FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Debbie_FTNT
Staff
Article Id 193675

Description


This article describes how to resend activation codes for mobile FortiTokens registered on a FortiAuthenticator or FortiGate.

Useful links:

Fortinet Documentation
Add FortiToken multi-factor authentication: https://docs.fortinet.com/document/fortigate/latest/administration-guide/332870/add-fortitoken-multi...
User creation and token assignment: https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/704851/user-managem...

Token management, creation and import: https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/115040/fortitoken-p...

 

Scope

 

FortiAuthenticator.
         
Solution


FortiAuthenticator can be used to assign mobile FortiTokens (and hardware tokens) to users instead of FortiGates, meaning that the same user can use the same token across multiple FortiGates.

When mobile tokens are assigned to a user, this should trigger an authentication code being sent via SMS or email, depending on the FortiAuthenticator configuration and user information.

The user then has a few hours to activate the token with the code before it expires.

Should the activation code expire (or be deleted from the phone), a new activation code can be sent without needing to revoke and re-assign the token:
1) Go to: Authentication -> User Management -> FortiTokens
2) Edit the token assigned to that user. It should be in ‘Pending’ state.
3) Click on ‘[Re-start Activation]’
4) A new activation code will be sent.

FortiGate

FortiGate can be used to assign mobile FortiTokens (and hardware tokens) too.
 
When mobile tokens are assigned to a user, this should trigger an authentication code being sent via SMS or email, depending on the FortiGate configuration and user information.
The user then has a few hours to activate the token with the code before it expires.
 
Should the activation code expire (or be deleted from the phone), a new activation code can be sent without needing to revoke and re-assign the token:
1) Go to: User & Device -> User Definition
2) Right-click on the user.
3) Click on ‘Send Activation Code’
4) A new activation code will be sent.

 

 
In CLI:
 

Ornstein-kvm40 (local) # edit "guest"

Ornstein-kvm40 (guest) # show
    config user local
        edit "guest"
            set type password
            set two-factor fortitoken
            set fortitoken "FTKMOB162CE428C5"
            set email-to "sadsadad@edadasd"
            set passwd ENC YRaEoEEs7En1v5NnwLRkpXn5llmVD4un83V8CijzYTOV5ka9IhB/gcTE/qEceiZn03jvpno4**bleep**72CWaDZQxSbj894mdhy0czE/uLjs8SS9VLRm9xyV7TVJBVLxwdPATZDpd8JC+XsiNzeNyPdu0nYX5DP6cB4IvCBNC6XIBKbV5bs5/cu7ge8pg0kqjKJ2FhDui3w==
        next
    end

 

Note:

It is now also possible to assign the cloud token by right-clicking the user. In older versions, this option was not available.