Created on 04-07-2022 08:27 AM
Edited on 08-22-2024 10:14 PM
By Jean-Philippe_P
Description
This article describes how to troubleshoot the ‘Authentication failure’ issue upon accessing FortiGate with 2FA (FortiToken Mobile) due to the wrong date/time and/or NTP problems in FortiGate.
Scope
FortiGate and FortiToken.
Solution
The 'Authentication failure' error appears when trying to access the FortiGate with 2FA using an admin user that has a successfully provisioned FortiToken, even though the correct username, password, and FortiToken code are entered.
This is caused by a wrong date/time and/or NTP issues on the FortiGate.
The same behavior can be observed if the mobile phone's time settings are incorrect.
Troubleshooting.
Step 1: Using the backup admin account, verify if the FortiToken was successfully provisioned to the other admin user with problems.
FGT # diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOBxxxxxxxxxx 0 new
FTKMOBxxxxxxxxxx 0 provisioned <----- successfully provisioned (admin2).
FGT # show system admin admin2
config system admin
edit "admin2"
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKxxxxxxxxxxxxx"
set email-to example@email.com
set password ENC SH2ZPWyfet4C9kUh3wgvF8XKEA8Ih+TeSf7hyaJndBvM=
next
end
FGT # show user fortitoken
config user fortitoken
edit "FTKxxxxxxxxxxxxx"
set license "FTMTRIALxxxxxxxx"
set activation-code "EEIP6SGPPW3DH3LW"
set activation-expire 1649933251
set reg-id "da9e054e88abad068c4664c7e4b706b490ad4990d085dfe4"
set os-ver "5.4.2_IOS"
next
end
Step 2: Check if the FortiGate’s time was synced a long time ago or if the NTP has problems.
It is possible to use the commands below to verify.
Check the mobile phone’s time settings as well.
execute time <----- check if the date/time is correct.
diagnose system ntp status <----- check if the NTP servers are reachable.
Step 3: If there are significant differences in date/time, manually adjust the system time and date. Revert to the original settings once the test has been done.
If NTP is not synchronized or the NTP servers are unreachable, troubleshoot NTP using the links below:
Technical Tip: Troubleshoot NTP synchronization issue
Technical Tip: Setting the system time
Step 4: Once the time issues have been resolved, retry logging in using the admin credentials with FortiToken 2FA. Test if the FortiGate can be successfully accessed.
Successful authentication and login to FortiGate
If the issue persists, create a TAC ticket for further checking.
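Why a clock offset produces 'Authentication failure' even with a correct code can be seen by modelling a time-based OTP check. The following Python is an added illustration, not Fortinet code: it implements RFC 6238 TOTP with an assumed 30-second step, an assumed tolerance of one step either side, and a constructed secret, and returns the step offset (the kind of drift the DRIFT column above tracks) at which the verifier accepts the code, or None once the skew exceeds the window.

```python
"""Model of why clock skew breaks time-based OTP (RFC 6238) checks.

Constructed example; the secret, time step and validation window are
assumptions, not FortiGate's actual FortiToken Mobile parameters.
"""
import hashlib
import hmac
import struct

STEP = 30      # assumed time step in seconds
WINDOW = 1     # assumed tolerance: +/- one step accepted by the verifier
DIGITS = 6
SECRET = b"constructed-shared-secret-1234"  # constructed, not a real token seed


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    msg = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret, code, server_time, window=WINDOW):
    """Return the step offset (drift) at which `code` matches, else None.

    The verifier only tries counters within +/- `window` steps of its own
    clock, so a client whose clock is further off is rejected even though
    the code was correct for the client's own time.
    """
    base = server_time // STEP
    for drift in range(-window, window + 1):
        candidate = totp(secret, (base + drift) * STEP)
        if hmac.compare_digest(candidate, code):
            return drift
    return None


def login_attempt(client_time, server_time):
    """Phone generates a code from its clock; FortiGate checks with its own."""
    return verify(SECRET, totp(SECRET, client_time), server_time)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    print("clocks in sync       :", login_attempt(now, now))
    print("phone 20 s ahead     :", login_attempt(now + 20, now))
    print("FortiGate 10 min slow:", login_attempt(now, now - 600))
```

A small offset lands inside the window and is accepted with a non-zero drift; a FortiGate clock that is minutes off (the case Step 2 checks with 'execute time') falls outside it and every code is rejected.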
Troubleshooting FortiToken cloud.
To troubleshoot an 'Authentication failure' error with FortiToken Cloud, follow these steps to determine if the issue is related to the license:
Step 1: Connect to the FortiGate via console cable. Refer to this guide for detailed instructions on connecting to the FortiGate console port:
Technical Tip: How to connect to the FortiGate console port
Step 2: Log in to the FortiGate device using the admin username and password. When prompted, press 'y' to use the FortiToken Mobile push feature.
Step 3: If the error message 'FortiToken Cloud returns error 402: Payment Required' is received, the FortiToken license has expired and requires renewal.
Note.
Before a FortiToken is assigned to an admin user, ensure that a backup admin user with the super_admin profile exists, so that the FortiGate can still be accessed if there are problems with the admin account provisioned with FortiToken Mobile 2FA.
If no backup admin was created beforehand, refer to this link to regain access for the admin user affected by FortiToken issues:
Troubleshooting Tip: Admin user lost FortiToken / Token is not working