When checking the SSL VPN/IKE debugs, the logs will show 'Token check failed' even though the user is authenticated successfully using RADIUS/LDAP:

2025-06-24 12:55:03 [2354] handle_req-Token check failed, result -30113
2025-06-24 12:55:03 [755] __ldap_destroy-
2025-06-24 12:55:03 2025-06-24 12:55:03 [3431:root:bee]2025-06-24 12:55:03 [755] __ldap_destroy-
fam_auth_proc_resp:1371 fnbam_auth_update_result return: 1 (invalue username/password)
2025-06-24 12:55:03 [755] __ldap_destroy-
2025-06-24 12:55:03 2025-06-24 12:55:03 [3431:root:bee][fam_auth_proc_resp:1472] Authenticated groups (22) by FNBAM with auth_type (16):
2025-06-24 12:55:03 [1086] fnbamd_ext_idps_destroy-
.
2025-06-24 12:55:03 [3431:root:bee]login_failed:405 user[test.user],auth_type=16 failed [sslvpn_login_permission_denied]

'Token check failed' usually indicates the FortiToken is not activated.

• The output of the FortiToken shows the status as 'Provisioning' instead of 'Provisioned'.
  
  

diagnose fortitoken info

FORTITOKEN DRIFT STATUS
FTKMOBXXXXXXXXXX 0 Provisioning <----- This should be 'Provisioned'.

• Deactivation and assignment of another FortiToken to the user fixes this problem.

To deactivate a FortiToken for the user, see Deactivating a FortiToken - FortiToken documentation.

To assign FortiToken to a user:

To assign FortiToken to a local user via CLI:

   config user local

       edit test_user  -----------------> Set username.

           set passwd test1243 ---------------> Set a strong user password.

           set two-factor fortitoken

           set fortitoken FTKMOBXXXXXXXXXX   ----------> Hit tab, the available token will populate.

           set email-to test_user@test.org   ---------------> Enter user email.

           set status enable

   end