Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
technician
New Contributor

Two Factor Authentication

Hi, we recently purchased a Fortigate 61E and part of the project was to have Fortitoken for two factor authenticaton. The Tokens were already imported by the vendor, so basically I see them under 

 

User and Device > FortiTokens

 

I followed the instructions on the Token document, a PDF file included are the serial, token activation, etc, so It says on that is to create a user, send the activation via SMS or email but I chose SMS. On my iphone I downloaded the FortiMobile to activate it. I can now see the generated token after a minute I think. 

 

My question is, is this the token for SSL VPN? or is this the token whenever I want my account/username to access the GUI page of the Fortigate? Sorry kind of confuse. I tried to enable 2Factor on the account under administrators (account in accessing FW GUI) but it didn't work. 

 

I'm not sure what I'm doing wrong here. I checked the FortiTokens tab again and it shows me the serial of the token and next to that is the status which is 'pending' and the username I created. 

 

Thanks

Jeff

1 REPLY 1
xsilver_FTNT
Staff
Staff

from your text I guess you are talking about FortiAToken Mobile (there are 4 other models of FortiTokens).

 

Pending means usually that there is some unfinished action, like activation.

So tokens were probably correctly added into the FGT but not activated on mobile device, or this activation on mobile device was not propagated back to FGT.

Check network connectivity especially reachability bellow mentioned URLs .. 

 

## get general info about the system get system status get system dns exec ping fds1.fortinet.com exec ping directregistration.fortinet.com show sys central show full sys central

## 2. ## current status check diag fortitoken info show user fortitoken show full | grep -f FTK

## 3. ## turn on debug diag debug reset diag debug console time en diag debug app forticldd 255 diag fortitoken debug enable diag debug en diag debug info

## 4. test assign token to the user and activate the token from mobile device, let the debug running for at least 10 minutes after activation attempt

## 5. ## turn off debug diag debug reset diag debug disable diag fortitoken debug disable diag debug info

 

 

Above should answer the question where is the issue. Network, DNS, Token, Mobile Device ?

 

To the other part, yes, token can be used by either user or admin account to authenticate. It's second factor of authentication, mandatory complement to clasic credentials of username and password. It is supposed to work for end users to authenticate to captive portals, SSL/IPSEC VPNs etc. Or admin users to access FGT GUI and CLI.

One token per user. Token cannot be assigned to more than one account user or admin.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors