ergotherego
New Member
May 24, 2017
Question

How to move the free FortiToken mobile licenses to a new VDOM or firewall


Recently ran into this today and wanted to post a solution. I have a lab firewall I wanted to test FTKM with, but the firewall uses VDOMs, and the tokens are associated to the root VDOM by default.

These are the steps I took to move a token from the root VDOM to the proper tenant VDOM, on a FortiGate 200D running 5.4.4. Most of the work can only be done via CLI, I found.

P.S. I think Setup step 7 is not actually required, assuming everything is working up to that point, as I ended up getting two activation emails.

 

Preparation

1) Get the serial numbers for both tokens from the root VDOM or other firewall

2) Ensure the tokens are not in-use / associated to any users or groups

3) Ensure SMTP server or SMS gateway is configured

4) Create user account(s) with email or SMS contact info (in this example, just a local user)


Setup

1) WebUI - Login to the root VDOM and go to User & Device > FortiTokens

2) WebUI - Select the token(s) you want to move and click the Delete button

3) CLI - Enter the VDOM you want the token(s) to be available in

4) CLI - Add the new tokens via their serial number, and enable them

config user fortitoken
    edit [ serial number ]
        set status enable
    next
end

5.A) CLI - You should now see the tokens in a provisioning state via the command "diagnose fortitoken info"

myfirewall (myvdom) # diagnose fortitoken info
FORTITOKEN           DRIFT  STATUS
FTKMOBxxxxxxxxxx     0      provisioning

Total activated token: 0
Total global activated token: 0

Token server status: reachable

myfirewall (myvdom) #

5.B) WebUI - You should now see the tokens in a pending state under User & Device > FortiTokens in the Status column

6) CLI - Enable two-factor and associate token with a user account (local account in this example)

config user local
    edit testuser
        set two-factor fortitoken
        set fortitoken [ serial number ]
    next
end

7) CLI - Provision the token using the command "exec fortitoken-mobile provision". This should generate an email/SMS to the user to activate their token.

exec fortitoken-mobile provision [ serial number ]


8) User - Install/activate token into their smart phone using normal process

9.A) CLI - The state of the token should now be "provisioned" via the command 'diagnose fortitoken info'

9.B) WebUI - The state of the token should now be "Assigned" via the Status column
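
Added check, not part of the original post: after step 9.A, a small Python script that parses the text of "diagnose fortitoken info" (pasted from the CLI session, or captured over SSH) and confirms that every token you moved is listed in the target VDOM, is "provisioned", is within a drift tolerance, and that the token server is reachable. The column layout, the status words "provisioning"/"provisioned" and the FTK serial prefix are taken from the listing shown in the post; the serial numbers in the sample are placeholders I made up, and the drift tolerance is my own assumption rather than a FortiOS setting.

```python
"""Verify the outcome of moving FortiToken Mobile tokens into a VDOM by
parsing the text of 'diagnose fortitoken info'.

Added example, not code from the original post. Column layout and status
words follow the listing shown in the post; serials are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: what the VDOM shows after one user activated their token,
# a second user has not yet, and a third token's clock has drifted.
SAMPLE_OUTPUT = """\
myfirewall (myvdom) # diagnose fortitoken info
FORTITOKEN           DRIFT  STATUS
FTKMOB0000000001     0      provisioning
FTKMOB0000000002     0      provisioned
FTKMOB0000000003     3      provisioned

Total activated token: 2
Total global activated token: 2

Token server status: reachable

myfirewall (myvdom) #
"""


@dataclass
class TokenRow:
    serial: str
    drift: int
    status: str


@dataclass
class TokenInfo:
    tokens: Dict[str, TokenRow]
    total_activated: Optional[int]
    server_status: Optional[str]


# One token per line: serial, signed drift count, status word.
ROW_RE = re.compile(r"^(FTK[A-Z0-9]+)\s+(-?\d+)\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"^Total activated token:\s*(\d+)")
SERVER_RE = re.compile(r"^Token server status:\s*(\S+)")


def parse_fortitoken_info(text: str) -> TokenInfo:
    """Turn the raw CLI listing into a TokenInfo; unrecognised lines are ignored."""
    tokens: Dict[str, TokenRow] = {}
    total = None
    server = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            serial, drift, status = m.groups()
            tokens[serial] = TokenRow(serial, int(drift), status)
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
    return TokenInfo(tokens, total, server)


def check_tokens(info: TokenInfo, expected: List[str], max_drift: int = 0) -> List[str]:
    """Return a list of problems; an empty list means every expected serial is
    listed in this VDOM, provisioned, within the drift tolerance, and the token
    server is reachable. max_drift=0 is an assumed default, not a FortiOS value."""
    problems: List[str] = []
    if info.server_status != "reachable":
        problems.append(f"token server status is {info.server_status!r}, not 'reachable'")
    for serial in expected:
        row = info.tokens.get(serial)
        if row is None:
            problems.append(f"{serial}: not listed in this VDOM (still in root, or wrong serial)")
        elif row.status != "provisioned":
            problems.append(f"{serial}: status is {row.status!r}; user has not activated it yet")
        elif abs(row.drift) > max_drift:
            problems.append(f"{serial}: drift {row.drift} exceeds tolerance {max_drift}")
    return problems


if __name__ == "__main__":
    info = parse_fortitoken_info(SAMPLE_OUTPUT)
    for p in check_tokens(info, ["FTKMOB0000000001", "FTKMOB0000000002", "FTKMOB0000000003"]):
        print("PROBLEM:", p)
```

Run it against the listing from the target VDOM with the serials you added in step 4. A "not listed" result usually means the token was never added in that VDOM (or the serial was mistyped in step 4); a "provisioning" status means the user has not completed step 8 yet.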


    makco10
    Explorer II
    October 23, 2017

    Clear instructions, cool.

    Regards.

    emnoc
    New Member
    October 23, 2017

    You do know the token is not configured to a "vdom", but to a user. You're not "moving" a token, you are assigning it to the respective user.

    Ken