Managing FortiTokens
This section focuses on the following:
- Resending an activation email
- Locking/unlocking FortiTokens
- Managing FortiTokens drift
- Deactivating FortiTokens
- Moving FortiTokens to another device
Resending an activation email
To resend an activation email or SMS for a mobile token on a FortiGate:
- Go to User & Device > User Definition.
- Double-click on the user to edit.
- Click Send Activation Code Email from the Two-factor Authentication section.
Locking/unlocking FortiTokens
To change FortiToken status to active or to lock using the CLI:
config user fortitoken
    edit <token_serial_num>
        set status <active | lock>
    next
end
A user attempting to log in using a locked FortiToken cannot successfully authenticate.
Managing FortiTokens drift
If the FortiToken has drifted, the following must take place for the FortiToken to resynchronize with FortiOS:
- FortiOS prompts the user to enter a second code to confirm.
- The user gets the next code from the FortiToken. They enter the code at the prompt.
- FortiOS uses both codes to update its clock to match the FortiToken.
If you still experience clock drift, it may be the result of incorrect time settings on your mobile device. If so, make sure that the mobile device clock is accurate by confirming the network time and the correct timezone.
If the device clock is set correctly, the issue could be the result of the FortiGate and FortiTokens having been initialized before an NTP server was configured. This results in a time difference that is too large to correct with the synchronize function. To avoid this, selected tokens can be manually adjusted for drift.
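The resynchronization described above, modelled as a generic time-based OTP (RFC 6238 TOTP) resync, is shown in the following added example. This is not FortiOS code and makes no claim about Fortinet's implementation: the seed, the 60-second step, the search window of 100 steps and the helper names are all assumptions chosen for illustration. It shows why two consecutive codes are enough to locate the token's clock, and also the failure mode the text mentions: when the offset is larger than the search window, the resync cannot succeed.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed demo seed; a real FortiToken seed is never exposed like this.
SEED = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 60   # assumed TOTP time step for the model
DIGITS = 6          # assumed code length
MAX_STEPS = 100     # assumed resync search window (+/- steps); beyond this, resync fails


def totp_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP/TOTP code (RFC 4226/6238): HMAC-SHA1 over the 8-byte big-endian
    counter, then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def simulate_token_codes(drift_steps: int, server_time: int) -> Tuple[str, str]:
    """Model a token whose clock is `drift_steps` time steps away from the
    server's clock. Returns the code it shows now and the next code after it,
    i.e. the two codes the user is asked to enter during resync."""
    token_counter = server_time // STEP_SECONDS + drift_steps
    return totp_code(SEED, token_counter), totp_code(SEED, token_counter + 1)


def resync_drift(seed: bytes, code1: str, code2: str, server_time: int,
                 window: int = MAX_STEPS) -> Optional[int]:
    """Search +/- `window` steps around the server's current counter for a
    pair of consecutive counters producing code1 then code2. Returns the
    token's drift in steps, or None if it lies outside the window (the
    'time difference too large to correct' case from the text)."""
    base = server_time // STEP_SECONDS
    for d in range(-window, window + 1):
        if totp_code(seed, base + d) == code1 and totp_code(seed, base + d + 1) == code2:
            return d
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # constructed server time (seconds since epoch)
    c1, c2 = simulate_token_codes(3, now)
    print("token ahead by 3 steps -> measured drift:", resync_drift(SEED, c1, c2, now))
    c1, c2 = simulate_token_codes(150, now)
    print("token ahead by 150 steps -> measured drift:", resync_drift(SEED, c1, c2, now))
```

A single code is ambiguous in principle (the same six digits can recur at different counters), which is why the server requires the next code as well; matching two consecutive counters pins down the offset. Once the drift is known, the server stores it and applies it to that token from then on, which is what the page describes as updating its clock to match the FortiToken.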
To show current drift and status for each FortiToken from the CLI:
diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTK200XXXXXXXXXC 0 token already activated, and seed won't be returned
FTK200XXXXXXXXXE 0 token already activated, and seed won't be returned
FTKMOBXXXXXXXXXA 0 provisioned
FTKMOBXXXXXXXXX4 0 new
Total activated token: 0
Total global activated token: 0
Token server status: reachable
This command lists the serial number and drift for each configured FortiToken. You can check if it is necessary to synchronize the FortiGate and any particular FortiTokens.
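The following added example (not part of the page or of FortiOS) parses the `diagnose fortitoken info` listing shown above and reports which tokens have a non-zero drift and therefore warrant a sync. The sample output is constructed from the page's listing with one drift value changed to 5 so that the check has something to find; the serial numbers are the page's placeholders, and the field layout (serial, drift, status) is taken from the listing rather than from any Fortinet specification.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the page's listing; one drift changed to 5.
SAMPLE_OUTPUT = """\
FORTITOKEN DRIFT STATUS
FTK200XXXXXXXXXC 0 token already activated, and seed won't be returned
FTK200XXXXXXXXXE 5 token already activated, and seed won't be returned
FTKMOBXXXXXXXXXA 0 provisioned
FTKMOBXXXXXXXXX4 0 new
Total activated token: 0
Total global activated token: 0
Token server status: reachable
"""

# One token line: serial, signed integer drift, free-text status.
TOKEN_LINE = re.compile(r"^(FTK\S+)\s+(-?\d+)\s+(.*)$")


def parse_fortitoken_info(text: str) -> List[Dict]:
    """Return one record per token line; header and summary lines are skipped."""
    tokens = []
    for line in text.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if not m:
            continue
        serial, drift, status = m.groups()
        tokens.append({
            "serial": serial,
            "drift": int(drift),
            "status": status.strip(),
            # Prefix-based classification as used in the listing (assumption).
            "kind": "mobile" if serial.startswith("FTKMOB") else "hardware",
        })
    return tokens


def tokens_needing_sync(tokens: List[Dict], threshold: int = 0) -> List[str]:
    """Serials whose absolute drift exceeds `threshold` (0 means any drift)."""
    return [t["serial"] for t in tokens if abs(t["drift"]) > threshold]


def token_server_status(text: str) -> Optional[str]:
    """Extract the 'Token server status' value, or None if the line is absent."""
    m = re.search(r"^Token server status:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    parsed = parse_fortitoken_info(SAMPLE_OUTPUT)
    for t in parsed:
        print(f"{t['serial']:20} {t['kind']:9} drift={t['drift']:3}  {t['status']}")
    print("needs sync:", tokens_needing_sync(parsed))
    print("token server:", token_server_status(SAMPLE_OUTPUT))
```

Running this over the real command output (captured from the CLI, for example through an automation session) turns the manual check into a list of serials to pass to the `exec fortitoken sync` command; an unreachable token server status is worth surfacing too, since activation and some mobile-token operations depend on it.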
To adjust a FortiToken Mobile for drift from the CLI:
exec fortitoken sync <FortiToken_ID> <token_code1> <next_token_code2>
Deactivating FortiTokens
To deactivate a FortiToken on a FortiGate:
- Go to User & Device > User Definition.
- Select and edit the user for which you want to deactivate the token.
- Disable the Two-factor Authentication toggle.
- Click OK. The token will be removed from the user's Two-factor Authentication column. The user will also be removed from the token's User column under User & Device > FortiTokens.
Moving FortiTokens to another device
FortiTokens can only be activated on a single FortiGate or FortiAuthenticator. To move FortiTokens to another device, you must first reset the registered FortiTokens on the current device and then reactivate them on the new one.
To reset Hard tokens registered to a FortiGate appliance (non-VM model), you can reset all hardware FTK200 tokens from the Support Portal, or during RMA transfer. See the Migrating users and FortiTokens to another FortiGate KB article for more information.
This process resets all Hard tokens; you cannot select individual tokens to reset.
To reset FortiToken Mobile, a single Hard token, a Hard token registered to a VM, and so on, an administrator must contact Customer Support and/or open a ticket on the Support Portal.
Once reset, the FortiTokens can be activated on another FortiGate or FortiAuthenticator.