Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Putmano
New Contributor

Push Notification Feature on FortiAuthenticator

We have FortiAuthenticator running version 6.1. We have radius with FortiToken Mobile as 2FA. We have enabled the Push Notification. However it seems not work as our mobile device never get the notification from FortiToken mobile. Any suggection settings on the FortiAuthenticator.

 

Thanks in advance.

8 REPLIES 8
tanr
Valued Contributor II

Have you set the public IP and port that the push notification would need to come back to?  If your FAC doesn't have a its own public IP this is probably your FortiGate IP, or a mapped VIP. 

 

See https://kb.fortinet.com/kb/documentLink.do?externalID=FD45559 and https://forum.fortinet.com/tm.aspx?m=176927 for details.  I played with this a while back, but can't remember if there were other issues.

 

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/927108/fortitoken-mobile-push describes doing this for FortiToken Mobile push on the FortiGate. 

Putmano
New Contributor

Dear Tanr,

 

I have configured the NAT for reply Push Notification from FortiToken Mobile. However when we tried by access the VPN via the 2 factor authentication. we don't get even the notification on the mobile. I think the fortitoken hasn't sent out the notification to fortitoken mobile.

tanr
Valued Contributor II

Your FortiAuthenticator needs to actually be able to call out to DNS and to the Apple/Android notification servers. 

Have you verified that it can do so?

cbabfat
New Contributor III

Remember that PUSH notifications are not a good way of performing two factor.  You should require them to type in the token code.  PUSH notifications compromise the human over and over again.

 

xsilver_FTNT

Hi cbabfat,

could you explain your opinion a little bit more ?

 

So far I do not see much of an issue here. - your device still needs to have requested token - your FortiToken Mobile app can be protected by PIN or biometrics (TouchID, FaceID or so) - that PIN protection can even be enforced by FortiAuthenticator - you still needs to unlock your device to run app

- PUSH notification is supposed to arrive to a single device, identified by two device identifiers which were colelcted during token activation on the device

- even FortiAuthenticator/FortiGate communication towards notification centers of Apple/Google is encrypted and parties are verified by certificates

- communication from client to FortiAuthenticator/FortiGate (responses from FortiToken Mobile app) are also encrypted

- therefore from my point of view there is reasonable amount of sec processes applied and I do see it even more secure then anything else, or would you like to have token delivered in plain SMS ?

I don't, regardless it is still better then having no second factor auth at all.

 

.. so where do you see attack vector ?

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

cbabfat
New Contributor III

Because I said they compromise the HUMAN, not the technology.

 

I have experienced it with phonefactor years ago, and it is the same with PUSH notifications now.  Blow up a user's cell phone with PUSH notifications and they will hit approve the PUSH accidentally or intentionally to get rid of the notification.

 

With phonefactor, we had a user that kept getting phone calls to authenticate.  ((After logging into two factor systems like OWA, VPN, RDP, you received a phone call and pressed pound to authenticate.))  The user pressed pound to get the phone calls to stop.  Thousands of emails sent later, the account was shutdown.

 

PUSH notifications are bad.  It doesn't mean people, companies, etc. will not accept the risk and use them for user convenience.  The fact is they should not be used when the simple workaround is opening the fortitoken app and typing in your token code into whatever system.

 

When allowed, it is something we attempt in pentests ...and it works.

 

Chris

xsilver_FTNT

OK, got it. We will see. Some people tend to abuse anything they think can make them rich fast.

However, pushing a notification to cell through service on Fortinet side, via pre-authorized contract and path towards Apple/Google notification centers is a bit harder to orchestrate then simple phone call with DTMF.

Not sure how it's on Android, but I guess it can also restrict who and which notifications your device will listen to and display.

So I'm not worried that much.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

streeb2021

One question I have on this is that this requires the FortiAuthenticator to be exposed to the Internet whether that be natively via it's public address and port 443 or via a NAT translated/port map option. Either way traffic will hit the FortiAuthenticator from the outside on 443 that previously would not have.  It seems we have no way of stopping any illegitimate 443 traffic getting to the FortiAuth on a firewall that sits in front of it? You have to open the FortiAuth for ALL ips which to me seems a little bit dangerous.  Happy to be reassured :0)

 

I want to turn this on and my customers want me to turn it on but it does make me a little nervous. 

Top Kudoed Authors