Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
funkylicious
Contributor III

SSLVPN - FCT 2FA display message

Hello,

 

I was wondering if someone could shed some light on how the following can be achieved, if it can.

When 2FA is configured for users that are connecting to SSLVPN, that are either via RADIUS/FortiAuth/FortiToken or using a 3rd party OTP app, I noticed that you can change the banner message that is being displayed in FortiClient, specifically instead of the standard from below to a custom one:

 

Enter token code or no code to send a notification to your FortiToken Mobile

 

 

Can anyone point in the right direction on how to achieve this ? I searched in the Replacement Messages in FortiAuth and FortiGate, but couldnt find it.


Thank you.

geek
geek
1 Solution
funkylicious

Unfortunately for the other SSLVPN profile, I dont have access to anything related to the configuration, just to the one of my company.

I saw those replacement msgs, but none have that exact specific message that I see. I might try and delete the default tag and insert some custom text and see what happens in the RADIUS Challenge Reply-Message with FortiToken Mobile Push .

 

L.E. Yep, that did the trick. The custom text I've inserted was visibile in FortiClient upon connecting to the SSLVPN.

geek

View solution in original post

geek
14 REPLIES 14
Toshi_Esumi
Esteemed Contributor III

I would assume it must be in the FortiClient configuration under:

<system>

  <ui>

    <replacement_messages>

        .....(content).....

    </replacement_messages>

  </ui>

</system>

But I don't know the format/syntax to replace that particular message. Somebody from FTNT might have the internal info.

 

Toshi

funkylicious

I somehow doubt it, because I haven't changed anything and on a particular SSLVPN profile/connection the message is changed and when using others the default message is observed.

geek
geek
Toshi_Esumi
Esteemed Contributor III

It probably has multiple message types/attributes depending on the particular 2FA authenticator.

funkylicious

My suspicion is that the RADIUS Access-Challenge attribute is the one that sends that text what I see in the FortiClient and for Fortinet products that one from above is a stardard one, whereas other vendors give you the option to change it.
Maybe someone from staff can confirm it and if there is a way to customize it.

geek
geek
Toshi_Esumi
Esteemed Contributor III

yea. Somebody from FTNT should be able to tall one way or the other.

 

Toshi

dbu

You can take a packet capture on the FortiAuthenticator and check the details of the RADIUS packets.
Maybe we can see the difference on those packets. 
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-run-a-Packet-Capture-with/...

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
funkylicious

From the packet capture in FortiAuth inside RADIUS the Access-Challenge.

 

AVP: t=Reply-Message(18) l=79 val=+Enter token code or no code to send a notification to your FortiToken Mobile
Type: 18
Length: 79
Reply-Message: +Enter token code or no code to send a notification to your FortiToken Mobile

 

 

geek
geek
dbu

As per Administration guide it says :

Challenge message to support FortiToken Mobile Push for VPN clients

There are two Reply-Messages that the FortiAuthenticator can send to the FortiGate in the RADIUS ACCESS CHALLENGE messages. Each message is prefixed by an uneditable string followed by an editable string (i.e. replacement message in FortiAuthenticator):

  1. If push is not available, FortiAuthenticator will send Prefix: “” followed by Default Replaceable String: “Enter Token Code”. For example; "Enter Token Code".
  2. If push is available, FortiAuthenticator will send Prefix: “+” followed by Default Replaceable String: “Choose FTM Push or Enter Token Code”. For example:;" + Choose FTM Push or Enter Token Code".

 

On FortiAuthenticator i see only these replacement messages connected to RADIUS challenge message :

 

radiusmsg.PNG

 

Can you take another capture using the other profile where language shows different ? 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
funkylicious

Unfortunately for the other SSLVPN profile, I dont have access to anything related to the configuration, just to the one of my company.

I saw those replacement msgs, but none have that exact specific message that I see. I might try and delete the default tag and insert some custom text and see what happens in the RADIUS Challenge Reply-Message with FortiToken Mobile Push .

 

L.E. Yep, that did the trick. The custom text I've inserted was visibile in FortiClient upon connecting to the SSLVPN.

geek
geek
Labels
Top Kudoed Authors