Hi,
I have a total of 100 users with FortiToken Mobile and FortiGate. Now I plan to move to FortiAuthenticator.
Can I move 10 users to FortiAuthenticator and have the remaining 90 users authenticate via FortiGate?
Unfortunately, a token license can be used on one and only one product. You cannot use some of them as FortiGate and some of them as an authenticator.
Hello,
Is the token license for 100 tokens, or do you have multiple licenses?
Best Regards,
Alivo
multiple licenses
You can then ask Fortinet Customer Service to move a license from one device to another.
Best Regards,
Alivo
A tiny bit more clarification: FortiToken Mobile tokens are bound to packs, i.e. licenses (min. qty. 5 AFAIK).
Those licenses are then activated from a single device or cluster, and from then on are bound to the serial number of the device (like FortiGate/FortiAuthenticator) or the master of the cluster. A cluster is a specific scenario and a sort of exception to the general licensing model in Forti*.
Because tokens need to be shared across the cluster, the cluster master tells FortiGuard who the cluster members are. Because any token management action, like assignment to a user, is authorized through FortiGuard (which is also used as a mediator between the FortiGate/FortiAuthenticator unit and the mobile devices bearing the FortiToken Mobile app), FortiGuard needs to know who is eligible to make admin changes and manage token assignments.
Therefore tokens can be moved by those license packs, and whole packs only, by moving the license between units.
Licenses can be stacked.
Therefore, if you have 10 times a 10-token pack/license (100 in total) and want to move just some of those, then you can move a single 10-token pack.
Unfortunately, you are not free to move any tokens; all of them have to be from the same pack/license.
The GUI or CLI will tell you the license number for every individual token (for example):
<code>
C3 # show user fortitoken
config user fortitoken
    edit "FTKMOB121D29EDD2"
        set license "FTMTRIAL090E76B9"
    next
    edit "FTKMOB12CE85AB07"
        set license "FTMTRIAL090E76B9"
    next
end
</code>
However, as you mentioned, you are going to move those tokens to FortiAuthenticator. Then how about moving them all? With users. And set your FortiGate to use that FortiAuthenticator, let's say as a RADIUS server, and so set a RADIUS Client and policy on that FortiAuthenticator to handle the tokens from that central point.
Because this is another way to split a FortiToken Mobile license, even one by one: simply by putting all the tokens on a FortiAuthenticator and then assigning tokens to separate users, which could then be split across multiple RADIUS Clients, like FortiGates (or even 3rd party if those are capable of handling the standard RADIUS Access-Challenge handshake). So you can have 3 users/admins on one FortiGate, 7 others somewhere else, no matter if those are from the very same 10-token pack, because they are on FortiAuthenticator as a single device and split later by config, not affected by the license-on-single-point model.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
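The pack-level constraint described in the post above, as an added example that is not part of the original post or any Fortinet tooling: a small parser for `show user fortitoken` output that groups token serials by license and reports which whole packs would have to move for a chosen set of tokens. The function names and the third token/second license in the sample are assumptions made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two entries are the ones shown in the post;
# the third token and the second license are made-up placeholders.
SAMPLE = """\
config user fortitoken
    edit "FTKMOB121D29EDD2"
        set license "FTMTRIAL090E76B9"
    next
    edit "FTKMOB12CE85AB07"
        set license "FTMTRIAL090E76B9"
    next
    edit "FTKMOB-EXAMPLE-0003"
        set license "FTM-EXAMPLE-PACK-B"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')
LICENSE_RE = re.compile(r'^\s*set\s+license\s+"([^"]+)"')

def tokens_by_license(cli_text):
    """Map license number -> sorted list of token serials bound to it."""
    packs = defaultdict(list)
    current = None  # serial of the 'edit' block we are inside, if any
    for line in cli_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = LICENSE_RE.match(line)
        if m and current:
            packs[m.group(1)].append(current)
        elif line.strip() == "next":
            current = None
    return {lic: sorted(serials) for lic, serials in packs.items()}

def packs_to_move(cli_text, wanted_serials):
    """Return {license: every serial in that pack} for each pack a wanted token belongs to."""
    packs = tokens_by_license(cli_text)
    wanted = set(wanted_serials)
    unknown = wanted - {s for serials in packs.values() for s in serials}
    if unknown:
        raise ValueError(f"serials not in config: {sorted(unknown)}")
    return {lic: serials for lic, serials in packs.items() if wanted & set(serials)}
```

Picking a single token from a pack returns every token in that pack, which is the set that leaves the unit when the license is moved.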
Thank you @xsilver_FTNT for the great explanation on this topic. Is it the same for physical tokens? Can they also not be split up like you mentioned above for mobile tokens?
Thank you @xsilver_FTNT for the great explanation on this topic. Is it the same for hardware tokens? Not being able to be split up?
Hardware tokens are similar (license-based, per pack). With one exception: they must be reset in FortiGuard system by a support engineer before you can associate them with another unit (FTK200).
For FTK220 (tokens with the seed on CD), the 'reset' is not needed, but you must add the token seed manually in the new unit.