FortiToken Mobile Push

FortiToken Mobile Push allows authentication requests to be sent as push notifications to the end user's FortiToken Mobile application.

The FortiToken Mobile push service operates as follows:

  1. FortiGate sends a notification request by making a TLS connection with either Apple (for iOS) or Google (for Android) notification servers. Notification data may include the recipient, session, FortiGate callback IP and port, and so on.
  2. The notification service from either Apple or Google notifies the user's mobile device of the push request.
  3. The FortiToken Mobile application on the user's mobile device displays a prompt for the user to either Approve or Deny the request.

To configure FortiToken Mobile push services using the CLI:

    config system ftm-push
        set status enable
        set server-ip <ip-address>
        set server-port [1-65535]
    end

The default server port is 4433.

The server IP address is the public IP address of the FortiOS interface that FortiToken Mobile calls back to. FortiOS uses this IP address for incoming FortiToken Mobile calls.

If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate within a minute, a "Please wait x seconds to login again" message displays. This replaces a previous error/permission denied message. The x value depends on the calculation of how much time is left in the current time step.

To allow FortiToken Mobile (FTM) access on an interface:

    config system interface
        edit "guest"
            set allowaccess ftm
        next
    end
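A configuration check for the two CLI blocks above, added here as an example and not Fortinet's own code: it parses a saved configuration and reports the push listener settings next to the interfaces that allow ftm. The sample configuration, the wan1 interface, the addresses and the function names are constructed for illustration.

```python
DEFAULT_PORT = 4433  # default server-port stated on this page
# Constructed sample backup: the addresses and the "wan1" interface are invented.
SAMPLE = """
config system ftm-push
    set status enable
    set server-ip 203.0.113.10
end
config system interface
    edit "guest"
        set allowaccess ping ftm
    next
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https
    next
end
"""

def parse_config(text):
    """Map section -> entry (None outside 'edit') -> key -> list of values."""
    sections, depth, section, entry = {}, 0, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in line.split()] or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks are skipped, not parsed
                section, entry = " ".join(tok[1:]), None
        elif tok[0] == "end":
            depth = max(0, depth - 1)
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            entry = tok[1]
        elif depth == 1 and tok[0] == "next":
            entry = None
        elif depth == 1 and tok[0] == "set" and len(tok) > 2:
            sections.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
    return sections

def audit_ftm_push(text):
    cfg = parse_config(text)
    push = cfg.get("system ftm-push", {}).get(None, {})
    ifaces = cfg.get("system interface", {})
    ip = push.get("server-ip", [None])[0]
    return {
        "status": push.get("status", [None])[0],  # None: not set in the file
        "server_ip": ip,
        "server_port": int(push.get("server-port", [DEFAULT_PORT])[0]),
        # Interfaces that accept FTM callbacks.
        "ftm_interfaces": sorted(n for n, s in ifaces.items() if n and "ftm" in s.get("allowaccess", [])),
        # Interfaces whose own address equals the configured callback address.
        "server_ip_interfaces": sorted(n for n, s in ifaces.items() if n and ip and s.get("ip", [None])[0] == ip),
    }
```

In the constructed sample the server IP belongs to wan1 while only guest allows ftm, a mismatch to review. When the FortiGate sits behind NAT, the server IP may legitimately match no interface.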

Note

FortiOS supports FortiAuthenticator-initiated FortiToken Mobile Push notifications for users attempting to authenticate through an SSL VPN and/or RADIUS server (with FortiAuthenticator as the RADIUS server).
