Hello,
I was wondering if someone could shed some light on how the following can be achieved, if it can.
When 2FA is configured for users that are connecting to SSLVPN, that are either via RADIUS/FortiAuth/FortiToken or using a 3rd party OTP app, I noticed that you can change the banner message that is being displayed in FortiClient, specifically instead of the standard from below to a custom one:
Enter token code or no code to send a notification to your FortiToken Mobile
Can anyone point me in the right direction on how to achieve this? I searched in the Replacement Messages in FortiAuth and FortiGate, but couldn't find it.
Thank you.
I would assume it must be in the FortiClient configuration under:
<system>
  <ui>
    <replacement_messages>
      .....(content).....
    </replacement_messages>
  </ui>
</system>
But I don't know the format/syntax to replace that particular message. Somebody from FTNT might have the internal info.
Toshi
I somehow doubt it, because I haven't changed anything and on a particular SSLVPN profile/connection the message is changed and when using others the default message is observed.
It probably has multiple message types/attributes depending on the particular 2FA authenticator.
Created on 12-28-2023 11:51 AM Edited on 12-28-2023 11:51 AM
My suspicion is that the RADIUS Access-Challenge attribute is the one that sends the text that I see in the FortiClient, and for Fortinet products that one from above is a standard one, whereas other vendors give you the option to change it.
Maybe someone from staff can confirm it and if there is a way to customize it.
Yeah. Somebody from FTNT should be able to tell one way or the other.
Toshi
You can take a packet capture on the FortiAuthenticator and check the details of the RADIUS packets.
Maybe we can see the difference on those packets.
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-run-a-Packet-Capture-with/...
From the packet capture in FortiAuth inside RADIUS the Access-Challenge.
AVP: t=Reply-Message(18) l=79 val=+Enter token code or no code to send a notification to your FortiToken Mobile
Type: 18
Length: 79
Reply-Message: +Enter token code or no code to send a notification to your FortiToken Mobile
As per the Administration guide, it says:
There are two Reply-Messages that the FortiAuthenticator can send to the FortiGate in the RADIUS ACCESS CHALLENGE messages. Each message is prefixed by an uneditable string followed by an editable string (i.e. replacement message in FortiAuthenticator):
On FortiAuthenticator I see only these replacement messages connected to the RADIUS challenge message:
Can you take another capture using the other profile where the language shows different?
Created on 12-29-2023 02:20 AM Edited on 12-29-2023 02:23 AM
Unfortunately, for the other SSLVPN profile, I don't have access to anything related to the configuration, just to the one of my company.
I saw those replacement msgs, but none have that exact specific message that I see. I might try and delete the default tag and insert some custom text and see what happens in the RADIUS Challenge Reply-Message with FortiToken Mobile Push.
L.E. Yep, that did the trick. The custom text I've inserted was visible in FortiClient upon connecting to the SSLVPN.
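For anyone checking their own capture, here is an added example (not from any poster in this thread, and not Fortinet code) that walks the attributes of a RADIUS Access-Challenge and returns every Reply-Message (type 18), which is the text the thread found FortiClient displaying. The function names, the zeroed authenticator and the State value are assumptions made for the sample packet; only the prompt string is taken from the capture above.

```python
import struct

ACCESS_CHALLENGE = 11   # RADIUS packet code for Access-Challenge (RFC 2865)
REPLY_MESSAGE = 18      # attribute type seen in the capture in this thread
STATE = 24              # State attribute, normally present in a challenge

def build_packet(code, ident, avps):
    """Constructed sample only: RADIUS packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_avps(packet):
    """Return (code, [(type, value), ...]); raise ValueError on bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("packet length field does not match the data")
    avps, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        # The AVP length counts its own two header bytes, so 2 is the minimum.
        if alen < 2 or off + alen > length:
            raise ValueError("attribute length out of range")
        avps.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, avps

def challenge_prompts(packet):
    """Text of each Reply-Message in an Access-Challenge, else an empty list."""
    code, avps = parse_avps(packet)
    if code != ACCESS_CHALLENGE:
        return []
    return [v.decode("utf-8", "replace") for t, v in avps if t == REPLY_MESSAGE]

# Prompt copied from the thread's capture; the rest of the packet is constructed.
PROMPT = (b"+Enter token code or no code to send a notification "
          b"to your FortiToken Mobile")
SAMPLE = build_packet(ACCESS_CHALLENGE, 1,
                      [(STATE, b"constructed-state"), (REPLY_MESSAGE, PROMPT)])

if __name__ == "__main__":
    for text in challenge_prompts(SAMPLE):
        # AVP length = value bytes + 2, matching "l=79" in the capture.
        print(len(text.encode()) + 2, repr(text))
```
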