environment) so we can continue to use mobile push or disable mobile push and force them to manually key in their token every request

blanosko
New Contributor II

Hi, 

 

This would be maybe late for you but I just discovered this KB:

 

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthentic...

 

In the KB there is specific sentence:

 

5) Optionally: The user can,  instead of accepting the push notification, also simply enter the token code. FortiAuthenticator should receive this as another Access-Request, and accept the token code even if push notification has been initiated. This option might not be available if a user actively triggered push notification by sending an empty code or typing in 'push'.

 

I just tested it and it works. You can enable push notification in RADIUS policy (If you are using FAC as RADIUS server) and when trying to connect through IPSec VPN, you just type "push" instead of token and then you recieve push notification to mobile app and can aprove login that way. 

 

This is maybe not relevant for you but others will maybe find this useful, because everywhere on the internet you will find info that it is not possible to have push notif. working with IPSec VPN on FortiClient. Only weird thing is that I will not get the push notif. automaticaly when I enter credentials, I have to type push into token.

 

Tested on FGT 7.0.12, FAC 6.5.3, FCT 6.4.9

Top Kudoed Authors