F5 APM Integration with Forti-Authenticator Mobile Push

Question

Hello,After initial logon page&nbsp;FortiAuthenticator sends back a RADIUS Access-Challenge and includes this message:'+Please enter the token code. You can also submit a blank response to initiate a push notification to your FortiToken Mobile app.'In Fortiauthenticator in order to push login request to a mobile device the client must type&nbsp;'push' in the token field and submit this, to have FortiAuthenticator trigger a push notification. Fortiauthenticator should receive this response via API call to 'https://IP&nbsp;address/api/v1/pushauthresp/'.&nbsp; I think I have to insert an object between logon page and Radius authentication object to respond with 'push' for every request.Flow: Client ---&gt; APM ---&gt; FortiauthenticatorCan someone guide me how I can deal with this case ?Thanks

keesvandenbos · Answer

Hi,Are you only going to use FortiAuthenticator or also LDAP/AD auth?And only push notifications or also tokencodes?My normal VPE routine for username/password/token auth would be:&nbsp;Logon page -&gt; AD auth -&gt; SSO Credential mapping -&gt; move token variable into password variable -&gt; radius auth -&gt; allowIf you need to send a push notification it would be:Logon page -&gt; AD auth -&gt; SSO Credential mapping -&gt; &lt;Macro test and replace token&gt; -&gt; radius auth -&gt; allowMacro test and replace token: Empty Agent with 2 endings. ending one test if session.logon.last.token is empty, if it is assign a variable agent with session.logon.last.password value = push (to send a push message)Other ending would be the fallback with a variable assign agent -&gt;&nbsp;move token variable into password variable.Both endings should me allowed.Hope it make a little sence, if not I could make a drawing of the VPE policy.Cheers,Kees

keesvandenbos · Answer

Hi Mahmoud,So you are first performing AD auth against the FortiAuth.&nbsp;Asking for the tokencode after the first logon page is fine. You could test the received value (empty or tokencode) after this logon page and then based on the outcome do nothing or fill the variable with the word empty.Cheers,Kees

msaad3 · Answer

Hi&nbsp;Kees,Thanks for your answer, Fortiauth will do both AD and token check but I'd use AD branch + AD Query to map different AD groups to multiple resources. At logon page the user is prompted with two fields: user and password, the token or empty response is requested from FortiAuth in another response after logon page should this make any difference in the above VPE policy ?Mahmoud

Forum Discussion

F5 APM Integration with Forti-Authenticator Mobile Push

Recent Discussions

irule execution error

F5 AWAF/ASM learning only from Trusted traffic?

OWA File Upload URIs for WAF Bypass

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

Protecting Your Native Mobile Apps with F5 XC Mobile App Shield

Identity-centric F5 ADSP Integration Walkthrough

Bot Defense for Mobile Apps in XC WAAP Part 1: The Bot Defense Mobile SDK

Mobile Security: Current Challenges & A Vision For The Future