Description
This article describes how to troubleshoot the ‘Authentication failure’ issue upon accessing FortiGate with 2FA (FortiToken Mobile) due to the wrong date/time and/or NTP problems in FortiGate.
Scope
FortiGate and FortiToken.
Solution
In this specific issue, the ‘Authentication failure’ error appears when trying to access the FortiGate with 2FA using an admin user that has a successfully provisioned FortiToken, even though the correct username, password, and FortiToken code are entered.
This is caused by a wrong date/time and/or NTP issues on the FortiGate: the FortiToken Mobile code is time-based, so if the FortiGate's clock differs from the phone's clock by more than the accepted window, a correct code is rejected.
The same symptom can also be observed if the mobile phone's time settings are incorrect.
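To show why a wrong clock produces ‘Authentication failure’ even with a correct code, the following added example (not Fortinet code, and not the FortiGate's actual validation logic) implements the RFC 6238 time-based one-time password that FortiToken Mobile style apps use and checks it against a server whose clock is off by a chosen number of seconds. The secret is the RFC 6238 reference seed used purely as a constructed demo value; the ±1 time-step acceptance window is an assumed demo parameter, not the FortiGate's documented tolerance.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference seed, used here only as a constructed demo secret.
# A real FortiToken Mobile seed is provisioned by the FortiGate and never
# appears in the CLI output shown in this article.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30          # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6              # FortiToken Mobile displays 6-digit codes
# Assumed tolerance: accept the code for one step before/after the current one.
# This is a demo parameter, NOT the FortiGate's documented window.
DRIFT_STEPS = 1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time password for a given counter (RFC 4226)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Code the token app would display at a given Unix time (RFC 6238)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int,
                drift_steps: int = DRIFT_STEPS) -> bool:
    """Server-side check: accept the code if it matches any step inside the drift window."""
    counter = server_time // TIME_STEP
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def simulate_login(phone_time: int, server_clock_offset: int) -> bool:
    """The phone generates a code at phone_time; the verifying device's clock
    is server_clock_offset seconds away from the phone's clock."""
    code = totp(DEMO_SECRET, phone_time)
    server_time = phone_time + server_clock_offset
    return verify_totp(DEMO_SECRET, code, server_time)


if __name__ == "__main__":
    now = 1234567890  # constructed phone time
    for offset in (0, 30, -30, 90, 3600, -86400):
        result = "login OK" if simulate_login(now, offset) else "Authentication failure"
        print(f"device clock off by {offset:>7} s -> {result}")
```

Running the block shows that a clock skew of one step still authenticates while skews of 90 seconds or more are rejected, which is exactly the behaviour seen on a FortiGate whose time was never synced or whose NTP servers are unreachable. Fixing the clock (or NTP) restores the overlap between the phone's and the FortiGate's time steps.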
Troubleshooting.
Step 1: Using the backup admin account, verify that the FortiToken was successfully provisioned to the admin user that has the problem.
FGT # diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOBxxxxxxxxxx 0 new
FTKMOBxxxxxxxxxx 0 provisioned <----- successfully provisioned (admin2)
FGT # show system admin admin2
config system admin
edit "admin2"
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKxxxxxxxxxxxxx"
set email-to example@email.com
set password ENC SH2ZPWyfet4C9kUh3wgvF8XKEA8Ih+TeSf7hyaJndBvM=
next
end
FGT # show user fortitoken
config user fortitoken
edit "FTKxxxxxxxxxxxxx"
set license "FTMTRIALxxxxxxxx"
set activation-code "EEIP6SGPPW3DH3LW"
set activation-expire 1649933251
set reg-id "da9e054e88abad068c4664c7e4b706b490ad4990d085dfe4"
set os-ver "5.4.2_IOS"
next
end
Step 2: Check whether the FortiGate’s time was last synced a long time ago or whether NTP has problems.
The commands below can be used to verify this.
Check the mobile phone’s time settings as well.
# execute time <----- check if the date/time is correct
# diagnose system ntp status <----- check if the NTP servers are reachable
Step 3: If there are significant differences in date/time, manually adjust the system time and date. Revert to the original settings once the test has been done.
Also troubleshoot if NTP is not synchronized or the NTP servers are unreachable. Refer to the links below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshoot-NTP-synchronization-issue/ta-...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-the-system-time/ta-p/192907
Step 4: Once the time issues have been resolved, retry logging in using the admin credentials with FortiToken 2FA and confirm that the FortiGate can be accessed successfully.
Successful authentication and login to FortiGate
***If the issue still persists, create a TAC ticket for further checking.
Note.
Before a FortiToken is assigned to an admin user, ensure that a backup admin user with the super_admin profile exists, so that the FortiGate can still be accessed if there are problems with the admin account provisioned with FortiToken Mobile 2FA.
If this was not done, refer to the link below to regain access with the admin user after FortiToken issues.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Admin-user-lost-FortiToken-Token-is-...
Credits to the creators of the articles used in this link.
Copyright 2023 Fortinet, Inc. All Rights Reserved.