Managing FortiTokens

This section focuses on the following:
  1. Resending an activation email
  2. Locking/unlocking FortiTokens
  3. Managing drift
  4. Deactivating FortiTokens
  5. Moving FortiTokens to another device

Resending an activation email

To resend an activation email/SMS for a mobile token on a FortiGate:
  1. Go to User & Device > User Definition.
  2. Double-click on the user to edit.
  3. Click Send Activation Code Email from the Two-factor Authentication section.

Locking/unlocking FortiTokens

To change FortiToken status to active or to lock using the CLI:

    config user fortitoken
        edit <token_serial_num>
            set status <active | lock>
        next
    end

A user attempting to log in using a locked FortiToken cannot successfully authenticate.

Managing drift

Managing FortiTokens drift

If the FortiToken has drifted, the following must take place for the FortiToken to resynchronize with FortiOS:
  1. FortiOS prompts the user to enter a second code to confirm.
  2. The user gets the next code from the FortiToken. They enter the code at the prompt.
  3. FortiOS uses both codes to update its clock to match the FortiToken.

If you still experience clock drift, it may be the result of incorrect time settings on your mobile device. If so, make sure that the mobile device clock is accurate by confirming the network time and the correct timezone.

If the device clock is set correctly, the issue could be the result of the FortiGate and FortiTokens having been initialized before an NTP server was configured. This results in a time difference too large for the synchronize function to correct. To avoid this, the drift of selected tokens can be adjusted manually.

To show current drift and status for each FortiToken from the CLI:

    diagnose fortitoken info

    FORTITOKEN          DRIFT   STATUS
    FTK200XXXXXXXXXC    0       token already activated, and seed won't be returned
    FTK200XXXXXXXXXE    0       token already activated, and seed won't be returned
    FTKMOBXXXXXXXXXA    0       provisioned
    FTKMOBXXXXXXXXX4    0       new

    Total activated token: 0
    Total global activated token: 0
    Token server status: reachable

This command lists the serial number, drift, and status of each configured FortiToken, so you can check whether the FortiGate needs to be synchronized with any particular FortiToken.

To adjust Mobile FortiToken for drift from the CLI:

    exec fortitoken sync <FortiToken_ID> <token_code1> <next_token_code2>
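As an added illustration (not Fortinet code, and not FortiToken's actual algorithm or parameters), the following Python models how a two-code resync such as the one above can derive a clock offset from a generic RFC 6238 TOTP token, and why a drift beyond the search window cannot be corrected. The 30-second step, 6-digit codes, 10-step window, and seed are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

STEP = 30        # assumed time step in seconds (RFC 6238 default, not FortiToken's)
DIGITS = 6       # assumed code length
MAX_DRIFT = 10   # assumed resync window, in steps, on either side of the server clock


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int, drift_steps: int = 0) -> str:
    """TOTP code for the step containing `now`, shifted by a stored per-token drift."""
    return hotp(secret, now // STEP + drift_steps)


def resync(secret: bytes, server_now: int, code1: str, code2: str):
    """Model of the two-code resync: search the window for a step offset at which
    code1 and code2 land on consecutive steps. Requiring two consecutive codes,
    rather than one, keeps a single guessed code from matching somewhere in the
    window. Returns the new drift in steps, or None when the token is outside
    the window (the "too large to correct" case described in the text)."""
    base = server_now // STEP
    for d in range(-MAX_DRIFT, MAX_DRIFT + 1):
        if hotp(secret, base + d) == code1 and hotp(secret, base + d + 1) == code2:
            return d
    return None


if __name__ == "__main__":
    # Constructed seed and clocks: the token runs 4 steps (2 minutes) ahead of the server.
    seed = b"constructed-seed-0123456789"
    server_now = 1_700_000_000
    token_now = server_now + 4 * STEP
    first, second = totp(seed, token_now), totp(seed, token_now + STEP)
    drift = resync(seed, server_now, first, second)
    print("recovered drift (steps):", drift)
    # With the recovered drift stored, the server now accepts the token's current code.
    print("server now matches token:", totp(seed, server_now, drift) == first)
    # A token 50 steps out is beyond the window and cannot be resynchronized this way.
    far = server_now + 50 * STEP
    print("far-drifted token:", resync(seed, server_now, totp(seed, far), totp(seed, far + STEP)))
```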

Deactivating FortiTokens

To deactivate FortiToken on a FortiGate:
  1. Go to User & Device > User Definition.
  2. Select and edit the user for which you want to deactivate the token.
  3. Disable the Two-factor Authentication toggle.
  4. Click OK. The token will be removed from the user's Two-factor Authentication column. The user will also be removed from the token's User column under User & Device > FortiTokens.

Moving FortiTokens to another device

FortiTokens can only be activated on a single FortiGate or FortiAuthenticator. To move FortiTokens to another device, you must first reset the FortiTokens registered on the current device and then reactivate them on the other device.

To reset Hard tokens registered to a FortiGate appliance (non-VM model), you can reset all hardware FTK200 tokens from the Support Portal or during an RMA transfer. See the Migrating users and FortiTokens to another FortiGate KB article for more information.

Note

The above process will reset all Hard tokens and you cannot select individual tokens to reset.

To reset FortiToken Mobile, a single Hard token, a Hard token registered to a VM, and so on, an administrator must contact Customer Support and/or open a ticket on the Support Portal.

Once reset, the FortiTokens can be activated on another FortiGate or FortiAuthenticator.
