Superior Strong Authentication Using Your Smartphone

FortiToken Mobile is an OATH compliant, time-based One-Time-Password (OTP) generator application for the mobile device. This application makes Android and iOS devices (iPhone, iPad or iPod Touch) behave like a hardware-based OTP token without the hassles of remembering and carrying yet another device.

It is the client component of Fortinet's highly secure, simple to use and administer, and extremely cost effective two-factor solution for meeting your strong authentication needs. What makes this mobile OTP application superior to others on the market is that, while being simple to use for the end user and easy to administer and provision for the system administrator, it is actually more secure than the conventional hard token. The token seeds are generated dynamically, minimizing online exposure. Binding the token to the device is enforced, and the seeds are always encrypted at rest and in motion.

Leverage Existing Fortinet Platforms

Besides offering out-of-the-box interoperability with any time-based OATH compliant authentication server, such as the FortiAuthenticator from Fortinet, the FortiToken can also be used directly with the FortiGate® consolidated security platform, including High Availability configurations. FortiGate has an integrated authentication server for validating the OTP as the second authentication factor for SSL VPN, IPsec VPN, Captive Portal and Administrative login, thereby eliminating the need for the external RADIUS server ordinarily required when implementing two-factor solutions.

Reduces costs and complexity by using your existing FortiGate as the two-factor authentication server.
Scalable solution leveraging existing end-user devices offers low entry cost and TCO.
Perpetual token license and unlimited device transfers eliminate annual subscription fees.
Unique token provisioning service via FortiGuard™ minimizes provisioning overhead and ensures maximum seed security.
WiFi-only devices supported (for over-the-air token activation).
Supported platforms: iOS (iPhone, iPod Touch, iPad), Android, Windows Phone 8.

Download the Fortinet FortiToken Mobile Datasheet (PDF).

This free FortiClient VPN app allows you to create a secure Virtual Private Network (VPN) using an SSL VPN 'Tunnel Mode' connection between your iOS. The VPN-only version of FortiClient offers SSL VPN and IPsec VPN, but does not include any support.

All in one shot! This example uses FortiOS 4.0 MR3 Patch 15 (FOS 4.3.15).
Certificate based VPN (do not allow the use of a pre-shared key, and allow on-demand VPN with iOS devices).
User credentials checked against Active Directory (over LDAPS).

You need a working Microsoft Active Directory domain with Enterprise CA enabled. Without this, you cannot really do LDAPS, and hence authentication information will travel in plain text from the FortiGate to the MS AD domain controller. The IP address of your DC in this example is 192.168.1.1.

Once the DC and CA (which can actually be on the same computer for a lab exercise) are ready, you need to create a user group, say "VPN", in Active Directory Users and Computers. At your domain controller, open a command prompt and enter the following: You will need this information when setting up the user group in FortiGate at a later stage.

First, you need to have your CA cert exported; you only need the CA cert, there is no need to export the key. Then in FortiGate, create the CA cert entry:

Create an interface-based Phase 1. Assuming the WAN interface is called "wan": config vpn ipsec

Make a static route for this newly created range. It would be nice to define this range in an address object. Create the firewall policy. That's it for the FortiGate configuration.

First you email (or, better, deploy via MDM) the P12 certificate to the iOS device.

I'm a Fortinet VPN user facing troubles with an Apple iOS (iPad and iPhone) application using UDP traffic. The iPad successfully connects to the VPN server with SSL-VPN. The iOS application has to connect to a server using the VPN connection. This application has to receive UDP traffic on a specific port, but no UDP traffic is received (TCP traffic works).