Administration Guide

Configuring FortiTokens

Configuring FortiTokens consists of the following steps:

  1. Add FortiTokens to FortiOS.
  2. Activate FortiTokens.
  3. Associate FortiTokens with user accounts.

Adding FortiTokens to FortiOS

You can add FortiTokens to FortiOS in the following ways:

Caution

FortiToken Mobile and physical FortiTokens store their encryption seeds on the cloud. You can only register them to a single FortiGate or FortiAuthenticator.

Because FortiToken-200CD seed files are stored on the CD, you can register these tokens on multiple FortiGates and/or FortiAuthenticators, but not simultaneously.

To manually add single FortiTokens to FortiOS:
  1. Go to User & Authentication > FortiTokens.
  2. Click Create New.
  3. For Type, select Hard Token or Mobile Token.
  4. In the Serial Number field, enter one or more FortiToken serial numbers (for hard tokens) or activation codes (for mobile tokens). FortiToken Mobile activation codes are included in the license certificate after you purchase a license. FortiOS includes a license for two mobile tokens.
  5. Click OK.
To add multiple FortiTokens to FortiOS using the CLI:

config user fortitoken
    edit <serial_number>
    next
    edit <serial_number2>
    next
end

To import multiple FortiTokens to FortiOS using the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Click Create New.
  3. For Type, select Hard Token.
  4. Click Import.
  5. Select Serial Number File or Seed File.
  6. Click Upload.
  7. Browse to the file's location on your local machine, select the file, then click OK.
  8. Click OK.
To import multiple FortiTokens to FortiOS from an external source using the CLI:

You can import physical and mobile FortiToken seed files from an FTP or TFTP server or a USB drive.

execute fortitoken import ftp <file name> <ip>[:ftp port] <Enter> <user> <password>
execute fortitoken import tftp <file name> <ip>
execute fortitoken import usb <file name>

Note

To import FortiToken Mobile seed files, replace fortitoken with fortitoken-mobile.

Activating FortiTokens

You must activate the FortiTokens. During activation, FortiOS queries FortiGuard servers about each FortiToken's validity. FortiOS encrypts the serial number and related information before sending it, for added security. FortiOS requires a connection to FortiGuard servers for FortiToken activation.

To activate a FortiToken using the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Select the desired FortiTokens that have an Available status.
  3. Right-click the FortiToken entry, then select Activate.
  4. Click Refresh. The selected FortiTokens' statuses change to Activated.
To activate a FortiToken using the CLI:

config user fortitoken
    edit <token_serial_num>
        set status activate
    next
end

Associating FortiTokens with user accounts

You can associate FortiTokens with local user or administrator accounts.

To associate a FortiToken to a local user account using the GUI:
  1. Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.
  2. Go to User & Authentication > User Definition. Edit the desired user account.
  3. In the Email Address field, enter the user's email address.
  4. Enable Two-factor Authentication.
  5. From the Token dropdown list, select the desired FortiToken serial number.
  6. Click OK.
Note

For a mobile token, click Send Activation Code to send the activation code to the configured email address. The user uses this code to activate their mobile token. You must have configured an email service in System > Settings to send the activation code.

To associate a FortiToken to a local user account using the CLI:

config user local
    edit <username>
        set type password
        set passwd "myPassword"
        set two-factor fortitoken
        set fortitoken <serial_number>
        set email-to "username@example.com"
        set status enable
    next
end

To associate a FortiToken to an administrator account using the GUI:
  1. Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.
  2. Go to System > Administrators. Edit the admin account. This example assumes that the account is fully configured except for two-factor authentication.
  3. In the Email Address field, enter the administrator's email address.
  4. Enable Two-factor Authentication.
  5. From the Token dropdown list, select the desired FortiToken serial number.
  6. Click OK.
Note

For a mobile token, click Send Activation Code to send the activation code to the configured email address. The admin uses this code to activate their mobile token. You must have configured an email service in System > Settings to send the activation code.

To associate a FortiToken to an administrator account using the CLI:

config system admin
    edit <username>
        set password "myPassword"
        set two-factor fortitoken
        set fortitoken <serial_number>
        set email-to "username@example.com"
    next
end

The fortitoken keyword is not visible until you select fortitoken for the two-factor option.

Note

Before you can use a new FortiToken, you may need to synchronize it due to clock drift.
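The three steps above (add, activate, associate) can be scripted for a batch of tokens rather than typed one entry at a time. The following generator is an added example, not Fortinet's code: it emits the same CLI blocks the page shows, keeps `set two-factor fortitoken` ahead of `set fortitoken` (the keyword is hidden until two-factor is selected), and refuses an inventory that lists one serial for two accounts. The serials, usernames, emails and the `<PASSWORD>` placeholder are constructed; the one-token-per-account rule is an assumption the script enforces rather than something stated on the page.

```python
"""FortiOS CLI generator for the three FortiToken steps on this page.
Added example, not Fortinet code. Assumptions: one token serial is bound to
at most one account (enforced below); serials, usernames, emails and the
password value are constructed placeholders."""

# Constructed inventory: (serial, account kind, username, email)
INVENTORY = [
    ("FTK-PLACEHOLDER-0001", "user", "alice", "alice@example.com"),
    ("FTK-PLACEHOLDER-0002", "admin", "bob", "bob@example.com"),
]

def add_tokens_cli(serials):
    """Step 1: add each serial under 'config user fortitoken'."""
    body = "".join(f"    edit {s}\n    next\n" for s in serials)
    return f"config user fortitoken\n{body}end\n"

def activate_tokens_cli(serials):
    """Step 2: 'set status activate' per serial (FortiOS then validates it with FortiGuard)."""
    body = "".join(f"    edit {s}\n        set status activate\n    next\n" for s in serials)
    return f"config user fortitoken\n{body}end\n"

def associate_cli(serial, kind, username, email, password="<PASSWORD>"):
    """Step 3: bind one token to a local user or an administrator. 'set two-factor
    fortitoken' precedes 'set fortitoken' because the keyword is hidden until then."""
    common = (f"        set two-factor fortitoken\n        set fortitoken {serial}\n"
              f"        set email-to \"{email}\"\n")
    if kind == "user":
        return (f"config user local\n    edit {username}\n        set type password\n"
                f"        set passwd \"{password}\"\n{common}        set status enable\n    next\nend\n")
    if kind == "admin":
        return (f"config system admin\n    edit {username}\n        set password \"{password}\"\n"
                f"{common}    next\nend\n")
    raise ValueError(f"unknown account kind: {kind}")

def build_script(inventory):
    """All three steps in page order; rejects a serial listed for two accounts."""
    serials = [row[0] for row in inventory]
    dupes = sorted({s for s in serials if serials.count(s) > 1})
    if dupes:
        raise ValueError(f"serial assigned to more than one account: {dupes}")
    steps = [add_tokens_cli(serials), activate_tokens_cli(serials)]
    return "".join(steps + [associate_cli(*row) for row in inventory])

if __name__ == "__main__":
    print(build_script(INVENTORY))
```

Paste the output into the FortiGate CLI in the order generated; activation still requires FortiGuard reachability, and a mobile token still needs its activation code sent to the user afterwards.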
