Troubleshooting Tip: Admin is unable to log in due to unsuccessful 2FA configuration with mobile Tokens
Description
This article describes how to resolve an issue where the 2FA configuration with mobile Tokens is incomplete and the admin is logged out.
Scope
FortiGate.
Solution
The admin user is unable to log in to the FortiGate: 2FA has been enabled for the account, but the admin user was logged out of the GUI before the mobile Token was activated in the mobile Token application.
Because 2FA was enabled for the admin user while logged in to the unit, the unit now asks for a Token code along with the credentials.
However, because the mobile Token was never activated in the admin user's mobile application, the admin has no Token code to enter and cannot access the unit.
The following are possible solutions:
- If the admin has taken a config backup before configuring 2FA:
  - Flash format the FortiGate.
  - Load the same firmware version on which the backup was taken.
  - Restore the config backup to regain access to the unit.
- If FortiManager manages the FortiGate, remove the FortiToken assigned to the super admin from FortiManager, allowing access to the FortiGate without a token request.
  - On the FortiManager:
    - Go to Policy & Objects -> User Definition, edit the user, and uncheck/disable the FortiToken.
    - Install a policy package to the FortiGate using the steps: Install a policy package.
- If the admin has not taken a config backup before configuring 2FA:
  - Flash format the FortiGate.
  - Load the same firmware version or any compatible firmware version and perform the configuration on the unit from scratch.
Furthermore, make sure that a config backup has been taken before enabling 2FA for an admin user and, if possible, create an additional super admin user as a fallback.
Beyond the essential best practices explored above, such as regularly scheduling configuration backups and maintaining a secondary admin account in case two-factor authentication becomes unavailable, it is also advised to become familiar with the use of the REST API on FortiGate.
For example, in situations where no backup exists and there is no alternative admin user available, having an API user already configured with appropriate permissions allows for easy retrieval of the configuration backup.
This can be done at any time using only the FortiGate IP address and the generated API token.
Example of a basic setup, creating and storing an API user on the FortiGate:
config system api-user
    edit "API_user"
        set api-key ENC <encrypted_key>
        set accprofile "super_admin"
        set vdom "root"
    next
end
After saving the configuration, select the 'Regenerate API Key' button. A new token will be generated. This token must be saved securely, as it serves as the password for API access.
Once configured, even if access to the standard admin accounts is lost, it will still be possible to retrieve backups, or perform additional tasks depending on the privileges assigned to the API user.
Example to download a configuration backup:
https://<FortiGate-IP>/api/v2/monitor/system/config/backup?scope=global&access_token=<API_Token>
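The backup retrieval described above (API user plus generated token, then the monitor/system/config/backup endpoint), as an added example in Python. This is not code from the article or from the linked Fortinet script. It assumes a FortiGate reachable over HTTPS, an API user created as shown in the CLI example, and its regenerated token; the host name, the environment variable name FORTIGATE_API_TOKEN and the sample config header are constructed for the example. It differs from the URL form above in one point: the token is sent in the Authorization header (which FortiOS accepts as `Bearer <token>`) rather than in the query string, so the secret does not end up in proxy or web-server access logs, and it refuses to overwrite an existing backup file with an error page.

```python
"""Download a FortiGate configuration backup through the REST API.

Added example, not code from the original article or from the linked
Fortinet script. Assumes: a FortiGate reachable over HTTPS, an API user
created as in the article, and the token generated for it.
"""
import os
import ssl
import sys
import urllib.parse
import urllib.request
from typing import Optional

BACKUP_PATH = "/api/v2/monitor/system/config/backup"


def build_backup_url(host: str, scope: str = "global", vdom: Optional[str] = None) -> str:
    """Build the backup endpoint URL (same endpoint as in the article).
    The token is deliberately NOT placed in the query string; it is sent as
    an Authorization header by download_backup()."""
    params = {"scope": scope}
    if scope == "vdom":
        if not vdom:
            raise ValueError("scope=vdom requires a vdom name")
        params["vdom"] = vdom
    return f"https://{host}{BACKUP_PATH}?{urllib.parse.urlencode(params)}"


def looks_like_fortigate_config(data: bytes) -> bool:
    """Sanity check: a plain-text FortiOS backup begins with a
    '#config-version=' header line. A JSON error body (bad token, wrong
    scope, insufficient profile) or an HTML login page does not, so the
    caller can refuse to overwrite a known-good backup with junk."""
    return data.lstrip().startswith(b"#config-version=")


def download_backup(host: str, token: str, out_path: str, *,
                    ca_file: Optional[str] = None, scope: str = "global",
                    vdom: Optional[str] = None, timeout: int = 30) -> int:
    """Fetch the backup, write it to out_path and return the byte count.

    ca_file: CA bundle that signed the FortiGate GUI certificate (None uses
    the system trust store). Verification is never disabled, because the API
    token travels in this request."""
    url = build_backup_url(host, scope, vdom)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        data = resp.read()
    if not looks_like_fortigate_config(data):
        raise RuntimeError("response is not a plain-text FortiOS backup; "
                           "check the token, scope and API user profile")
    with open(out_path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Token comes from the environment, not argv: command-line arguments are
    # visible to every local user in the process list.
    api_token = os.environ.get("FORTIGATE_API_TOKEN")  # constructed variable name
    if not api_token or len(sys.argv) < 3:
        sys.exit("usage: FORTIGATE_API_TOKEN=... backup.py <fortigate-host> <out-file> [ca-bundle]")
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    n = download_backup(sys.argv[1], api_token, sys.argv[2], ca_file=ca)
    print(f"wrote {n} bytes to {sys.argv[2]}")
```

Treat the API token exactly like a super_admin password: store it in a secrets manager, and since the api-user is the only account left if every interactive admin is locked out, restrict where it may be used from with the api-user's trusthost entries so a leaked token is not usable from arbitrary sources.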
Further information about using the REST API as an alternative way to keep a backup available:
Technical Tip: Get backup config file on FortiGate using RestAPI via Python script