Ditmar
New Member
September 29, 2014
Question

Token code valid time

  • September 29, 2014
  • 3 replies
  • 19437 views
Hi Guys, is there a way to extend the valid time of the token codes? We are sending codes by mail, but the mail delay is sometimes too long to get the code in before it is invalid. It would be good to have a time slot of 2 or 3 minutes. My FG is FGB200B, OS is v4.0 build 0632. Thank you for your help. Ditmar

    3 replies

    Christopher_McMullan
    Staff
    September 29, 2014
    I remember this being discussed in 2012 based on customer feedback. I found the bug ID that referenced the discussion for bringing it in as a New Feature Request. It looks like it was never added in OS 4.3, but the command is there in OS 5.0 and 5.2:

        config system global
            set two-factor-sms-expiry <int>
            set two-factor-email-expiry <int>
        end

    The value can be anything from 30-300 seconds.
    Ditmar (Author)
    New Member
    September 30, 2014
    Thank you, Chris, yes, this works fine in OS 5.2. But there is no way to activate sending the codes by email as I could do in OS 4.3. Do you have an idea how to fix this? There is no choice to set two-factor email and configure email-to in config user local, edit <user>. Thank you Ditmar
    Christopher_McMullan
    Staff
    October 1, 2014
    In OS 5.0 and 5.2, this is how I did it, from start to finish, using SSLVPN access as an example:

        config system email-server
            set server mail.domain.ca
            set auth en
            set user tokens@domain.ca
            set password password
            set security none
            set port 26    //--this is the port I use in reality
            set reply-to tokens@domain.ca
        end

        config user local
            edit "email_test"
                set type password
                set passwd password
                set two-factor email    //--you can only see email as an option once you create an email server above
                set email-to user@domain.ca
        end

        config user group
            edit "SSL_users"
                set member email_test
        end

        config firewall policy
            edit 0
                set srcintf wan1
                set dstintf internal
                set srcaddr all
                set dstaddr all
                set action ssl-vpn
                set identity-based enable
                config identity-based-policy
                    edit 1
                        set schedule always
                        set groups "SSL_users"
                        set service ALL
                        set sslvpn-portal "full-access"
                end
        end
    Ditmar (Author)
    New Member
    October 1, 2014
    Thank you, Chris, in my test FG200 I forgot to configure the mail server. It really works with OS 5.2 as well. One more question: I configured token codes by mail in OS 4.3, but this was reset after updating to 5.2. Must I redo all the configuration for this after the next update, or is it also caused by my incomplete test environment?
    Christopher_McMullan
    Staff
    October 1, 2014
    *Maybe*.... Usually, for the FortiGate to reset or clear a setting upon an upgrade, it's because the destination build has no way of accounting for a setting from an earlier version. A good example is WANOpt rules between 4.3 and 5.0. WANOpt became just another UTM profile in 5.0, which did away with the separate rules. Because of the way the logic changed, there was no way to retain the settings, so it was documented in the equivalent of heavy bolded red letters: "THIS SETTING WILL NOT SURVIVE AN UPGRADE." So, it could be - I'm not certain offhand - either an incomplete setup or a setting that is invalid with the new OS.