zromano
Staff & Editor
Article Id 424201
Description

This article describes why, after upgrading FortiGate to 7.4.9, provisioning FortiTokens to users might fail.

Scope

FortiGate, FortiToken.

Solution

A FortiToken license has to be registered to a FortiGate Serial Number. If there are two or more FortiGates in a cluster, they can share the FortiTokens even if the unit that has the tokens assigned is the secondary unit.


However, 7.4.9 has a known issue: if the FortiGate registered with the FortiToken license is not the primary unit, tokens cannot be assigned to users.

For example, if the tokens are assigned to the Serial Number of FortiGate-A, and FortiGate-B is the active unit in the cluster, provisioning will not work.

Note: Only FortiToken provisioning to users (linking a FortiToken to a user in the configuration) is affected.
Users that have already been configured can still use their FortiTokens normally, and registering new FortiToken licenses still works.


To confirm whether the cluster is affected by this known issue, collect the output of the following debug commands:

diagnose fortitoken debug enable
diagnose debug cli 8
diagnose debug enable

Then, after trying to assign an available FortiToken to a user (either via the GUI or the CLI), the following line appears in the debug output:

ftm_fc_command[593]:{ "d": { "__type": "SoftToken.ProvisionRequest", "__version": "4", "__device_version": "7.0", "__device_build": "2829", "serial_number": "FG4H0Fxxxxxxxxxxx", "__clustered_sns": [ { "sn": "FG4H0Fxxxxxxxxxxx" } ], "tokens": [ { "token": "FTKMOBxxxxxxxxxxx", ...

The rest of the line has been omitted as it is not relevant to this article.
If only one FortiGate Serial Number is shown in the '__clustered_sns' field, the cluster is affected by the known issue.
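The check described above can be automated when the debug output is saved to a file. The following Python script is an added example and is not Fortinet's code or part of the article: it locates the ftm_fc_command line, reads the '__clustered_sns' array, and reports the cluster as affected when two or more members are expected but only one Serial Number is listed. The sample debug lines and serial numbers below are constructed placeholders, not real device output; the regex fallback exists because the line pasted in the article is truncated with "..." and is therefore not valid JSON.

```python
import json
import re

# Constructed samples (placeholder serial numbers, not real FortiGate output).
# A healthy two-member cluster lists both members under "__clustered_sns";
# an affected 7.4.9 cluster lists only the unit that sent the request.
SAMPLE_AFFECTED = (
    'ftm_fc_command[593]:{ "d": { "__type": "SoftToken.ProvisionRequest", "__version": "4", '
    '"__device_version": "7.0", "__device_build": "2829", "serial_number": "FG4H0FAAAAAAAAAAA", '
    '"__clustered_sns": [ { "sn": "FG4H0FAAAAAAAAAAA" } ], '
    '"tokens": [ { "token": "FTKMOBBBBBBBBBBBB" } ] } }'
)
SAMPLE_HEALTHY = (
    'ftm_fc_command[593]:{ "d": { "__type": "SoftToken.ProvisionRequest", "__version": "4", '
    '"__device_version": "7.0", "__device_build": "2829", "serial_number": "FG4H0FAAAAAAAAAAA", '
    '"__clustered_sns": [ { "sn": "FG4H0FAAAAAAAAAAA" }, { "sn": "FG4H0FCCCCCCCCCCC" } ], '
    '"tokens": [ { "token": "FTKMOBBBBBBBBBBBB" } ] } }'
)
# Same request cut short with "...", as in the excerpt shown in the article.
SAMPLE_TRUNCATED = SAMPLE_AFFECTED.split('"tokens"')[0] + '"tokens": [ { "token": "FTKMOBBBBBBBBBBBB", ...'

# Constructed debug capture: the provisioning request sits among unrelated lines.
SAMPLE_CAPTURE = [
    "some other debug line",
    SAMPLE_AFFECTED,
    "another unrelated line",
]

_PREFIX = re.compile(r"ftm_fc_command\[\d+\]:")


def clustered_serials(debug_line):
    """Serial numbers listed under __clustered_sns in an ftm_fc_command debug line.

    Parses the JSON body when the line is complete; falls back to a regex when
    the line was truncated (e.g. copied with a trailing "..."). Returns [] when
    the line is not a ProvisionRequest or carries no cluster list.
    """
    m = _PREFIX.search(debug_line)
    if not m:
        return []
    payload = debug_line[m.end():].lstrip()
    try:
        obj, _ = json.JSONDecoder().raw_decode(payload)
        data = obj["d"]
        if data.get("__type") != "SoftToken.ProvisionRequest":
            return []
        return [e["sn"] for e in data.get("__clustered_sns", []) if "sn" in e]
    except (json.JSONDecodeError, KeyError, TypeError):
        # Truncated or otherwise unparseable: pull the array out by pattern instead.
        arr = re.search(r'"__clustered_sns"\s*:\s*\[(.*?)\]', payload)
        if not arr:
            return []
        return re.findall(r'"sn"\s*:\s*"([^"]+)"', arr.group(1))


def is_affected(debug_line, expected_members):
    """True when the cluster has 2+ members but the request lists only one SN."""
    sns = clustered_serials(debug_line)
    return expected_members >= 2 and len(sns) == 1


def check_capture(lines, expected_members):
    """Scan a saved debug capture; return (affected, serials_seen) for the first
    ProvisionRequest found, or (None, []) if no such line is present."""
    for line in lines:
        sns = clustered_serials(line)
        if sns:
            return is_affected(line, expected_members), sns
    return None, []


if __name__ == "__main__":
    affected, sns = check_capture(SAMPLE_CAPTURE, expected_members=2)
    print("clustered SNs:", sns)
    print("affected by the 7.4.9 known issue:", affected)
```

Run it against a file by reading the saved debug output into a list of lines and passing the real member count of the cluster; a result of None means no provisioning attempt was captured, so the debug commands above should be re-run while a token is assigned.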

This issue will be fixed in 7.4.10.


As a possible workaround, fail over to the unit that has the FortiTokens assigned, or use a different firmware version.
