Description
This article describes how to activate the FortiToken Mobile license in FortiAuthenticator.
Scope
FortiToken Mobile with FortiAuthenticator.
Solution
- Log in to the FortiAuthenticator Web UI (ensure it has a valid Internet connection).
- Go to Authentication -> User Management -> FortiTokens (in the left-hand menu).

- Select 'Create New', then select 'Mobile FortiToken'.
- Enter the license activation code revealed in the certificate and select 'OK'.
- After the activation is verified, check that all tokens are listed under Authentication -> User Management -> FortiTokens. The number of 'FTKMOB...' serial numbers will match the token count of the license (EFTM contract number, etc.).
- This FortiAuthenticator serial number will now have the EFTM license number listed on it when viewed on the support portal.
Note that although end-user token activation can be performed entirely offline since FortiAuthenticator version 6.6.1, FortiAuthenticator must be online once for the license activation itself.
Troubleshooting:
In some cases (observed on version 5.4, for example), the activation process fails and returns an error similar to 'problem with SSL comm layer'.
Other errors might be logged as well, such as:
- 'SSL session failed'.
- 'FTM polling error: connection timeout: server connection failed: SSL session failed'.
- 'FTM polling error: problem with SSL comm layer: server connection failed: SSL session failed'.
If this occurs, follow the steps below:
- Make sure the FortiAuthenticator can resolve the fortitokenmobile.fortinet.com FQDN.
In the FortiAuthenticator CLI, type the command below:
execute ping fortitokenmobile.fortinet.com
This should resolve to the following address:
Name: fortitokenmobile.fortinet.com
Address: 173.243.138.84
- Confirm that no other device upstream of the FortiAuthenticator is preventing it from reaching the licensing servers over TCP/443.
- Usually, FortiAuthenticator goes through the FortiGate firewall to reach the Internet. If Deep Packet Inspection (DPI, i.e. SSL inspection) is being performed by the FortiGate (or another firewall), the errors mentioned above may be displayed.
This happens because FortiAuthenticator only connects to a server presenting a valid certificate signed by the Fortinet CA; a certificate re-signed by an inspecting device is rejected, so no man-in-the-middle is allowed on this connection. To avoid this error, create a firewall policy that allows only the FortiAuthenticator IP to reach the Internet and that applies no security profile or DPI.
Additionally, a packet capture can be run on the interface that FortiAuthenticator uses to reach the Internet, under System -> Network -> Packet Capture (blue play button). It is recommended to raise the 'Maximum packet' value to something like 5000 and then attempt an activation. The resulting .pcap file can be downloaded and opened in Wireshark to inspect the communication with fortitokenmobile.fortinet.com (a TLS handshake that ends in an alert right after the server certificate is a typical sign of an inspection device substituting the certificate).
- Especially after a migration, make sure that in the support portal, the FortiToken Mobile license is assigned to this FortiAuthenticator serial number (not its HA peer).
- Contact the Technical Assistance Center (TAC) and confirm the licensing servers are operational.
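The checks above, written as a small diagnostic to run from an administrator's host on the same network segment as the FortiAuthenticator. This is an added example, not a Fortinet tool: it assumes the host's default CA store (or a CA bundle passed as cafile) is the one that should sign the licensing server's certificate, so a verification failure points at an upstream SSL-inspection device substituting the certificate.

```python
"""Probe DNS, TCP/443 and TLS trust for the FortiToken Mobile licensing host."""
import socket
import ssl

LICENSE_HOST = "fortitokenmobile.fortinet.com"
EXPECTED_IP = "173.243.138.84"  # address documented in the article


def resolve(host=LICENSE_HOST):
    """IPv4 addresses the local resolver returns for host ([] on failure)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, 443, socket.AF_INET)})
    except socket.gaierror:
        return []


def tcp_reachable(host=LICENSE_HOST, port=443, timeout=5.0):
    """True if a plain TCP connection completes (no TLS involved yet)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_probe(host=LICENSE_HOST, port=443, cafile=None, timeout=5.0):
    """("ok", issuer) if the chain verifies, else ("verify_failed"|"tls_error", reason).

    cafile is an assumption: None uses the system store; pass the Fortinet CA
    bundle if the licensing server chains to a private CA. A certificate
    re-signed by an inspecting firewall fails verification here.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer
    except ssl.SSLCertVerificationError as e:
        return "verify_failed", e.verify_message
    except OSError as e:  # handshake aborted, reset, timeout, ...
        return "tls_error", str(e)


def diagnose(ips, tcp_ok, tls):
    """Map probe results onto the next troubleshooting step from the article."""
    if not ips:
        return "dns: licensing FQDN does not resolve; fix DNS on FortiAuthenticator"
    if EXPECTED_IP not in ips:
        return f"dns: resolves to {ips}, not the documented {EXPECTED_IP}"
    if not tcp_ok:
        return "network: TCP/443 blocked by an upstream device; review firewall policy"
    if tls[0] != "ok":
        return f"tls: certificate not accepted ({tls[1]}); exempt the FortiAuthenticator IP from DPI/SSL inspection"
    return f"path clean (issuer O={tls[1].get('organizationName')}); verify license assignment in the support portal or contact TAC"


if __name__ == "__main__":
    ips = resolve()
    print(diagnose(ips, tcp_reachable(), tls_probe() if ips else ("tls_error", "skipped")))
```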