FortiGate
pdelapena
Staff
Article Id 208694

Description

 

This article describes how to troubleshoot the ‘Authentication failure’ error that occurs when accessing FortiGate with 2FA (FortiToken Mobile) because the FortiGate's date/time is wrong and/or NTP is not working.

 

Scope

 

FortiGate and FortiToken.

 

Solution

 

This specific issue concerns the ‘Authentication failure’ error that occurs when trying to access the FortiGate with 2FA using an admin user whose FortiToken has been successfully provisioned, even though the correct username, password, and FortiToken code are entered.

 

This is caused by a wrong date/time and/or NTP issues on the FortiGate. The FortiToken code is time-based, so the code generated on the phone is only accepted if the FortiGate's clock is close enough to the phone's clock.

The same error can also be observed if the mobile phone's time settings are incorrect.
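To illustrate why the clock matters, here is an added example (not FortiToken's or Fortinet's code): a generic RFC 6238 TOTP verifier with an assumed 30-second step, 6 digits, a constructed demo seed, and an assumed ±1-step acceptance window that stands in for the DRIFT value. It shows that the code the phone generates is accepted when both clocks agree, accepted with a recorded drift for a small offset, and rejected when the firewall's clock is an hour off.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed, NOT a real FortiToken seed.
DEMO_SECRET = b"constructed-seed-0001"
STEP_SECONDS = 30   # assumed RFC 6238 time step
DIGITS = 6          # assumed code length
DRIFT_WINDOW = 1    # assumed: accept codes from +/- this many steps around "now"


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP (HMAC-SHA1, dynamic truncation) over floor(unix_time / step)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, code: str, server_time: int, window: int = DRIFT_WINDOW):
    """Return (accepted, drift_steps).

    drift_steps is the step offset at which the code matched, in the spirit of
    the DRIFT column of 'diagnose fortitoken info'; None if nothing in the
    window matched."""
    for drift in range(-window, window + 1):
        candidate = totp_code(secret, server_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True, drift
    return False, None


def simulate_login(phone_time: int, firewall_time: int):
    """The phone derives the code from its own clock; the firewall checks it
    against its clock. Returns (accepted, drift_steps)."""
    code = totp_code(DEMO_SECRET, phone_time)
    return verify_code(DEMO_SECRET, code, firewall_time)


if __name__ == "__main__":
    now = int(time.time())
    print("clocks in sync:    ", simulate_login(now, now))
    print("firewall 20s slow: ", simulate_login(now, now - 20))
    print("firewall 1h slow:  ", simulate_login(now, now - 3600))
```

Fixing the firewall clock (or NTP) is the equivalent of bringing `firewall_time` back within the window; the token itself was never at fault.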



Troubleshooting

 

Step 1: Using the backup admin account, verify that the FortiToken was successfully provisioned to the admin user who is having the problem.

FGT # diagnose fortitoken info

FORTITOKEN      DRIFT STATUS
FTKMOBxxxxxxxxxx 0    new
FTKMOBxxxxxxxxxx 0    provisioned   <----- successfully provisioned (admin2)

 

FGT # show system admin admin2

config system admin
    edit "admin2"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKxxxxxxxxxxxxx"
        set email-to example@email.com
        set password ENC SH2ZPWyfet4C9kUh3wgvF8XKEA8Ih+TeSf7hyaJndBvM=
    next
end

 

FGT # show user fortitoken

config user fortitoken
    edit "FTKxxxxxxxxxxxxx"
        set license "FTMTRIALxxxxxxxx"
        set activation-code "EEIP6SGPPW3DH3LW"
        set activation-expire 1649933251
        set reg-id "da9e054e88abad068c4664c7e4b706b490ad4990d085dfe4"
        set os-ver "5.4.2_IOS"
    next
end
 

Step 2: Check whether the FortiGate’s time was last synchronized a long time ago or whether NTP has problems.

The commands below can be used to verify this.

Check the mobile phone’s time settings as well.

 

# execute time                 <----- check if the date/time is correct
# diagnose system ntp status     <----- check if the NTP servers are reachable

 

Step 3: If there are significant differences in date/time, manually adjust the system time and date. Revert to the original settings once the test has been done.

 

Also troubleshoot NTP if it is not synchronized or the NTP servers are unreachable. Refer to the links below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshoot-NTP-synchronization-issue/ta-...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-the-system-time/ta-p/192907

 

Step 4: Once the time issues have been resolved, retry logging in using the admin credentials with FortiToken 2FA. Test if the FortiGate can be successfully accessed.

[Screenshots: successful authentication and login to FortiGate]

If the issue persists, create a TAC ticket for further checking.

Note

Before a FortiToken is assigned to an admin user, make sure a backup admin user with the super_admin profile exists, so that the FortiGate can still be accessed if there are problems with the admin account provisioned with FortiToken Mobile 2FA.

 

If the backup admin user mentioned above was not created, refer to this link to regain access to the admin user after FortiToken issues:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Admin-user-lost-FortiToken-Token-is-...

Credits to the creators of the articles used in this link.