Administration Guide

Registering hard tokens

Registering FortiTokens consists of the following steps:

  1. Adding FortiTokens to FortiOS.
  2. Activating FortiTokens.
  3. Associating FortiTokens with user accounts.

Adding FortiTokens to FortiOS

You can add FortiTokens to FortiOS in the following ways:

To manually add a single hard token to FortiOS using the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Click Create New.
  3. For Type, select Hard Token.
  4. In the Serial Number field, enter one or more FortiToken serial numbers.
  5. Click OK.

To add multiple FortiTokens to FortiOS using the CLI:

    config user fortitoken
        edit <serial_number>
        next
        edit <serial_number2>
        next
    end

To import multiple FortiTokens to FortiOS using the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Click Create New.
  3. For Type, select Hard Token.
  4. Click Import. The Import Tokens section slides in on the screen.
  5. Select Serial Number File.
     Note: Seed files are only used with FortiToken-200CD. These are special hardware tokens that come with FortiToken seeds on a CD. See the FortiToken Comprehensive Guide for details.

  6. Click Upload.
  7. Browse to the file's location on your local machine, select the file, then click OK.
  8. Click OK.

Activating FortiTokens

You must activate FortiTokens before you can use them. FortiOS requires a connection to FortiGuard servers for FortiToken activation. During activation, FortiOS queries FortiGuard servers about each token's validity. Each token can only be used on a single FortiGate or FortiAuthenticator. If tokens are already registered, they are deemed invalid for re-activation on another device. FortiOS encrypts the serial number and information before sending them, for added security.

To activate a FortiToken using the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Select the desired FortiTokens that have an Available status.
  3. Click Activate from the menu above.
  4. Click Refresh. The selected FortiTokens are activated.

To activate a FortiToken using the CLI:

    config user fortitoken
        edit <token_serial_num>
            set status activate
        next
    end
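
The add and activate CLI steps above can be generated from a serial-number list instead of typed by hand. The following is an added example, not Fortinet code: it assumes a one-serial-per-line text file and a serial shape of FTK plus 13 upper-case letters or digits (both assumptions, as are the function names), and it rejects any line that does not match so that file content cannot smuggle extra CLI statements into the batch.

```python
import re

# Assumption: hard-token serials are "FTK" + 13 upper-case letters/digits.
# Adjust the pattern to match the serials printed on your own tokens.
SERIAL_RE = re.compile(r"FTK[0-9A-Z]{13}")

def parse_serials(text):
    """Split a one-serial-per-line file into (valid, rejected) lists."""
    valid, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        serial = raw.strip().upper()
        if not serial:
            continue  # ignore blank lines
        if not SERIAL_RE.fullmatch(serial):
            # Strict allow-list: spaces, quotes or extra words never reach the CLI.
            rejected.append((lineno, "bad format"))
        elif serial in seen:
            rejected.append((lineno, "duplicate"))
        else:
            seen.add(serial)
            valid.append(serial)
    return valid, rejected

def build_cli(serials, activate=False):
    """Emit the page's 'config user fortitoken' batch; optionally activate."""
    lines = ["config user fortitoken"]
    for serial in serials:
        lines.append(f"    edit {serial}")
        if activate:
            lines.append("        set status activate")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)

# Constructed sample input (not real serial numbers).
SAMPLE = """FTK200AAAAAAAAA1
FTK200AAAAAAAAA2

ftk200aaaaaaaaa1
FTK200BAD
FTK200AAAAAAAAA3 set status activate
"""

if __name__ == "__main__":
    good, bad = parse_serials(SAMPLE)
    print(build_cli(good))                 # step 1: add the tokens
    print(build_cli(good, activate=True))  # step 2: activate them
    for lineno, reason in bad:
        print(f"# skipped line {lineno}: {reason}")
```

Review the skipped lines before pasting the batch: a duplicate or malformed serial in the list usually points to a transcription error in the inventory.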

Associating FortiTokens with user accounts

You can associate FortiTokens with local user or administrator accounts.

To associate a FortiToken to a local user account using the GUI:
  1. Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.
  2. Go to User & Authentication > User Definition. Edit the desired user account.
  3. Enable Two-factor Authentication.
  4. From the Token dropdown list, select the desired FortiToken serial number.
  5. In the Email Address field, enter the user's email address.
  6. Click OK.

To associate a FortiToken to a local user account using the CLI:

    config user local
        edit <username>
            set type password
            set passwd "myPassword"
            set two-factor fortitoken
            set fortitoken <serial_number>
            set email-to "username@example.com"
            set status enable
        next
    end

Note: Before you can use a new FortiToken, you may need to synchronize it due to clock drift.

To associate a FortiToken to an administrator account, refer to the Associating a FortiToken to an administrator account section.
