Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiAuthenticator offline authentication toke...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator offline authentication token issue
Hello
We have FAC version 6.4.9, with Windows agent version 4.3, 2FA with FortiToken mobile.
While online authentication works just fine, sometimes some users fail to login when they open a Windows session in offline mode (disconnected from the Corp network). The error shown on Windows login screen is user and password incorrect with "Offline Tokens: None Available".
As this behavior appears from time to time it becomes a real issue, especially when the user is offsite as we can't assist him.
Any hint to fix or troubleshoot the issue would be appreciated.
AEK
AEK
Labels:
- Labels:
-
FortiAuthenticator
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AEK
In case of this user using offline token , l would suggest to delete offline token for this user from FAC Agent- Simulation Tab there is an option to delete these file of offline token downloaded on this PC.
Then the user need to login on local network first ,an new list of offline token will be downloaded automatically from FAC to end user PC and then you can test it again to login using offline token.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Braha, and thanks for your feedback.
Actually we could fix the issue in a simple way just by disabling the offline authentication on the Windows agent, then enabling it again.
Actually this is a workaround and it works, however the problem is that when user is offsite and can't connect due to this issue then it is difficult to assist him and sometimes not even possible, so we are trying to find a good solution that will prevent such behavior to happen once for all.
Meanwhile and besides, any quick & secure workaround is welcome. I'm think about enabling emergency code (or other good temporary solution), however I'm wondering how secure is this solution comparing with TOTP token and what is the best practice for it.
Any further advice would be appreciated.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
By default this file is save in the following path: C:\Program Files\Fortinet\FortiAuthenticator Agent\Offline\ and its valid for 7 days but can be increased on FAC side but for some reason when user authenticate using one token and which is compared with this list it may fail, so this token code it may be not in this list.
That's why l asked to delete this file and logout/login from PC in a local network will download automatically another list from FAC.
Regarding Emergency token it is secure but it can only used on cases when user does not have access to his phone but l think cannot be used every day.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Braha for your valuable advice.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To clarify a bit on Emergency token:
- this can be enabled in a user account on FortiAuthenticator
- this sends an Email or SMS one time (with a code) if the user reports the token lost or otherwise unusable
- the Emergency token is automatically disabled after one use, so it cannot be abused to get around the actual token requirement
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We finally found that the issue was caused by a couple of misconfigurations:
- Upgraded the Windows agent from 4.3 to 5.3
- Some users had their mobile phone not synchronized with NTP server -> This one has been fixed just by enabling auto date/time on the phone
- One user had the character "ç" in his username. TAC support said it not supported for offline token -> We had to migrate his domain account to a new one without "ç" character
AEK
AEK
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- TACACS+ Not Reading User Group for... 128 Views
- Can I implement OWA MFA using... 227 Views
- What FortiOS Event Logs should i... 897 Views
- FortiAuthenticator Create multiple realm "host" to... 467 Views
- How to Configure FortiAuthenticator as RADIUS... 289 Views
Labels
-
FortiGate
8,101 -
FortiClient
1,628 -
5.2
801 -
FortiManager
683 -
5.4
639 -
FortiAnalyzer
519 -
FortiSwitch
429 -
FortiAP
429 -
6.0
416 -
FortiClient EMS
366 -
5.6
362 -
FortiMail
302 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
180 -
FortiNAC
164 -
IPsec
155 -
6.4
128 -
FortiGuard
126 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
91 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
71 -
4.0MR3
64 -
Firewall policy
59 -
FortiProxy
53 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
DNS
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
BGP
32 -
SAML
31 -
Interface
30 -
Certificate
30 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Logging
18 -
Traffic shaping
17 -
FortiPAM
17 -
FortiMonitor
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
System settings
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1529 | |
| 1027 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.