Description
This article describes how to activate the FortiToken mobile license in FortiAuthenticator.
Scope
FortiToken mobile with FortiAuthenticator.
Solution
- Log in to the FortiAuthenticator WebUI (ensure it has a valid Internet connection).
- Go to Authentication -> User Management -> Fortitokens (in the left-hand menu).
- Select 'Create New', then select 'Mobile FortiToken'.
- Enter the activation code revealed in the certificate and select 'OK'.
- After receiving verification, check all Tokens are available under Authentication -> User Management -> FortiTokens.
Here is an explanation of how FortiToken Mobile provisioning works:
- FortiAuthenticator generates a seed for FortiToken Mobile, and other parameters (activation code, SN, HOTP/TOTP, OTP length, PIN, FTM logo), then sends it to fortitokenmobile.fortinet.com.
- FortiAuthenticator sends an activation code to the end user via email/SMS.
- The end-user enters the activation code (manual or QR scan) in FortiToken Mobile.
- FortiToken Mobile connects to fortitokenmobile.fortinet.com and:
- Gives activation code, mobile OS version, and app regid.
- Takes FortiToken Mobile seed and other parameters.
- FortiAuthenticator polls fortitokenmobile.fortinet.com to see if FortiToken Mobile was activated. If yes, it gets the mobile OS version and app regid, then marks FortiToken Mobile in config as activated.
Troubleshooting:
In some cases, the activation process fails and returns an error similar to 'problem with SSL comm layer':
V5.4:
Other errors might be logged as well, such as:
- 'SSL session failed'.
- 'FTM polling error: connection timeout: server connection failed: SSL session failed'.
- 'FTM polling error: problem with SSL comm layer: server connection failed: SSL session failed'.
If this occurs, follow the steps below:
- Make sure the FortiAuthenticator can resolve the fortitokenmobile.fortinet.com FQDN (the old URL was directregistration.fortinet.com).
In the FortiAuthenticator CLI, type the command below:
execute ping fortitokenmobile.fortinet.com
One of the following addresses should be resolved:
Name: fortitokenmobile.fortinet.com
Address: 173.243.138.84
Name: fortitokenmobile.fortinet.com
Address: 208.91.113.27
Name: fortitokenmobile.fortinet.com
Address: 208.91.113.29
One of the following addresses should be resolved:
Name: fortitokenmobile.fortinet.com
Address: 173.243.138.84
Name: fortitokenmobile.fortinet.com
Address: 208.91.113.27
Name: fortitokenmobile.fortinet.com
Address: 208.91.113.29
- Confirm there is no other device upstream to the FortiAuthenticator preventing it from reaching the licensing servers over TCP/443.
- Usually, FortiAuthenticator goes through the FortiGate firewall to reach the internet. If DPI (Deep Packet Inspection) is being performed by FortiGate (or another firewall), the errors aforementioned might be displayed.
This happens because FortiAuthenticator will ONLY connect to the server that has the valid certificate signed by the Fortinet CA, therefore, man-in-the-middle is not allowed. To avoid this error, create a policy that allows only FortiAuthenticator IP to reach the internet and does not apply any security profile or DPI.
Additionally, packet capture can be run on the port that FortiAuthenticator uses to reach the internet under System -> Network -> Packet Capture (blue play button). It is recommended to increase the Maximum packet value to a value such as 5000 and try an activation. The .pcap file can be downloaded and analyzed in Wireshark to give information regarding the communication with fortitokenmobile.fortinet.com.
- Contact the Technical Assistance Center (TAC) and confirm the licensing servers are operational.
