I consider using FortiToken two-factor authentication for both administrative and SSL-VPN authentication.
So far, so good. But the problem is that I as a sys-admin need to have both an administrative account and a VPN account on the unit. There are also 5 branch offices with FortiGates where I need an administrative account too.
And here is the problem: it seems like there is a one-to-one-to-one relationship between accounts, FortiToken and mobile phone. I can only have one FortiToken on my phone, and one FortiToken cannot be assigned to both a VPN account and an administrative account, neither on the same device nor across devices.
Any good solutions or workarounds here?
I recommend you take a look at new FortiToken Cloud service (FTC) available if you are running FOS 6.2 or later. It is a perfect fit for your scenario. You can try it anyway for free. (https://ftc.fortinet.com) With the current version of FTC, you can use the same token issued by FTC for all your FGT admin instances across multiple FGT devices and VPN user instances across multiple FGT devices/VDOMs as long as the username in the FGT is the same.
In an upcoming release we will allow the FTC customer to designate when the same username should be treated as a different FTC user if in multiple FGT/VDOMs. But, as I said, the current version is tailor made for what you need.
Hello,
Your observations are almost correct.

1. A mobile token is bound to a license pack, and like any license, this pack is bound via the activation process to the serial number of the unit (or cluster) from which the license was activated. Therefore you are not allowed to use the same mobile token on another unit (unless this other unit is a cluster member with the original requestor and license holder). Even if you copy config parts, it will not work, as all token management (user assignment etc.) is done through the FortiGuard/FortiCare global network, which serves as the universal meeting point between FortiGate units and mobile devices.
2. With FortiToken Mobile you are not able to assign one token to two entities like a local user and an admin account. But you can do so with the FortiToken 200 or 200-CD model. This use of the 200 model line is limited to just one admin and one user combination; the same token cannot be assigned to multiple users at the same time.
3. The solution for the same token on multiple FortiGate units is to use the FortiToken 200 or, better, the 200-CD model.

Model 200 is activated through FortiGuard, and once activated the token is locked on FortiGuard by a one-time activation lock. No one can activate the same token on another unit, not even from the same unit, unless the lock is administratively released by a Fortinet TAC engineer. So you can activate the token on FortiGate-A and then via ticket ask for lock release (we need to know the token SN and the last activation unit SN, if possible). After the lock is released you will be able to make another activation on the FortiGate-B unit. Repeat the release-activate process as many times as needed.
Model 200-CD has all needed data distributed with the token on media like a CD. Therefore the token seed is not stored in any publicly accessible database, no online activation and access to FortiGuard is needed, and therefore no protective lock is applied. You need just the CD, and then you can activate the token via CD on any number of FortiGate units.
Hope it's a bit clearer now.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi and thanks for the response. My experience is based on the FortiToken Mobile service on a FortiGate, not the FortiToken appliance.
As long as I can't use FortiToken Mobile to secure both administrative access to my whole FGT environment (6 locations) and user/VPN access, the product makes no sense for me.
I find this limitation illogical and hope this will be solved during development of the product.
Yngve
I'm afraid that this limitation is intended design. It makes the environment stronger, as a single token compromise does not affect the whole network.
Multi-host use of a token does make sense with hardware tokens, as you are not going to carry a whole keyring full of tokens. But a mobile token is just an app on your telephone, and it can contain multiple software tokens, so you still carry one device.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi
It could be useful for us too. We can't buy a FortiAuthenticator (it's not a smart and economical solution) for a couple or up to 4-5 FGT units. We would like 'FortiToken Mobile' to be assignable to more than one FortiGate.
FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
You can definitely get in touch with our sales and open an NFR (new feature request), but as I said, a mobile token (single token) is part of a bundle, that bundle has a license SN (serial number), and that bundle SN is (like almost any other license) bound to the SN of the unit where it is used. The only possibility to have a single mobile token license on multiple units is to cluster the FGT units; then all the members will share the license.
As you can carry multiple mobile tokens inside a single FortiToken Mobile app (I have some 6 tokens on iOS 8), I do not see any limitation for the tokens and units. Simply have a different token on each FGT unit and all of them in a single mobile phone app.
As you would have different tokens, it makes admin access stronger and more secure: if a single token gets compromised you are not losing access to all the units, just one is endangered.
If you want a single token on multiple devices and do not want to centralize the access (FortiAuthenticator), then I would go with the FortiToken 200 or even the 200-CD hardware model. A single token activated on multiple FortiGate units.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
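The two replies above argue the same security point from opposite directions: one seed activated on every unit (the 200-CD model) means one leaked seed opens every unit, while a distinct token per unit confines a compromise to that unit. The following added example, which is not Fortinet code and does not model FortiToken's own provisioning, illustrates this with a plain RFC 4226/6238 HOTP/TOTP verifier. The `Unit` class, the fleet helpers and the seeds are constructed for the illustration; the only real-world value is the RFC 4226 test secret used in the usage call.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class Unit:
    """Stand-in for one firewall verifying a TOTP code for one user (constructed, not a Fortinet API)."""

    def __init__(self, name: str, seed: bytes):
        self.name = name
        self.seed = seed

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        # Accept codes from adjacent time steps to tolerate small clock drift;
        # compare in constant time so the check does not leak by timing.
        for drift in range(-window, window + 1):
            expected = totp(self.seed, unix_time + drift * STEP)
            if hmac.compare_digest(expected, code):
                return True
        return False


def shared_seed_fleet(names: list[str], seed: bytes) -> list[Unit]:
    """One seed activated on every unit (the hardware 200-CD pattern)."""
    return [Unit(n, seed) for n in names]


def distinct_seed_fleet(names: list[str]) -> list[Unit]:
    """A separate, randomly generated seed per unit (one mobile token per FGT)."""
    return [Unit(n, secrets.token_bytes(20)) for n in names]


def units_reachable_with_seed(units: list[Unit], leaked_seed: bytes, unix_time: int) -> list[str]:
    """Blast radius check: which units accept a code produced from one leaked seed."""
    code = totp(leaked_seed, unix_time)
    return [u.name for u in units if u.verify(code, unix_time)]


if __name__ == "__main__":
    now = int(time.time())
    names = ["FGT-HQ", "FGT-branch-1", "FGT-branch-2"]

    shared = shared_seed_fleet(names, secrets.token_bytes(20))
    print("shared seed leaked ->", units_reachable_with_seed(shared, shared[0].seed, now))

    distinct = distinct_seed_fleet(names)
    print("one distinct seed leaked ->", units_reachable_with_seed(distinct, distinct[0].seed, now))

    # RFC 4226 test secret: counter 1 gives 287082, so TOTP at Unix time 59 does too.
    print("RFC vector:", totp(b"12345678901234567890", 59))
```

The shared fleet reports all three units for a single leaked seed; the distinct fleet reports only the unit whose seed leaked, which is the containment the replies above describe when recommending one token per FGT.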
A workaround is to connect via SSL-VPN to the main unit using the token and have an IPsec network to the other units.
Otherwise FortiAuth is the way to go. Compared to other solutions it's a really cost effective solution.
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Is there a limit on the number of tokens which can be integrated in the mobile app?
I have a customer who asks if he can have more than 15 different tokens inside his mobile app....
Regards
Patrick
It's an old topic sorry to unearth it ;)
Since 2014 until now there is no possibility to have one mobile token for multiple FortiGate firewalls?
I have to manage more than twenty firewalls around the world; it's not really easy to find which one is the one...
Thanks Paul