Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Yngve0
New Contributor II

Multi-assignment for FortiToken Mobile

I am considering using FortiToken two-factor authentication for both administrative and SSL-VPN authentication.

So far, so good. But the problem is that I, as a sys-admin, need to have both an administrative account and a VPN account on the unit. There are also 5 branch offices with FortiGates where I need an administrative account too.

And here is the problem: it seems like there is a one-to-one-to-one relationship between accounts, FortiToken and mobile phone. I can only have one FortiToken on my phone, and one FortiToken cannot be assigned to both a VPN account and an administrative account, neither on the same device nor across devices.

Any good solutions or workarounds here?
1 Solution
dred_FTNT

I recommend you take a look at the new FortiToken Cloud service (FTC), available if you are running FOS 6.2 or later. It is a perfect fit for your scenario. You can try it anyway for free (https://ftc.fortinet.com). With the current version of FTC, you can use the same token issued by FTC for all your FGT admin instances across multiple FGT devices and VPN user instances across multiple FGT devices/VDOMs, as long as the username in the FGT is the same.

In an upcoming release we will allow the FTC customer to designate when the same username should be treated as a different FTC user if in multiple FGT/VDOMs. But, as I said, the current version is tailor-made for what you need.

David Redberg Fortinet Product Manager
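As an added example (not part of David's post, and not Fortinet's own documentation), here is what "same username on every FortiGate" looks like in FortiOS CLI when the units are pointed at FortiToken Cloud instead of per-unit FortiToken Mobile licences. It assumes FortiOS 6.2 or later with the FTC service already enabled on each unit, and that `fortitoken-cloud` is the value `set two-factor` accepts in that release (verify on yours). Account names and the e-mail address are placeholders.

```text
# FortiGate-A and FortiGate-B: identical admin stanza on every unit.
# No FTKMOB serial is set here; FTC issues one token to the phone and keys it on the username,
# so the same "yngve" entry in the app answers for the admin login on all units.
config system admin
    edit "yngve"
        set accprofile "super_admin"
        set two-factor fortitoken-cloud
        set email-to "yngve@example.com"   # FTC sends the token activation here
    next
end

# SSL-VPN identity on FortiGate-A. The local-user namespace is separate from the admin
# namespace on the FortiGate, so the same username is allowed; with the FTC behaviour
# described in the post above, FTC treats it as the same user and the same token.
config user local
    edit "yngve"
        set type password
        set passwd "REPLACE-ME"
        set two-factor fortitoken-cloud
        set email-to "yngve@example.com"
    next
end
```

The trade-off compared with one mobile token per unit is the one Tomas raises further down the thread: a single compromised token now opens every unit that trusts that username, so the phone and the FTC account deserve the same protection as the admin password itself.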


xsilver_FTNT
Staff

Hello,

Your observations are almost correct.

1. A mobile token is bound to a license pack, and, as with any license, this pack is bound via the activation process to the serial number of the unit (or cluster) from which the license was activated. Therefore you are not allowed to use the same mobile token on another unit (unless this other unit is a cluster member with the original requestor and license holder). Regardless of whether you copy config parts, it will not work, as all token management (user assignment etc.) is done through the FortiGuard/FortiCare global network, which serves as the universal meeting point between FortiGate units and mobile devices.

2. With FortiToken Mobile you are not able to assign one token to two entities like a local user and an admin account. But you can do so with the FortiToken 200 or 200-CD model. However, this use of the 200 model line is limited to just one admin and one user combination; the same token cannot be assigned to multiple users at the same time.

3. The solution for the same token on multiple FortiGate units is to use the FortiToken 200 or, better, the 200-CD model.

Model 200 is activated through FortiGuard, and once activated the token is locked on FortiGuard by a one-time activation lock. No one can activate the same token on another unit, not even from the same unit, unless the lock is administratively released by a Fortinet TAC engineer. So you can activate the token on FortiGate-A and then via a ticket ask for a lock release (we need to know the token SN and the last activation unit SN, if possible). After the lock is released you will be able to make one more activation, on the FortiGate-B unit. Repeat the release-activate process as many times as needed.

Model 200-CD has all the needed data distributed with the token on media like a CD. Therefore the token seed is not stored in any publicly accessible database; no online activation and no access to FortiGuard is needed, and therefore no protective lock is applied. You need just the CD, and then you can activate the token via the CD on any number of FortiGate units.

Hope it's a bit clearer now.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

Yngve0
New Contributor II

Hi, and thanks for the response. My experience is based on the FortiToken Mobile service on a FortiGate, not the FortiToken appliance.

As long as I can't use FortiToken Mobile to secure both administrative access to my whole FGT environment (6 locations) and user/VPN access, the product makes no sense for me.

I find this limitation illogical and hope this will be solved during development of the product.

Yngve

xsilver_FTNT

I'm afraid that this limitation is intended design. It makes the environment stronger, as a single token compromise does not affect the whole network.

Multi-host use of a token does make sense with hardware tokens, as you are not going to carry a whole keyring full of tokens. But a mobile token is just an app on your telephone, and it can contain multiple software tokens, so you still carry one device.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

FTGmaster
New Contributor

Hi,

It could be useful for us too. We can't buy a FortiAuthenticator (it's not a smart and economical solution) for a couple or up to 4-5 FGT units. We would like 'FortiToken Mobile' to be assignable to more than one FortiGate.

 

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
xsilver_FTNT

You can definitely get in touch with our sales and open an NFR (new feature request), but as I said, the mobile token (single token) is part of a bundle, that bundle has a license SN (serial number), and that bundle SN is (as with almost any other license) bound to the SN of the unit where it is used. The only possibility to have a single mobile token license on multiple units is to cluster the FGT units; then all the members will share the license.

As you can carry multiple mobile tokens inside a single FortiToken Mobile app (I have some 6 tokens on iOS 8), I do not see any limitation for the tokens and units. Simply have a different token on each FGT unit and all of them in a single mobile phone app.

As you would have different tokens, it makes admin access stronger and more secure: if a single token gets compromised you are not losing access to all the units; just one is endangered.

If you want a single token on multiple devices and do not want to centralize the access (FortiAuthenticator), then I would go with the FortiToken 200 or even the 200-CD hardware model. A single token activated on multiple FortiGate units.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer
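As an added example (not from Tomas's post, and not Fortinet documentation), the per-unit layout he recommends written as FortiOS CLI: each FortiGate consumes tokens from its own FortiToken Mobile licence pack, the admin and the SSL-VPN user on one unit each get a separate token, and all three end up as entries in the single FortiToken Mobile app on the admin's phone. Hostnames, account names, the e-mail address and the `FTKMOB...` serials are placeholders; `set two-factor fortitoken` and `set fortitoken` under `config system admin` and `config user local` are the standard settings, but check the exact syntax on your release.

```text
# --- FortiGate-A (head office) ---
# Two serials from THIS unit's licence pack. They are bound to FortiGate-A's serial number
# (or its HA cluster), so they cannot be activated on FortiGate-B.
config system admin
    edit "yngve"
        set accprofile "super_admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"     # admin token; entry 1 in the phone app
        set email-to "yngve@example.com"      # activation code is sent here
    next
end
config user local
    edit "yngve-vpn"
        set type password
        set passwd "REPLACE-ME"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000002"     # separate token for the SSL-VPN identity; entry 2
        set email-to "yngve@example.com"
    next
end

# --- FortiGate-B (branch office) ---
# A third serial, from FortiGate-B's own licence pack. Same admin username, different token.
config system admin
    edit "yngve"
        set accprofile "super_admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000003"     # entry 3 in the same phone app
        set email-to "yngve@example.com"
    next
end

# On each unit, list the tokens with their activation status and the account each is assigned to:
diagnose fortitoken info
```

Result: one phone, three entries in the app, and a compromise of any one token exposes only one account on one unit, which is the blast-radius argument Tomas makes above. The cost is operational: with twenty units the admin has twenty entries to pick from, which is the complaint Paul raises later in the thread and what FortiAuthenticator or FortiToken Cloud is meant to remove.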

FortiRack_Eric
New Contributor III

The workaround is to connect via SSL-VPN to the main unit with the token and have an IPsec network to the other units.

Otherwise FortiAuthenticator is the way to go. Compared to other solutions it's a really cost-effective solution.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
pruch_FTNT
Staff

Is there a limit to the number of tokens which can be integrated in the mobile app?

I have a customer who asks if he can have more than 15 different tokens inside his mobile app....

 

Regards

Patrick

PaulW

It's an old topic, sorry to unearth it ;)

Since 2014 until now, no possibility to have one mobile token for multiple FortiGate firewalls?

I have to manage more than twenty firewalls around the world; it's not really easy to find which one is the one...

Thanks, Paul
