F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

msaad3's avatar
msaad3
Icon for Nimbostratus rankNimbostratus
Dec 16, 2023

F5 APM Integration with Forti-Authenticator Mobile Push

Hello, After initial logon page FortiAuthenticator sends back a RADIUS Access-Challenge and includes this message: '+Please enter the token code. You can also submit a blank response to initiate a ...
application delivery
KeesvandenBos's avatar
KeesvandenBos
Icon for MVP rankMVP
Dec 18, 2023

Hi,
Are you only going to use FortiAuthenticator or also LDAP/AD auth?
And only push notifications or also tokencodes?

My normal VPE routine for username/password/token auth would be: 
Logon page -> AD auth -> SSO Credential mapping -> move token variable into password variable -> radius auth -> allow

If you need to send a push notification it would be:
Logon page -> AD auth -> SSO Credential mapping -> <Macro test and replace token> -> radius auth -> allow
Macro test and replace token: Empty Agent with 2 endings. ending one test if session.logon.last.token is empty, if it is assign a variable agent with session.logon.last.password value = push (to send a push message)
Other ending would be the fallback with a variable assign agent -> move token variable into password variable.
Both endings should me allowed.

Hope it make a little sence, if not I could make a drawing of the VPE policy.

Cheers,

Kees

msaad3's avatar
msaad3
Icon for Nimbostratus rankNimbostratus
Dec 18, 2023

Hi Kees,

Thanks for your answer, Fortiauth will do both AD and token check but I'd use AD branch + AD Query to map different AD groups to multiple resources. At logon page the user is prompted with two fields: user and password, the token or empty response is requested from FortiAuth in another response after logon page should this make any difference in the above VPE policy ?

Mahmoud