FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
rbraha
Staff
Article Id 335860
Description

 

This article describes how to troubleshoot FortiToken Cloud tokens with local/remote users in FortiPAM.

 

Scope

 

FortiPAM, FortiToken Cloud.

 

Solution

 

To use 2FA with FortiToken Cloud for a user in FortiPAM, both devices (FortiPAM and FortiToken Cloud) should be added under the same account on the portal: https://support.fortinet.com/welcome/#/

 

 

See Technical Tip: Fortinet Support Portal for Product Registration, Contract Registration, Ticket Manag... for steps on how to register products on the portal. 

 

On FortiPAM, configure the local user, enable Two-Factor Authentication, and then assign FortiToken Cloud (FTC):

 

Go to User Management -> User List -> Create New.

 

Figure 1. Creating local user in FortiPAM

 

 


 

The activation code will be sent to the email address specified for the created account.

 

From the email received, scan the QR code and register it in the FortiToken Mobile application on the corresponding mobile phone.

 

After FortiToken Cloud is registered for this local user, it will be listed on FortiToken Cloud with the registered status.

 

Figure 3. Status of token registered on FortiToken Cloud.

 

 

Try to authenticate as this user in the FortiPAM GUI and, in a separate PuTTY session, run the following debug commands on the FortiPAM CLI.

 

diagnose wad debug enable category auth

diagnose wad debug enable category http

diagnose debug enable

 

Figure 4. Testing user credentials and approving token.

 

Figure 5. Debug logs authentication successful.

 

Logs confirm this authentication was successful on FortiToken Cloud (ftc.fortinet.com) under Logs -> Authentication.

 

Figure 6. User authenticated successfully on FortiToken Cloud.

 

For remote users using FortiAuthenticator, the same steps need to be followed using this documentation.