Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
funkylicious
SuperUser
SuperUser

Created on ‎12-28-2023 10:01 AM Edited on ‎12-28-2023 10:21 AM

SSLVPN - FCT 2FA display message

Hello,

 

I was wondering if someone could shed some light on how the following can be achieved, if it can.

When 2FA is configured for users that are connecting to SSLVPN, that are either via RADIUS/FortiAuth/FortiToken or using a 3rd party OTP app, I noticed that you can change the banner message that is being displayed in FortiClient, specifically instead of the standard from below to a custom one:

 

Enter token code or no code to send a notification to your FortiToken Mobile

 

 

Can anyone point in the right direction on how to achieve this ? I searched in the Replacement Messages in FortiAuth and FortiGate, but couldnt find it.


Thank you.

geek
geek
Labels:
1118
0 Kudos
1 Solution
funkylicious
SuperUser
SuperUser
In response to dbu

Created on ‎12-29-2023 02:20 AM Edited on ‎12-29-2023 02:23 AM

Unfortunately for the other SSLVPN profile, I dont have access to anything related to the configuration, just to the one of my company.

I saw those replacement msgs, but none have that exact specific message that I see. I might try and delete the default tag and insert some custom text and see what happens in the RADIUS Challenge Reply-Message with FortiToken Mobile Push .

 

L.E. Yep, that did the trick. The custom text I've inserted was visibile in FortiClient upon connecting to the SSLVPN.

geek

View solution in original post

geek
984
14 REPLIES 14
Toshi_Esumi
SuperUser
SuperUser

Created on ‎12-28-2023 10:24 AM

I would assume it must be in the FortiClient configuration under:

<system>

  <ui>

    <replacement_messages>

        .....(content).....

    </replacement_messages>

  </ui>

</system>

But I don't know the format/syntax to replace that particular message. Somebody from FTNT might have the internal info.

 

Toshi

831
0 Kudos
funkylicious
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎12-28-2023 10:51 AM

I somehow doubt it, because I haven't changed anything and on a particular SSLVPN profile/connection the message is changed and when using others the default message is observed.

geek
geek
813
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to funkylicious

Created on ‎12-28-2023 10:57 AM

It probably has multiple message types/attributes depending on the particular 2FA authenticator.

810
0 Kudos
funkylicious
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎12-28-2023 11:51 AM Edited on ‎12-28-2023 11:51 AM

My suspicion is that the RADIUS Access-Challenge attribute is the one that sends that text what I see in the FortiClient and for Fortinet products that one from above is a stardard one, whereas other vendors give you the option to change it.
Maybe someone from staff can confirm it and if there is a way to customize it.

geek
geek
791
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to funkylicious

Created on ‎12-28-2023 12:28 PM

yea. Somebody from FTNT should be able to tall one way or the other.

 

Toshi

777
0 Kudos
dbu
Staff
Staff
In response to funkylicious

Created on ‎12-28-2023 02:21 PM

You can take a packet capture on the FortiAuthenticator and check the details of the RADIUS packets.
Maybe we can see the difference on those packets. 
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-run-a-Packet-Capture-with/...

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
754
0 Kudos
funkylicious
SuperUser
SuperUser
In response to dbu

Created on ‎12-29-2023 02:00 AM

From the packet capture in FortiAuth inside RADIUS the Access-Challenge.

 

AVP: t=Reply-Message(18) l=79 val=+Enter token code or no code to send a notification to your FortiToken Mobile
Type: 18
Length: 79
Reply-Message: +Enter token code or no code to send a notification to your FortiToken Mobile

 

 

geek
geek
733
0 Kudos
dbu
Staff
Staff
In response to funkylicious

Created on ‎12-29-2023 02:11 AM

As per Administration guide it says :

Challenge message to support FortiToken Mobile Push for VPN clients

There are two Reply-Messages that the FortiAuthenticator can send to the FortiGate in the RADIUS ACCESS CHALLENGE messages. Each message is prefixed by an uneditable string followed by an editable string (i.e. replacement message in FortiAuthenticator):

  1. If push is not available, FortiAuthenticator will send Prefix: “” followed by Default Replaceable String: “Enter Token Code”. For example; "Enter Token Code".
  2. If push is available, FortiAuthenticator will send Prefix: “+” followed by Default Replaceable String: “Choose FTM Push or Enter Token Code”. For example:;" + Choose FTM Push or Enter Token Code".

 

On FortiAuthenticator i see only these replacement messages connected to RADIUS challenge message :

 

radiusmsg.PNG

 

Can you take another capture using the other profile where language shows different ? 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
729
funkylicious
SuperUser
SuperUser
In response to dbu

Created on ‎12-29-2023 02:20 AM Edited on ‎12-29-2023 02:23 AM

Unfortunately for the other SSLVPN profile, I dont have access to anything related to the configuration, just to the one of my company.

I saw those replacement msgs, but none have that exact specific message that I see. I might try and delete the default tag and insert some custom text and see what happens in the RADIUS Challenge Reply-Message with FortiToken Mobile Push .

 

L.E. Yep, that did the trick. The custom text I've inserted was visibile in FortiClient upon connecting to the SSLVPN.

geek
geek
985
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.