FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
parthpatel
Staff
Article Id 306487
Description: This article describes hardware tokens that stop working for MFA after a firewall migration.
Scope: FortiGate.
Solution

To move hardware tokens from one firewall to another, submit a request to the TAC team. Once the tokens have been migrated, import them onto the new firewall with the license file.

Once the tokens are imported on the new firewall, they should be available to assign to users. If, after a token is assigned, the user cannot use it for MFA or receives an invalid token error, check the following.

Run the fnbamd debug on the firewall to confirm the error with the tokens:

diagnose debug application fnbamd -1
diagnose debug enable

---- try to log in with the hardware token ----

diagnose debug disable

Check the debug output for the error; it may show messages like the following:

2024-03-18 08:14:45 [2048] handle_req-Rcvd auth_token rsp for req xxxxxx
2024-03-18 08:14:45 [2097] handle_req-Check token '100' with user 'tes'
2024-03-18 08:14:45 [2116] handle_req-Verify(user=p00317 vdom=root token_code=100) returns -30113
2024-03-18 08:14:45 [2167] handle_req-Token check failed, result -30113

This confirms that the token is assigned to the user but has not been activated properly. To verify, run 'diagnose fortitoken info', which lists the tokens imported on the firewall together with their status:


FORTITOKEN DRIFT STATUS
FTK2000000000 0 new


The status of the token assigned to the user should be active. If the status shows an error, try re-importing the token. If the status shows new, run the command below to activate the token:

execute fortitoken activate <FTK serial number>

Re-run 'diagnose fortitoken info' to check the status; it should now show active:


FORTITOKEN DRIFT STATUS
FTK2000000000 0 active


Once the status is correct, test the login with the user; there should be no further MFA errors.
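The checks above can be automated when many tokens were migrated at once. The following is an added example, not part of the original article or of FortiOS: it parses constructed samples of the fnbamd debug output and of the 'diagnose fortitoken info' table shown above, reports the token check result code, and lists the tokens still in 'new' state together with the activation command for each (serials are placeholders).

```python
import re

# Constructed sample of the fnbamd debug output shown in this article.
FNBAMD_DEBUG = """\
2024-03-18 08:14:45 [2048] handle_req-Rcvd auth_token rsp for req xxxxxx
2024-03-18 08:14:45 [2097] handle_req-Check token '100' with user 'tes'
2024-03-18 08:14:45 [2116] handle_req-Verify(user=p00317 vdom=root token_code=100) returns -30113
2024-03-18 08:14:45 [2167] handle_req-Token check failed, result -30113
"""

# Constructed sample of 'diagnose fortitoken info' output (placeholder serials).
FORTITOKEN_INFO = """\
FORTITOKEN DRIFT STATUS
FTK2000000000 0 new
FTK2000000001 0 active
"""

TOKEN_FAIL_RE = re.compile(r"Token check failed, result (-?\d+)")
TOKEN_ROW_RE = re.compile(r"^(FTK\S+)\s+(-?\d+)\s+(\S+)$")


def token_failures(debug_output):
    """Return the result code of every failed token check in the fnbamd debug."""
    return [int(m.group(1)) for m in TOKEN_FAIL_RE.finditer(debug_output)]


def parse_fortitoken_info(info_output):
    """Map serial -> (drift, status) from the 'diagnose fortitoken info' table."""
    tokens = {}
    for line in info_output.splitlines():
        m = TOKEN_ROW_RE.match(line.strip())
        if m:  # header line and blank lines do not match
            tokens[m.group(1)] = (int(m.group(2)), m.group(3))
    return tokens


def tokens_needing_activation(info_output):
    """Serials still in 'new' state: imported but never activated."""
    return [s for s, (_, status) in parse_fortitoken_info(info_output).items()
            if status == "new"]


def activation_commands(info_output):
    """Build the 'execute fortitoken activate' command for each unactivated token."""
    return [f"execute fortitoken activate {s}" for s in tokens_needing_activation(info_output)]


if __name__ == "__main__":
    print("token check result codes:", token_failures(FNBAMD_DEBUG))
    for cmd in activation_commands(FORTITOKEN_INFO):
        print(cmd)
```

Paste the real output of both commands into the two sample strings (or read them from files) and run the script; tokens reported as 'new' are the ones to activate before retesting the user.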