Forum Discussion

msaad3's avatar
Icon for Nimbostratus rankNimbostratus
Dec 16, 2023

F5 APM Integration with Forti-Authenticator Mobile Push


After initial logon page FortiAuthenticator sends back a RADIUS Access-Challenge and includes this message:
'+Please enter the token code. You can also submit a blank response to initiate a push notification to your FortiToken Mobile app.'

In Fortiauthenticator in order to push login request to a mobile device the client must type 'push' in the token field and submit this, to have FortiAuthenticator trigger a push notification. Fortiauthenticator should receive this response via API call to 'https://IP address/api/v1/pushauthresp/'.  I think I have to insert an object between logon page and Radius authentication object to respond with 'push' for every request.

Flow: Client ---> APM ---> Fortiauthenticator

Can someone guide me how I can deal with this case ?


3 Replies

  • Hi,
    Are you only going to use FortiAuthenticator or also LDAP/AD auth?
    And only push notifications or also tokencodes?

    My normal VPE routine for username/password/token auth would be: 
    Logon page -> AD auth -> SSO Credential mapping -> move token variable into password variable -> radius auth -> allow

    If you need to send a push notification it would be:
    Logon page -> AD auth -> SSO Credential mapping -> <Macro test and replace token> -> radius auth -> allow
    Macro test and replace token: Empty Agent with 2 endings. ending one test if session.logon.last.token is empty, if it is assign a variable agent with session.logon.last.password value = push (to send a push message)
    Other ending would be the fallback with a variable assign agent -> move token variable into password variable.
    Both endings should me allowed.

    Hope it make a little sence, if not I could make a drawing of the VPE policy.



    • msaad3's avatar
      Icon for Nimbostratus rankNimbostratus

      Hi Kees,

      Thanks for your answer, Fortiauth will do both AD and token check but I'd use AD branch + AD Query to map different AD groups to multiple resources. At logon page the user is prompted with two fields: user and password, the token or empty response is requested from FortiAuth in another response after logon page should this make any difference in the above VPE policy ?


  • Hi Mahmoud,

    So you are first performing AD auth against the FortiAuth. 
    Asking for the tokencode after the first logon page is fine. You could test the received value (empty or tokencode) after this logon page and then based on the outcome do nothing or fill the variable with the word empty.