Description
This article describes how to activate the FortiToken Trial serial numbers included in each FortiGate unit.
FortiGate is shipped with two free FortiTokens Mobile per unit with unique serial numbers. This works very similar to the bought licenses with the EFTMxxx numbers, it will have a real activation code.
Scope
- FortiOS.
- Import FortiToken.
- Activate FortiToken mobile.
- FortiToken Replacement.
Solution
To activate FortiToken Mobile on Android/iPhone/iPad devices, complete the following steps:
- Go to User & Authentication -> FortiTokens. If free FortiToken is not listed, it can be imported by selecting 'Import Free Trial Tokens':
If there is an activation code, then on GUI, create a new Hard Token or Mobile Token:
Locate the 20-digit code on the redemption certificate for the license: EFTMXXXXXXXX.
- Go to User & Device -> FortiTokens and select 'Create New'.
- Select 'Mobile Token’ and enter the 20-digit certificate code in the Activation Code box.
- Select 'OK'.
The same steps can be followed on FortiAuthenticator 'Importing Trial Tokens' or adding a license file for FortiToken Mobile or Hardware token.
Go to Authentication -> User Management -> FortiTokens -> Create New, select FortiToken Mobile, enable Get FortiToken Mobile free trial tokens or use the Activation code 0000-0000-0000-0000-0000.
In order to import trial tokens on FortiAuthenticator it is necessary to have internet reachability to connect with FortiGuard servers.
From CLI on FortiGate:
execute fortitoken-mobile import 0000-0000-0000-0000-0000
- Assign and provision tokens to each user who needs to use two-factor authentication.
- Verify that FortiGate has a messaging service enabled. For FortiToken it is required to have at least one SMTP or SMS server gateway.
- Go to System -> Settings.
- Configure an SMTP server.
From CLI:
config system email-server
set server "notification.fortinet.net"
set port 465
set security smtps
end
Enable authentication, if it is required by the server to send email messages.
If a security mode is selected, make sure the TLS tunnel can come up by importing the custom mail servers CA to the FortiGates CA store.
Configure an SMS server for sending SMS messages to support user authentication.
config system sms-server
edit <name>
set mail-server {string}
next
end
- Add a user using the wizard, or edit an existing one (step 2.3):
- If a new one is added, set on step 3 the email address associated with this user or SMS phone number if configuring an SMS server.
- The 'Two-factor Authentication' checkbox must be enabled.
- Select the FortiToken mobile serial to assign to the user.
- If editing the FortiToken of an existing user, use the 'Send Activation Code' button next to the token field.
- If the SMTP or SMS server is configured fine, the user will receive an activation code made of 16 alphanumeric digits.
On the End user side (Mobile):
- Open the FortiToken Mobile app on the smartphone.
- Select add +.
- Open the email of the user (the one of the code was sent out).
- Open the attached graphic in the email of the QR code and point the mobile device camera at the QR code. The QR code is only included in the email activation mode, it will not be available in an SMS.
- Or choose Select 'Enter Manually' select as a Fortinet account and enter the 16-character activation code contained in the email or SMS.
- After adding the token, its name can be edited.
Troubleshooting notes:
If the token selection is empty on the user profile:
Solution :
- Make sure the tokens are available.
- Make sure the FortiGate system email settings are in place.
