Description
This article describes how to activate the FortiToken Mobile license in FortiAuthenticator.
Scope
FortiToken Mobile with FortiAuthenticator.
Solution
- Log in to the FortiAuthenticator Web UI (ensure it has a valid Internet connection).
- Go to Authentication -> User Management -> FortiTokens (in the left-hand menu).

- Select 'Create New', then select 'Mobile FortiToken'.
- Enter the license activation code revealed in the certificate and select 'OK'.
- Once activation has been verified, check that the tokens are listed under Authentication -> User Management -> FortiTokens. The number of 'FTKMOB...' serial numbers should match the token count on the EFTM license.
- On the support portal, the EFTM license number will now be listed against this FortiAuthenticator's serial number.
Note that although end-user token activation can be performed entirely offline since FortiAuthenticator 6.6.1, FortiAuthenticator must be online for the one-time license activation.
Troubleshooting:
In some cases, the activation process fails and returns an error similar to 'problem with SSL comm layer' (seen, for example, on v5.4).
Other errors might be logged as well, such as:
- 'SSL session failed'.
- 'FTM polling error: connection timeout: server connection failed: SSL session failed'.
- 'FTM polling error: problem with SSL comm layer: server connection failed: SSL session failed'.
If this occurs, follow the steps below:
- Make sure the FortiAuthenticator can resolve the fortitokenmobile.fortinet.com FQDN.
In the FortiAuthenticator CLI, type the command below:
execute ping fortitokenmobile.fortinet.com
This should resolve to the following address:
Name: fortitokenmobile.fortinet.com
Address: 173.243.138.84
- Verify that there is no other upstream device to the FortiAuthenticator preventing it from reaching the licensing servers over TCP/443.
- Usually, FortiAuthenticator reaches the Internet through a FortiGate. If that FortiGate (or another firewall in the path) performs Deep Packet Inspection (DPI, i.e. SSL inspection) on this traffic, the errors above are the expected symptom.
- Check that FortiAuthenticator can reach the Internet through the FortiGate at all, and specifically whether general Internet access works while the licensing FQDN does not.
- On the FortiGate, create a dedicated firewall policy from the FortiAuthenticator's address to the licensing server (an FQDN address object for fortitokenmobile.fortinet.com, or 173.243.138.84) with service set to 'ALL'.
- Check SMTP server reachability: if a custom mail server is configured and is not reachable, try using localhost.
These errors occur because FortiAuthenticator only completes the TLS connection if the licensing server presents a valid certificate signed by the Fortinet CA. A certificate re-signed by an inspecting firewall is rejected, so man-in-the-middle inspection of this traffic is not possible. To avoid the error, create a policy that allows only the FortiAuthenticator IP to reach the Internet (or at least the licensing server) and that applies no security profile or DPI.
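As an added example, not taken from the original article or from Fortinet's own documentation, the following FortiOS CLI configuration implements the exemption described above: an address object for the FortiAuthenticator, an FQDN address object (plus the IP quoted above as a fallback, in case the FortiGate's own DNS resolution of the FQDN lags) for the licensing server, and an accept policy with no security profiles and SSL inspection set to 'no-inspection'. The interface names 'internal' and 'wan1', the FortiAuthenticator address 192.0.2.10 and all object names are assumptions; adjust them to your environment.

```fortios
# Added example (not Fortinet's own config). Assumptions: FortiAuthenticator is
# 192.0.2.10 behind 'internal', Internet is via 'wan1', object names are ours.
config firewall address
    edit "FortiAuthenticator"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "FTM-licensing-fqdn"
        set type fqdn
        set fqdn "fortitokenmobile.fortinet.com"
    next
    edit "FTM-licensing-ip"
        set subnet 173.243.138.84 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "FAC-to-FTM-licensing"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "FortiAuthenticator"
        set dstaddr "FTM-licensing-fqdn" "FTM-licensing-ip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ssl-ssh-profile "no-inspection"
        set logtraffic all
        set comments "FortiToken Mobile license activation: cert pinned to Fortinet CA, no DPI"
    next
end
```

FortiGate evaluates policies top-down, so after creating it, move this policy above any broader outbound policy that applies deep inspection (config firewall policy, then move <new-id> before <broad-policy-id>); otherwise the broader policy keeps matching first and the exemption never takes effect. 'set logtraffic all' is there so a failed activation attempt can be correlated with a session hitting this policy in the forward traffic log.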
Additionally, a packet capture can be run on the interface FortiAuthenticator uses to reach the Internet, under System -> Network -> Packet Capture (blue play button). Increase the Maximum packets value to something like 5000 and attempt the activation again. The .pcap file can then be downloaded and opened in Wireshark to see how far the TLS handshake with fortitokenmobile.fortinet.com gets.
Especially after a migration, make sure that on the support portal the FortiToken Mobile license is assigned to this FortiAuthenticator's serial number (not to its HA peer's).
If the above does not resolve the issue, contact the Technical Assistance Center (TAC) to confirm that the licensing servers are operational.