Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Toshi_Esumi
SuperUser
SuperUser

FortiToken Mobile for multiple FortiGate servers

Does anyone know if one FortiToken Mobile app with two or more FortiGates for SSL VPN is possible? I mean WITHOUT FortiAuthenticator.
We have mulitiple SSL VPN entry points in our nation-wide network. But now we want to use FortiToken Mobile. The gotcha is we don't have FortiAuthenticator for remote authentication. So we need to buy multiple tokens for all FortiGates. But I'm not sure if this even works with one smartphone per user.

 

Toshi

2 Solutions
Toshi_Esumi
SuperUser
SuperUser

I just wanted to update what kind of answers I got through Reddit when I posted the same question there. I hope this is not violating the policy of this forum.

 

Direct answer to my question was "Yes, one app can handle multiple tokens from multiple FortiGates". One guy even shared me his app's screenshot for two FGTs. And futher, another guy recommended FortiToken Cloud, which seems to accommodate multiple Fortigates for the same token, which might be ideal for us. I need to learn how each option would work including with FortiAuthenticator.

View solution in original post

Debbie_FTNT

I'm not sure if we have any guide for how the whole sequence works, at least on the docs page.

We do have a configuration example with two-factor authentication (SMS token, but the process for FTK is much the same): https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/451567/sms-two-factor-authentic...
However, this is with a local user created on FortiAuthenticator, not a user that is on LDAP.

Here is a section on remote authentication servers in FortiAuthenticator (tie-in with remote LDAP/RADIUS):
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/641286/remote-authe...
The study guide for NSE 6 FortiAuthenticator does cover what I discussed above as well, but doesn't provide a simple step-by-step example of what a setup would look like. That is part of the labs in instructor-led FortiAuthenticator training, I believe.

 

If your questions are about RADIUS protocol in general, the study guide contains a small section on how RADIUS works, but it doesn't go into great depth and presumes at least a bit of familiarity with the protocol.

As for a diagram - a crude one, but I hope it helps you visualize what's going on:

Debbie_FTNT_0-1643993611197.png

communication between FAC and FGT is RADIUS, and between FAC and remote auth server could be RADIUS, LDAP, etc.
For those remote servers, they would see FAC as client, not FortiGate.
For FortiGate, it would only have the one RADIUS server to speak to.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

11 REPLIES 11
Debbie_FTNT

I'm not sure if we have any guide for how the whole sequence works, at least on the docs page.

We do have a configuration example with two-factor authentication (SMS token, but the process for FTK is much the same): https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/451567/sms-two-factor-authentic...
However, this is with a local user created on FortiAuthenticator, not a user that is on LDAP.

Here is a section on remote authentication servers in FortiAuthenticator (tie-in with remote LDAP/RADIUS):
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/641286/remote-authe...
The study guide for NSE 6 FortiAuthenticator does cover what I discussed above as well, but doesn't provide a simple step-by-step example of what a setup would look like. That is part of the labs in instructor-led FortiAuthenticator training, I believe.

 

If your questions are about RADIUS protocol in general, the study guide contains a small section on how RADIUS works, but it doesn't go into great depth and presumes at least a bit of familiarity with the protocol.

As for a diagram - a crude one, but I hope it helps you visualize what's going on:

Debbie_FTNT_0-1643993611197.png

communication between FAC and FGT is RADIUS, and between FAC and remote auth server could be RADIUS, LDAP, etc.
For those remote servers, they would see FAC as client, not FortiGate.
For FortiGate, it would only have the one RADIUS server to speak to.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi

This diagram is exactly what I was looking for. Thanks again.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors