Help
FortiToken
FortiToken Mobile is an application for iOS or Android that acts like a hardware token but utilizes hardware the majority of users possess, a mobile phone.
dalon
Staff
Staff

Created on ‎06-05-2015 03:09 AM Edited on ‎09-16-2024 04:50 AM By Staff

Article Id 194508

Technical Tip: FortiToken basic troubleshooting

Description

This article describes the first steps to take in case of FortiToken activation failure.
If the configuration has been migrated from another unit, the tokens will not work unless they are completely removed first, and then re-imported.
 
Scope
FortiGate.


Solution

 

Step 1: General view:
 
exec ping fds1.fortinet.com
exec ping directregistration.fortinet.com
show system central-management
 
The above servers must be reachable from FortiGate CLI.
When a FortiManager manages the system, skip the next steps as the tokens should be provided by FortiManager itself.

Step 2: Current status check:
 
diag fortitoken info
diag test application forticldd 7
show user fortitoken
 

Step 3: Run the following command:

 
show full | grep -f FTK
 
  1. If the token has the 'set seed...' displayed in 'show user', but it shows an error in 'fortitoken info', delete this FortiToken first.
  2. If the token is displayed without the "set seed...", line can be activated as in step 5b.

Step 4: Turn on activation debugging:

 
diag debug reset
diag debug console time en
diag debug app forticldd 255
diag fortitoken debug enable
diag debug enable
diag debug info
 
FortiToken 200 is activated through the FortiGuard network and is locked upon first activation (one-time activation lock). If the Tokens lock was released recently, there is only one chance to activate and catch an error if an issue occurs.

Step 5a: If the token was deleted as per step 3a., run only this command (and skip the activation):
 
config user fortitoken
    edit <FortiTokenSN>
end 
 
Step 5b: Otherwise, activate it:
 
exec fortitoken activate <FortiTokenSN>
diag fortitoken info | grep -v active 
 
All tokens should be active and should have the seed in config:
 
diag fortitoken info
show user fortitoken
disable debug
diag debug reset
diag debug disable
 
To verify whether the FortiToken activation code is sending or not, collect the below command output:
 
sh system email-server
diag debug reset
diag debug appl alertmail -1
diag debug enable
 
After initiating the above commands, then select 'Send Activation Code' under User&Authentication -> User Definition -> Edit the user.
 
Related articles
58052
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.