2FA with FortiToken example
To configure a user with FortiToken as the authentication type:
1. Go to User Management > User List, and select Create.
   The New User List wizard is launched.
2. In Choose a User Role type, select Administrator, and from the Choose an Administrator Role dropdown, select Super Administrator.
3. Click Next.
4. In Choose a User type, select either Local User or Remote User.
   In this example, Local User is selected.
   For Remote User, select a remote group where the user is found. See User groups.
5. Click Next.
6. In Configure User Detail:
   - In Username, enter a name.
   - In Password, enter a password.
   - In Confirm Password, reenter the password to confirm.
   - In Status, enable the user so that they can log in to FortiPAM.
   - In Email address, enter an email address.
7. Click Next.
8. In Two Factor Authentication:
   - In Email address, enter the user email address.
   - Enable Two-Factor Authentication, and select FortiToken.
   - From the Token dropdown, select a FortiToken.
   - Click Next.
9. Click Next.
10. In the Review tab, verify the information you entered and click Submit to create the user.
11. Go to User Management > FortiTokens, select the token used in step 8 from the list, and then click Provision.
    An email notification is sent to the user at the email address configured in step 8.
12. To enable FortiToken push notification:
    - Go to Network > Interfaces and double-click port1.
    - In Administrative Access, select FTM.
    - In the CLI console, enter the following commands:
      config system ftm-push
          set server-cert "Fortinet_Factory"
          set server x.x.x.x #IP address of the FortiPAM interface
          set status enable
      end
13. From the user dropdown on the top-right, select Logout.
14. On the login screen, enter the username and password for the user you just created, and select Continue.
15. On the token screen, enter the token from your FortiToken Mobile and select Continue to log in to FortiPAM, or approve the push login request that appears on your mobile phone to log in to FortiPAM. See Setting up FortiToken Mobile.
CLI configuration to set up a user with FortiToken as the authentication type example:
config system admin
    edit "token"
        set accprofile "super_admin" #administrator role
        set two-factor fortitoken
        set fortitoken "FTKMOB29B10062D4"
        set email-to "username@example.com"
        set password "myPassword"
    next
end
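A small audit script, added here as an example and not part of the FortiPAM documentation or product, that parses the config / edit / set / next / end syntax shown in the two CLI snippets above and reports administrators whose two-factor authentication is not a provisioned FortiToken, plus whether FTM push is enabled. The configuration it parses is constructed for the example (the "legacy-admin" and "auditor" entries and the 192.0.2.10 address are invented); the key names are the ones on this page.

```python
"""Audit a FortiOS-style configuration dump for administrators without
FortiToken two-factor authentication.

Added example, not Fortinet code.  The parser understands only the
config / edit / set / next / end structure shown on this page, and the
SAMPLE_CONFIG below is constructed for demonstration.
"""

import shlex

# Constructed sample: one correctly configured admin from the page, plus two
# invented admins that should be flagged (no 2FA, and e-mail-based 2FA).
SAMPLE_CONFIG = """\
config system admin
    edit "token"
        set accprofile "super_admin" #administrator role
        set two-factor fortitoken
        set fortitoken "FTKMOB29B10062D4"
        set email-to "username@example.com"
        set password "myPassword"
    next
    edit "legacy-admin"
        set accprofile "super_admin"
        set password "AnotherPassword"
    next
    edit "auditor"
        set accprofile "super_admin"
        set two-factor email
        set email-to "auditor@example.com"
    next
end
config system ftm-push
    set server-cert "Fortinet_Factory"
    set server 192.0.2.10 #constructed address of the FortiPAM interface
    set status enable
end
"""


def parse_config(text):
    """Parse config text into nested dicts.

    'config a b' opens a table keyed "a b"; 'edit NAME' opens an entry keyed
    NAME; 'set KEY VALUE' stores a setting; 'next' / 'end' close the current
    level.  Trailing '#' comments are dropped by shlex.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit" and args:
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set" and len(args) >= 2:
            # single value stays a string; multi-value settings become a list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def admins_missing_fortitoken(config):
    """Names of admins whose 2FA is not 'fortitoken' with a token assigned."""
    flagged = []
    for name, settings in config.get("system admin", {}).items():
        if settings.get("two-factor") != "fortitoken" or not settings.get("fortitoken"):
            flagged.append(name)
    return sorted(flagged)


def push_enabled(config):
    """True when 'config system ftm-push' is enabled and has a server address."""
    ftm = config.get("system ftm-push", {})
    return ftm.get("status") == "enable" and bool(ftm.get("server"))


def audit(text=SAMPLE_CONFIG):
    """Run both checks and return a summary dict."""
    cfg = parse_config(text)
    return {
        "admins_without_fortitoken": admins_missing_fortitoken(cfg),
        "ftm_push_enabled": push_enabled(cfg),
    }


if __name__ == "__main__":
    print(audit())
```

Run it against the output of "show system admin" and "show system ftm-push" (pasted into a file) to get a quick list of administrator accounts that still lack a provisioned FortiToken.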
Setting up FortiToken Mobile
To set up FortiToken Mobile:
1. In the App Store, look for FortiToken Mobile and install the application.
2. After your system administrator assigns a token to you, you will receive a notification with an activation code and an activation expiration date by which you must activate your token.
   For more information on token activation, see the FortiToken Mobile User Guide.
3. Open the FortiToken Mobile application and click the + icon on the top-right to add a token.
4. There are two ways to add a token to the FortiToken Mobile application:
   - Scan QR code: If your device supports QR code recognition, select + in the FortiToken Mobile home screen and point your device camera at the QR code attached to the activation email.
   - Enter Manually:
     - Select + and then select Enter Manually from the bottom.
     - Select Fortinet and enter Name and Key.
       Key is the activation key from your activation email notification and must be entered exactly as it appears in the activation message, either by typing or by copying and pasting.
     - Click Done.
       FortiToken Mobile communicates with the secure provisioning server to activate your token. The token is now displayed in the token list view.
5. Click the eye icon to retrieve the token to be used in step 15 when configuring 2FA with FortiToken.
   Alternatively, if approving the push login request in step 15 when configuring 2FA with FortiToken, click Approve in Login Request.