FortiAuthenticator
kiri
Staff
Article Id 370798
Description

This article describes the error 'NAS forces two-factor auth but user token not defined' and how to resolve it.

Scope

FortiAuthenticator 6.x.
Solution

Under some circumstances, FortiAuthenticator may fail a user authentication and log the error 'NAS forces two-factor auth but user token not defined'.

This is visible under Logging -> Log Access -> Logs:

Log Details

Log Record Detail
  ID: 58101
  Timestamp: Fri Jan 17 10:16:18 2025
  Level: information
  Action: Authentication
  Status: Failed
  Source IP: 10.191.19.149
  Message: Windows AD administrator authentication from 10.191.31.254 (mschap) with no token failed: NAS forces two-factor auth but user token not defined
  User: fortinet

Log Type
  Type Id: 20354
  Name: Authentication Failed NAS Need Token
  Sub Category: Authentication
  Category: Event
  Description: Authentication failed, NAS requires token but user has no token

The same message may also appear in the RADIUS debug output if debug is enabled:

2025-01-17T10:16:18.466558+01:00 fortiauth radiusd[21249]: (0) facauth: Updated auth log 'fortinet' for attempt from 10.191.19.149~10.191.31.254: Windows AD administrator authentication from 10.191.31.254 (mschap) with no token failed: NAS forces two-factor auth but user token not defined
Further information on collecting log messages and RADIUS debug may be found here.

The default RADIUS policy setting for Authentication factors, 'All configured password and OTP factors', works well for most use cases.

[Screenshot pol.png: RADIUS policy, Authentication factors set to 'All configured password and OTP factors']

This setting is dynamic: it prompts the user for whichever authentication methods are configured for that particular user.

The same Authentication factors setting also applies to SAML authentication.

[Screenshot saml.png: SAML authentication, Authentication factors setting]

The user in the log above, fortinet, is configured with a password only. Another user who also has OTP configured will be prompted by the same policy for both the password and the token.

[Screenshot user.png: user fortinet, configured with password only]

This error occurs when the Authentication factors option is set to 'Mandatory password and OTP' and the user trying to authenticate has no token configured.

There are two solutions:

  1. If the RADIUS policy was set to 'Mandatory password and OTP' by mistake, OTP is not actually required, and the user has no OTP: switch the policy to 'All configured password and OTP factors'. This resolves the issue.
  2. If OTP is mandatory ('Mandatory password and OTP'), the user must have OTP configured in order to authenticate.
    All users matching this policy who have no OTP configured will fail to authenticate.
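As an added example (not part of this article or of FortiAuthenticator itself), the following Python script scans radiusd syslog lines in the layout quoted above for the 'NAS Need Token' failure and summarises the affected users per NAS and authentication method, which helps pick between the two solutions: one user failing usually points to a missing token, while every user behind one NAS failing points to a policy set to 'Mandatory password and OTP' by mistake. The sample log lines are constructed, and the regular expression assumes the message layout of the single debug line shown in the article.

```python
import re

# Constructed sample radiusd syslog lines in the layout quoted in the article
# (users, times and addresses are made up; the last line is an unrelated
# message included to show that it is ignored).
SAMPLE_LOG = """\
2025-01-17T10:16:18.466558+01:00 fortiauth radiusd[21249]: (0) facauth: Updated auth log 'fortinet' for attempt from 10.191.19.149~10.191.31.254: Windows AD administrator authentication from 10.191.31.254 (mschap) with no token failed: NAS forces two-factor auth but user token not defined
2025-01-17T10:17:02.101000+01:00 fortiauth radiusd[21249]: (1) facauth: Updated auth log 'alice' for attempt from 10.191.19.150~10.191.31.254: Windows AD administrator authentication from 10.191.31.254 (pap) with no token failed: NAS forces two-factor auth but user token not defined
2025-01-17T10:17:40.500000+01:00 fortiauth radiusd[21249]: (2) facauth: Updated auth log 'fortinet' for attempt from 10.191.19.149~10.191.31.253: Windows AD administrator authentication from 10.191.31.253 (mschap) with no token failed: NAS forces two-factor auth but user token not defined
2025-01-17T10:18:05.000000+01:00 fortiauth radiusd[21249]: (3) facauth: unrelated message for 'bob'
"""

# Matches only the 'Authentication Failed NAS Need Token' message and captures
# the fields needed for triage: user, client IP, NAS IP and RADIUS auth method.
NEED_TOKEN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) radiusd\[\d+\]: \(\d+\) facauth: "
    r"Updated auth log '(?P<user>[^']+)' for attempt from "
    r"(?P<client_ip>[\d.]+)~(?P<nas_ip>[\d.]+): .*?\((?P<method>[^)]+)\) "
    r"with no token failed: NAS forces two-factor auth but user token not defined$"
)


def parse_need_token_event(line):
    """Return the captured fields for a 'NAS need token' line, or None otherwise."""
    m = NEED_TOKEN_RE.match(line.strip())
    return m.groupdict() if m else None


def users_missing_token(log_text):
    """Aggregate failures per user: {user: {"failures": n, "nas": [...], "methods": [...]}}."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_need_token_event(line)
        if ev is None:
            continue
        entry = summary.setdefault(ev["user"], {"failures": 0, "nas": set(), "methods": set()})
        entry["failures"] += 1
        entry["nas"].add(ev["nas_ip"])
        entry["methods"].add(ev["method"])
    # Freeze the sets into sorted lists so the report is stable.
    return {u: {"failures": e["failures"], "nas": sorted(e["nas"]), "methods": sorted(e["methods"])}
            for u, e in summary.items()}


if __name__ == "__main__":
    report = users_missing_token(SAMPLE_LOG)
    for user, info in sorted(report.items(), key=lambda kv: -kv[1]["failures"]):
        print(f"{user}: {info['failures']} failure(s) via NAS {', '.join(info['nas'])} "
              f"using {', '.join(info['methods'])}")
```

Point the script at the exported radiusd debug or the Log Access export instead of SAMPLE_LOG to run it on real data.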