FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
matanaskovic
Staff
Article Id 198633

Description


This article describes how, when push notifications are enabled, users can approve or deny an authentication request directly from the FortiToken Mobile notification on their smartphone, and what must be configured on FortiAuthenticator (and on a FortiGate in front of it) for the response to reach FortiAuthenticator.


Solution

 

Push is a three-way conversation between:

  • User Smartphone (client)
  • Notification Server (Apple/Google/other)
  • FortiAuthenticator

 

FortiAuthenticator sends the push request to the notification server, which forwards it to the client.

The client does not answer through the notification server: it is directed to send its approve/deny response straight to the address configured as "Public IP/FQDN for FortiToken Mobile". That address must therefore be reachable from the Internet, since the smartphone may be on any mobile or home network.

The port specified in the "Public IP/FQDN for FortiToken Mobile" setting can be any value, but the response that finally reaches the FortiAuthenticator must arrive on port TCP/443. Any port translation must be done by the device in front of it.

Note that changes to the "Public IP/FQDN for FortiToken Mobile" setting are not picked up until the FortiAuthenticator has been rebooted.


To configure FTM push on FortiAuthenticator:


1) Before push notifications can be enabled, a Public IP/FQDN for FortiToken Mobile must be configured under System -> Administration -> System Access.

If the FortiAuthenticator is behind a firewall, the Public IP/FQDN is the external address (and port) of a port-forwarding rule on that firewall that maps to one of the FortiAuthenticator interfaces.


1.1) Example VIP configuration (port forwarding) on a FortiGate:
 

FortiAuthenticator IP= 192.168.1.10

FortiGate's Public IP = X.X.X.X

 

a) Configure the Public IP:Port in FortiAuthenticator

Go to System > Administration > System Access

- Public IP/FQDN for FortiToken Mobile = X.X.X.X:33443  <---- The port can be any value

 

b) Create the VIP object in FortiGate

Go to Policy & Objects > Virtual IPs > Create New.

- External IP address = X.X.X.X

- Mapped IP address = 192.168.1.10

- Port Forwarding = ON

- External service port = TCP/33443 <---- This port must match the port configured in step (a)

- Map to port = TCP/443  <---- This port must be TCP/443

 

c) Create the FortiGate firewall policy

Go to Policy & Objects > IPv4 Policy > Create New.

- Incoming = WAN interface

- Outgoing = LAN interface to FortiAuthenticator

- Source = Any  <---- Responses come from users' smartphones on arbitrary networks

- Destination = VIP object created in step (b)

- Service = ALL  <---- The port-forwarding VIP already limits matching traffic to TCP/33443

- NAT = OFF  <---- Destination NAT is done by the VIP; leaving source NAT off lets FortiAuthenticator see the real client IP
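The VIP and policy from steps (b) and (c), written as the equivalent FortiGate CLI, followed by a sniffer command to confirm that forwarded responses really arrive at the FortiAuthenticator on TCP/443. This is an added example and not part of the original article; the object names "FAC_FTM_PUSH_VIP" and "FAC_FTM_PUSH", the interface names "wan1" and "internal", and X.X.X.X as the placeholder for the real public address are assumptions.

```fortios
# Added example (not from the original article). Assumed names: VIP
# "FAC_FTM_PUSH_VIP", policy "FAC_FTM_PUSH", interfaces "wan1" (WAN)
# and "internal" (LAN towards FortiAuthenticator). X.X.X.X is the
# FortiGate public IP that FortiAuthenticator has as X.X.X.X:33443.

# Step (b): VIP with port forwarding. External TCP/33443 must equal the
# port in "Public IP/FQDN for FortiToken Mobile"; the mapped port must
# be TCP/443, the port on which FortiAuthenticator accepts FTM responses.
config firewall vip
    edit "FAC_FTM_PUSH_VIP"
        set extip X.X.X.X
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 33443
        set mappedip "192.168.1.10"
        set mappedport 443
    next
end

# Step (c): policy from WAN to the FortiAuthenticator VIP.
# Source stays "all" because the approve/deny response comes from the
# user's smartphone on an arbitrary mobile or home network. NAT is left
# disabled so FortiAuthenticator logs the real client address.
config firewall policy
    edit 0
        set name "FAC_FTM_PUSH"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FAC_FTM_PUSH_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# Check: while a user answers a push, confirm the forwarded response
# reaches 192.168.1.10 on TCP/443 (verbosity 4 prints interface names;
# 10 packets is enough to see the TLS handshake begin).
diagnose sniffer packet internal 'host 192.168.1.10 and tcp port 443' 4 10
```

If the sniffer shows SYNs arriving on wan1 for X.X.X.X:33443 but nothing on internal, the VIP or the policy is wrong. If nothing arrives on wan1 at all, the usual causes are a wrong public address, an upstream filter, or a "Public IP/FQDN for FortiToken Mobile" value that was changed without the reboot that FortiAuthenticator needs to pick it up.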

 

 

2) The FortiAuthenticator interface that receives the approve/deny FTM push responses (the one the VIP maps to, 192.168.1.10 in the example) must have the FortiToken Mobile API service enabled. This is set per interface under System > Network > Interfaces, in the interface's Services list.

3) Once the above is in place, FTM push notifications can be enabled for clients in the RADIUS policy, under its Authentication factors setting.

Detailed authentication flow for FortiToken Push: