What firewall ports are used for push authentication?
We use Cisco AnyConnect and use the FortiAuth for 2 factor. If the users phone is on the corporate network, then it will communicate with the FortiAuthenticator for 2 factor with push messages. If the phone is connected to the public network, then it fails. Where are the server name settings specified that the app is going to use to communicate back to the Authenticator?
SOMEBODY has to have the detailed process. My support ticket has been open for over a week with no response.
Chris
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
This is what I got:
Hi, Sorry for the delay. FortiToken Mobile (FTM) push authentication does not work when the port "Public IP/FQDN for FortiToken Mobile" in System > Administration > System Access is changed to anything besides 443 (e.g. 10443). If FAC is behind an upstream device kindly make sure to forward the ports 2195, 5223 and 2196 to FAC IP.
I believe it's via HTTPS,you could easily diagnose the by doing capture from the FA to the phone while on-network.
PCNSE
NSE
StrongSwan
I think they use TCP 2196 (Apple/Android push services) per https://forum.fortinet.com/tm.aspx?m=146690.
Hi Chris,
i have the same problem. Have you received any answers from Fortinet Supprort or have you found a solution?
Kind Regards, Maximilian
This is what I got:
Hi, Sorry for the delay. FortiToken Mobile (FTM) push authentication does not work when the port "Public IP/FQDN for FortiToken Mobile" in System > Administration > System Access is changed to anything besides 443 (e.g. 10443). If FAC is behind an upstream device kindly make sure to forward the ports 2195, 5223 and 2196 to FAC IP.
hi
anybody managed to use the push feature ?
i managed using FAC 4.3.0 build 222 sending ios push to phone
on the phone click on Approve reply with a "request approved" message
but i am not sure how FAC will notify my radius client that auth has been approved
my setup (LAB)
- VM FAC4.3.0 build 222 (i tried to upgrade to 5.0.0 with actual config being migrated, but push was not working anymore, to be tested once again later)
- ios fortitoken mobile 4.1.1 (up to date)
- radius client = NTRadPing, with FTM push authentication enabled on this radius client.
i did some wireshark on ntradping pc :
Here are the steps :
- access-request from ntradping to FAC (OK)
- access-challenge from FAC to ntradping (OK)
- i receive the push on phone (set from FAC to apple servers on port tcp/2195)
- i accept on phone (sending the reply to FAC via the configured IP and port in FAC (menu described by cbabfat)
- nothing more ... no access-accept received from FAC to NTRadping (even using wireshark ...)
If i do the same using ntradping but sending back the token code via mtradping, i can see access-accept from FAC to NTRadping : auth is working fine (be aware of a small trick in ntradping to send the tokencode back : https://support.secureauth.com/hc/en-us/articles/115000594347-How-To-Test-RADIUS-Using-NTRadPing )
anyone using this FAC PUSH feature ?
anyone using this with FGT, or other devices not fortinet like ssl gateway 3rdparty ?
thanks,
regards,
Guillaume
We decided not to open the Authenticator up to Internet traffic. That was one of the points of the points and best practices that has been in the Fortinet documentation since the beginning.
While testing, if the phone with the token on it was on our internal network ((since kicked off)) the push part worked with Cisco AnyConnect/ASA. Problem (for users) is that nothing happened on the AnyConnect client/Windows. Once you authenticated with the push, you just click OK with a blank token code field during the VPN login process, nothing in the client is set to be able to register that the push has occurred.
Thanks for this feedback which helped
i Managed to do access-challenge with ntradping the following way :
- ask for auth via ntradping (using login/pwd)
- approve on the phone (via push)
- when on the phone the message : "request approved" is shown then you can send a repsonse with ntradping with the following : state=XX (put the number you recieved in access-challenge) + password = your user password (not token code)
then ntradping is recieving access-accept
this is quite similar of what you said "Once you authenticated with the push, you just click OK with a blank token code field during the VPN login process" but password blank is not working in my case (using remote ldap users)
I aggree on "nothing in the client is set to be able to register that the push has occurred", this was the sense of my question : i cannot understand how the radius client could be informed once user has approved via the out of band channel (phone push), so i assume this is not possible with third party radius client ...
Thanks for your valuable feedback !
FWIW
I've been successful using DUO and w/SSLVPN, I just posted a about this a few months back. The push works great and 99.99% reliable. The cool thing with the MFA solution you can customize push notification details so you don't blindly "ack" a push without knowing what/who/details.
http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
I believe it the long run it's more diverse than forti-authenticator and teh combination is great for multi-applications.
just my 2cts
Ken
PCNSE
NSE
StrongSwan
LOL!!! No, if you want a great solution, DUO is the BEST. Hands down.
We have multiple DUO accounts for various business uses, but we didn't want the monthly spend on a 500+ users. FortiAuthenticator made more sense on spending upfront and not every month.
Chris
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.