FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
rbraha (Staff)
Article Id 275159
Description This article describes FortiIdentity Cloud's basic troubleshooting when it is configured on FortiGate or FortiAuthenticator.
Scope FortiGate, FortiAuthenticator.
Solution

There are various advantages to using the FortiIdentity Cloud.

 

  1. Centralized management of all tokens across platforms (FortiGate and FortiAuthenticator).
  2. One FortiToken Cloud license covers all FortiGates and FortiAuthenticators.
  3. Native cross-platform token migration.
  4. Push notifications are sent through the FortiIdentity Cloud service, which is more secure and simplifies provisioning.

 

Tokens can be associated with users directly on FortiGate or FortiAuthenticator:

 

ftc1.png

 

After FortiIdentity Cloud is selected as the token type, FortiAuthenticator updates the FortiIdentity Cloud service, and an activation email containing a QR code is sent at the same time.

Log in to FortiIdentity Cloud to see general information about the Fortinet products that use FortiIdentity Cloud, as well as users, realms, and SMS credit.

If 'Users' is selected, the users associated with the FortiIdentity Cloud-enabled FortiGate and FortiAuthenticator are listed.

 

ftc2png.png

 

FortiIdentity Cloud is enabled by default on FortiGate; it can only be enabled globally on the FortiGate, not per VDOM.

 

fgt # config global
fgt (global) # config system global
fgt (global) # set fortitoken-cloud enable
fgt (global) # end
fgt (global) # end

 

FortiToken Cloud CLI on FortiGate:

 

ftc3.png

 

Some troubleshooting commands to run on FortiGate CLI:

 

 config global
 diagnose debug console timestamp enable
 diagnose fortitoken-cloud debug enable
 diagnose debug application fnbamd -1
 diagnose debug application httpsd 255
 diagnose debug enable

 

If using the FortiIdentity Token while connecting to SSL VPN, include:

 

diagnose debug application sslvpn -1

 

If using the FortiIdentity Token while connecting to IPsec, include:

 

diagnose debug application ike -1
diagnose debug application eap_proxy -1

 

On a hardware appliance, if offloading is enabled, disable it so that the authentication traffic is visible in the debug output.

Follow this article: Technical Tip: FortiGate Disable Hardware Acceleration.

 

To disable the debugging:

 

diagnose debug disable
diagnose debug reset
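The debug-enable and debug-disable steps above are easy to get wrong by hand (an en dash instead of "-1", a forgotten "diagnose debug reset" that leaves filters set). This added helper, which is not part of the Fortinet article, builds both halves of the session from the command list above as a paste-able script; it assumes "config global" is only required on a FortiGate in multi-VDOM mode and uses "eap_proxy" as the EAP proxy daemon name.

```python
# Added example (not from the Fortinet article): generate the FortiGate debug
# command sequences for a FortiToken/FortiIdentity Cloud troubleshooting session,
# so the enable commands and the matching disable/reset are always issued together.
# Assumption: "config global" is only needed when the FortiGate runs in
# multi-VDOM mode; on a non-VDOM unit the diagnose commands run directly.

COMMON_DEBUG = [
    "diagnose debug console timestamp enable",
    "diagnose fortitoken-cloud debug enable",
    "diagnose debug application fnbamd -1",
    "diagnose debug application httpsd 255",
]

# Extra daemons to trace, keyed by how the user reaches the FortiGate.
SCENARIO_DEBUG = {
    "sslvpn": ["diagnose debug application sslvpn -1"],
    "ipsec": [
        "diagnose debug application ike -1",
        "diagnose debug application eap_proxy -1",  # assumed daemon name
    ],
    "none": [],
}


def enable_commands(scenario="none", multi_vdom=True):
    """CLI lines that switch on FortiToken/FortiIdentity Cloud debugging."""
    if scenario not in SCENARIO_DEBUG:
        raise ValueError(f"unknown scenario {scenario!r}; use one of {sorted(SCENARIO_DEBUG)}")
    cmds = ["config global"] if multi_vdom else []
    cmds += COMMON_DEBUG + SCENARIO_DEBUG[scenario]
    # 'diagnose debug enable' goes last: nothing is printed until it is set.
    cmds.append("diagnose debug enable")
    return cmds


def disable_commands(multi_vdom=True):
    """CLI lines that stop debugging and clear every debug filter set above."""
    cmds = ["config global"] if multi_vdom else []
    return cmds + ["diagnose debug disable", "diagnose debug reset"]


def debug_session(scenario="none", multi_vdom=True):
    """Enable block (run before the test login), a blank line, then the
    disable block (run once the failing authentication has been captured)."""
    return "\n".join(enable_commands(scenario, multi_vdom) + [""] + disable_commands(multi_vdom))


if __name__ == "__main__":
    print(debug_session("ipsec"))
```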

 

The debug output below is from the FortiGate side for the user 'test':

 

ftc4.png

 

The output below is for a different test user, pirlo, authenticating through FortiAuthenticator.

Check the RADIUS debug logs on FortiAuthenticator at https://<FAC-IP>/debug/radius.

ftc4.png

 

On the FortiIdentity Cloud portal, any errors related to user authentication can be seen in the logs under Logs - Authentication.

 

ftc6.png 

It is also possible to download a copy of the user authentication logs, filter them by date, and export the result as a CSV file.

 

ftc5.png