Staff

Technical Tip: Understanding the log message 'Authentication successful with FortiToken' (Event ID 20002)

Forum|Forum|3 months ago
March 4, 2026
0 replies
105 views

Description

This article describes the typical circumstances behind the 'Authentication successful with FortiToken' log entries.

Scope

FortiAuthenticator.

Solution

Event ID 20002 refers to a log entry that records successful authentication events specifically involving FortiToken-based Multi-Factor Authentication (MFA). This log only present login successful event using the soft FortiToken only.

This log is generated when authentication is successful, and a FortiToken method is used as part of the authentication process.

If FortiToken is involved and authentication is successful, the event will be logged under Event ID 20002.

Sample System Event Messages.

Remote LDAP user authentication with FortiToken:

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Remote LDAP user authentication from 10.10.10.100 with FortiToken successful" user="test"

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=200022 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Remote LDAP user authentication from (null) with FortiToken successful" user="test"

Remote LDAP authentication with FortiToken Push ('FTM'):

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Remote LDAP user authentication from (null) with FortiToken successful (chosen FTM push notification)" user="test"

Windows AD authentication with FortiToken:

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Windows AD user authentication with FortiToken successful" user="test"

Windows AD administrator authentication with FortiToken Push:

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Windows AD administrator authentication from (null) with FortiToken successful (chosen FTM push notification)" user="test"

Local user authentication with FortiToken:

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Local user authentication from 10.10.10.100 (mschap) with FortiToken successful" user="test"

Local user authentication with Cloud token:

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Local user authentication from 10.10.10.100 with cloud token successful" user="test"

REST API authentication with FortiToken:

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="REST API" action="Authentication" status="Success" msg="Remote LDAP user authentication from 10.10.10.100 with FortiToken successful" user="test"

Local user authentication with FortiToken Push ('FTM'):

date=2026-03-04 time=10:22:44+0000 oid=8888 logid=20002 cat="Event" subcat="Authentication" level="information" nas="10.10.10.10" action="Authentication" status="Success" msg="Local user authentication with FortiToken successful (chosen FTM push notification)" user="test"

These logs can be viewed under:

Log Access -> Logs -> filter '20002'.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded