Hi,
I got total 100 users with FortiToken Mobile and FortiGate. Now I plan to move to FortiAuthenticator.
Can I move 10 users to FortiAuthenticator and keep the remaining 90 users authenticating via FortiGate?
Hi FortiTinker,
Hardware token models are sold in packs, but they do bear their own serial numbers and are independent units!
Therefore you can add and activate them on FortiGate via a list of serial numbers (for example from purchase/delivery documents, or one made manually) as a bulk operation.
But you can also add them one by one in FortiGate / GUI / User & Authentication / FortiTokens, or in FortiAuthenticator, and split the purchased pack as you want. They are NOT bonded by any 'license' at all.
Bear in mind that every single HW FortiToken can be activated on one device only!
A "One-time Activation Lock" is then applied by FortiGuard (used by FortiGate/FortiAuthenticator for activation of the token) to protect the "seed", which is the ultra-sensitive part of the token computation algorithm.
However, the same HW (in contrast to SW) token can be added and re-activated on multiple devices. But the One-time Activation Lock has to be released first, and Fortinet's TAC support can help you with this via a Technical Ticket.
Such re-activation does not affect performance and usability of the token on the previous device. After lock release you, again, have just one activation attempt, during which the token seed will be locked again.
The lock applies during the activation attempt and prevents any re-activation, even if it were tried from the very same FortiGate/FortiAuthenticator unit!
This lock does NOT apply to CD models, as their seeds are delivered WITH the tokens and are not stored anywhere online. Therefore activation of CD tokens is solely a local task, and so those are the solution for having tokens in "walled-garden" internal places where you would not be able to activate tokens because your device is not allowed to reach out even to FortiGuard.
An alternative to having HW tokens re-activated on multiple devices is to use centralized authentication via FortiAuthenticator: have users and tokens in one place and, for example, authorize users from FortiGate through FortiAuthenticator via RADIUS.
An alternative to central management of HW tokens can be FortiToken Cloud.
This applies to HW models using TOTP (so FortiToken 300 {HW as well} is excluded).
Models we talk about:
- FortiToken 200 (older one, EOS)
- FortiToken 200B (successor of 200 model)
- FortiToken 220
- respective "CD" variants of above so for example FortiToken 200BCD
More on Tokens in Data Sheet:
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortitoken.pdf
More on IAM (Identity and Access Management):
https://www.fortinet.com/products/identity-access-management
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
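The split the original question asks about, as an added example (not part of the post above and not Fortinet documentation): a FortiGate CLI fragment that keeps one user on a token activated locally on the FortiGate and sends a second population to FortiAuthenticator over RADIUS, so both can coexist on the same unit. The FortiAuthenticator address 10.0.0.5, the shared secret, the user name and the token serial FTK2000000000001 are placeholders; FortiAuthenticator must also list this FortiGate as a RADIUS client with the same secret, and the tokens for the migrated users are activated and assigned there, not on the FortiGate.

```fortios
# Added example, not from the original post. Placeholders: 10.0.0.5 (FortiAuthenticator),
# the shared secret, the user name "alice", and the token serial FTK2000000000001.

# 1) Users that stay on FortiGate: activate the hardware token locally, then bind it to the user.
#    Each hardware token can be activated only once; a later re-activation elsewhere
#    needs TAC to release the One-time Activation Lock first.
execute fortitoken activate FTK2000000000001

config user local
    edit "alice"
        set type password
        set passwd "ChangeMe-LocalPassword"
        set two-factor fortitoken
        set fortitoken "FTK2000000000001"
    next
end

# 2) Users that move to FortiAuthenticator: FortiGate forwards the credentials
#    (password plus OTP) to FortiAuthenticator acting as a RADIUS server.
config user radius
    edit "FAC-radius"
        set server "10.0.0.5"
        set secret "ChangeMe-RadiusSecret"
    next
end

# 3) Keep the two populations in separate groups so firewall policies and
#    VPN portals can reference either one while the migration is in progress.
config user group
    edit "local-token-users"
        set member "alice"
    next
    edit "fac-users"
        set member "FAC-radius"
    next
end
```

The `set fortitoken` line only succeeds after the serial is present and active in the FortiGate's token list, which is why the activation comes first. Moving a user from the first group to the second means removing the token binding here and assigning that user's token (or a new one) in their FortiAuthenticator user record; the FortiGate-side token is not reusable on FortiAuthenticator without the lock release described above.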