Configuring FortiToken Mobile push on FortiGate

By default, the RADIUS servers on FortiGate are configured with a short timeout (5 seconds), which is not long enough when using FTM push. The timeout must be long enough to allow for:

  1. Sending the notification.
  2. The end-user to pick up their mobile device and navigate to the FTM app.
  3. The end-user to decide whether to approve or deny the request.

The FortiGate also has a short global authentication timeout (5 seconds). When this timeout is larger than the RADIUS server timeout, the FortiGate can retry one or more times before giving up. The global timeout must be at least as long as the RADIUS server timeout.

Both settings can only be configured using the CLI.

To configure the RADIUS server timeout:

config user radius
    edit <RADIUS server name>
        set timeout <value, e.g. 30>
end

To configure the global authentication timeout:

config system global
    set remoteauthtimeout <value, e.g. 60>
end
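To check an exported configuration against both rules above, the following added example (not Fortinet code) parses `config user radius` and `config system global` and reports any server whose timeout is too short for push, or any case where `remoteauthtimeout` is below a server timeout. The function names, the sample configuration and the 30-second floor (taken from the example value above) are assumptions.

```python
DEFAULT_TIMEOUT = 5  # seconds; default for both settings per the page
# Constructed sample in FortiOS "show" style; names and addresses are made up.
SAMPLE_CONFIG = """\
config system global
    set remoteauthtimeout 20
end
config user radius
    edit "fac-push"
        set timeout 30
        config accounting-server
            edit 1
                set status enable
            next
        end
    next
    edit "fac-legacy"
        set server "192.0.2.11"
    next
end
"""

def parse_timeouts(config_text):
    """Return ({radius server: timeout}, remoteauthtimeout); unset values are the default."""
    stack, server, radius, remote_auth = [], None, {}, DEFAULT_TIMEOUT
    for raw in config_text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        args = rest.split()
        if word == "config":
            stack.append(rest.strip())
        elif word == "end" and stack:
            stack.pop()
        elif stack == ["user radius"]:  # nested sub-tables are skipped
            if word == "edit":
                server = rest.strip().strip('"')
                radius[server] = DEFAULT_TIMEOUT
            elif word == "set" and args[:1] == ["timeout"] and server:
                radius[server] = int(args[1])
        elif stack == ["system global"] and word == "set" and args[:1] == ["remoteauthtimeout"]:
            remote_auth = int(args[1])
    return radius, remote_auth

def audit_push_timeouts(config_text, min_push_seconds=30):  # 30 s floor is an assumption
    radius, remote_auth = parse_timeouts(config_text)
    findings = []
    for name, timeout in radius.items():
        if timeout < min_push_seconds:
            findings.append(f"{name}: RADIUS timeout {timeout}s is below {min_push_seconds}s")
        if remote_auth < timeout:
            findings.append(f"{name}: remoteauthtimeout {remote_auth}s is below RADIUS timeout {timeout}s")
    return findings
```

Calling `audit_push_timeouts(SAMPLE_CONFIG)` flags `fac-push` (global timeout shorter than the server timeout) and `fac-legacy` (still at the 5-second default).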

For FortiGate SSL-VPN configurations using 2FA, depending on the version of FortiOS (FOS), the push notification is triggered either automatically after the first factor is validated, or when the end user submits the string "push" in the VPN client.

Note: For instructions on enabling FortiToken Mobile push notifications on FortiAuthenticator, see: Optional: Enabling FortiToken Mobile push notifications.
