Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Toshi_Esumi
SuperUser
SuperUser

FortiToken Mobile for multiple FortiGate servers

Does anyone know if one FortiToken Mobile app with two or more FortiGates for SSL VPN is possible? I mean WITHOUT FortiAuthenticator.
We have mulitiple SSL VPN entry points in our nation-wide network. But now we want to use FortiToken Mobile. The gotcha is we don't have FortiAuthenticator for remote authentication. So we need to buy multiple tokens for all FortiGates. But I'm not sure if this even works with one smartphone per user.

 

Toshi

2 Solutions
Toshi_Esumi
SuperUser
SuperUser

I just wanted to update what kind of answers I got through Reddit when I posted the same question there. I hope this is not violating the policy of this forum.

 

Direct answer to my question was "Yes, one app can handle multiple tokens from multiple FortiGates". One guy even shared me his app's screenshot for two FGTs. And futher, another guy recommended FortiToken Cloud, which seems to accommodate multiple Fortigates for the same token, which might be ideal for us. I need to learn how each option would work including with FortiAuthenticator.

View solution in original post

Debbie_FTNT

I'm not sure if we have any guide for how the whole sequence works, at least on the docs page.

We do have a configuration example with two-factor authentication (SMS token, but the process for FTK is much the same): https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/451567/sms-two-factor-authentic...
However, this is with a local user created on FortiAuthenticator, not a user that is on LDAP.

Here is a section on remote authentication servers in FortiAuthenticator (tie-in with remote LDAP/RADIUS):
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/641286/remote-authe...
The study guide for NSE 6 FortiAuthenticator does cover what I discussed above as well, but doesn't provide a simple step-by-step example of what a setup would look like. That is part of the labs in instructor-led FortiAuthenticator training, I believe.

 

If your questions are about RADIUS protocol in general, the study guide contains a small section on how RADIUS works, but it doesn't go into great depth and presumes at least a bit of familiarity with the protocol.

As for a diagram - a crude one, but I hope it helps you visualize what's going on:

Debbie_FTNT_0-1643993611197.png

communication between FAC and FGT is RADIUS, and between FAC and remote auth server could be RADIUS, LDAP, etc.
For those remote servers, they would see FAC as client, not FortiGate.
For FortiGate, it would only have the one RADIUS server to speak to.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

11 REPLIES 11
Toshi_Esumi
SuperUser
SuperUser

I just wanted to update what kind of answers I got through Reddit when I posted the same question there. I hope this is not violating the policy of this forum.

 

Direct answer to my question was "Yes, one app can handle multiple tokens from multiple FortiGates". One guy even shared me his app's screenshot for two FGTs. And futher, another guy recommended FortiToken Cloud, which seems to accommodate multiple Fortigates for the same token, which might be ideal for us. I need to learn how each option would work including with FortiAuthenticator.

Debbie_FTNT

If you have questions about FortiAuthenticator, you are welcome to let me know, I deal a lot with that product :)

Not so much with FortiToken Cloud, but I can provide a little info on that as well.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi
SuperUser
SuperUser

I heard a Win AD could be put behind FAC. But we don't want to do that and use FAC only for FortiToken 2nd factor part. It's possible, right? I'm guessing it has more features and of course multi tenancy would be one of them.

Debbie_FTNT

If you want to use FAC for 2FA part, and user credentials are in AD, you would essentially use FAC as proxy to AD:

-> authenticate users to FAC via RADIUS

-> FAC forwards user credentials to AD for checking

-> if AD returns an 'OK', FAC asks for the token or sends push notification (FAC can also be set to ask for token even if credentials are invalid, to avoid giving away information)

-> once this is successful, FAC sends 'OK' to FGT
-> user is authenticated
There are options to authenticate via SAML instead of RADIUS, to chain authentication to another proxy, integrate FAC with FSSO (it can act as Collector Agent) and a number of other features

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi

So you're saying it's not possible to keep current remote authentication method with like other 3rd party RADIUS (could be freeRADIUS) or TACACS+, which we use for a subset of SSL VPN users, which FortiToken Mobile use FAC, and all FGTs asks the same to FAC. Correct? We need this ONLY for SSL VPN 2nd Factor auth. We won't use for any SSOs.

Debbie_FTNT

Hey Toshi,

not quite - you can keep the current authenitcation method, you just have to put FortiAuthenticator between the current auth server and FortiGate.

For example, if you currently authenticate to a FreeRadius:
- configure FortiGate to point to FortiAuthenticator instead

- configure FortiAuthenticator to send the credentials to FreeRadius (set up remote auth server and reference it in a RADIUS policy)

-> add the remote users on FAC (similar to the 'user local/type ldap' setup on FortiGate) and link them with the appropriate token

 

All FortiGates can query the FAC, the user credentials will be checked against the remote server configured in FAC (RADIUS/LDAP/TACACS), and then in addition FAC itself will request the token.

Does that clarify how the setup would operate?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi

Now I understand the topology of this operation including FAC. I was thinking FGT can ask user's credential to the current remote auth server then as the second step ask token to FAC, like hub-and-spokes. Instead, the FGT can ask only to FAC for both factors in one packet(?) then in turn the FAC acts as NAS to get the user's credential part authenticated by the current remote auth server, and returns to the FGT with the result of both factors.
So from those current RADIUS/LDAP/TACACS server's view, nothing is different between getting those queries from FGT and getting from FAC other than NAS IP and type.

 

Ok, it's clear to me now. Thanks Debbie.

 

Toshi

Debbie_FTNT

Hey Toshi,

it's down to how RADIUS handles 2FA that necessitates such a setup:
- FortiGate sends an access request with user credentials to FAC

- FAC checks the credentials
-> if there is no token, it sends back an access accept
-> if there is a token, it sends back a challenge instead
-> FortiGate prompts the user for the challenge (token code)

-> FortiGate sends another access request with username + token code (in password field)

-> FAC checks the token code, then sends access accept

Basically any RADIUS solution with 2FA (if it's not using push notification) works like this (request, challenge, request, accept).

So this is not done in one packet, but two; it's just how RADIUS is designed :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi

It's quite complicated. Is there any KBs describing this operational sequence with a diagram? Maybe in one of NSEx's study guides?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors