Configuring FortiTokens
Configuring FortiTokens consists of the following steps:
Adding FortiTokens to FortiOS
You can add FortiTokens to FortiOS in the following ways:
- Add FortiToken serial numbers/activation codes using the GUI
- Add FortiToken serial numbers/activation codes using the CLI
- Import FortiTokens using a serial number or seed file using the GUI
- Import FortiTokens from an external source using the CLI
FortiToken Mobile and physical FortiTokens store their encryption seeds on the cloud. You can only register them to a single FortiGate or FortiAuthenticator. Because FortiToken-200CD seed files are stored on the CD, you can register these tokens on multiple FortiGates and/or FortiAuthenticators, but not simultaneously. |
To manually add single FortiTokens to FortiOS:
- Go to User & Authentication > FortiTokens.
- Click Create New.
- For Type, select Hard Token or Mobile Token.
- In the Serial Number field, enter one or more FortiToken serial numbers (for hard tokens) or activation codes (for mobile tokens). FortiToken Mobile activation codes are included in the license certificate after you purchase a license. FortiOS includes a license for two mobile tokens.
- Click OK.
To add multiple FortiTokens to FortiOS using the CLI:
config user fortitoken
edit <serial_number>
next
edit <serial_number2>
next
end
To import multiple FortiTokens to FortiOS using the GUI:
- Go to User & Authentication > FortiTokens.
- Click Create New.
- For Type, select Hard Token.
- Click Import.
- Select Serial Number File or Seed File.
- Click Upload.
- Browse to the file's location on your local machine, select the file, then click OK.
- Click OK.
To import multiple FortiTokens to FortiOS from an external source using the CLI:
You can import physical and mobile FortiToken seed files from a FTP or TFTP server or USB drive.
execute fortitoken import ftp <file name> <ip>[:ftp port] <Enter> <user> <password>
execute fortitoken import tftp <file name> <ip>
execute fortitoken import usb <file name>
To import FortiToken Mobile seed files, replace |
Activating FortiTokens
You must activate the FortiTokens. During activation, FortiOS queries FortiGuard servers about each FortiToken's validity. FortiOS encrypts the serial number and information before sending for added security. FortiOS requires connection to FortiGuard servers for FortiToken activation.
To activate a FortiToken using the GUI:
- Go to User & Authentication > FortiTokens.
- Select the desired FortiTokens that have an Available status.
- Right-click the FortiToken entry, then select Activate.
- Click Refresh. The selected FortiTokens' statuses change to Activated.
To activate a FortiToken using the CLI:
config user fortitoken
edit <token_serial_num>
set status activate
next
end
Associating FortiTokens with user accounts
You can associate FortiTokens with local user or administrator accounts.
To associate a FortiToken to a local user account using the GUI:
- Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.
- Go to User & Authentication > User Definition. Edit the desired user account.
- In the Email Address field, enter the user's email address.
- Enable Two-factor Authentication.
- From the Token dropdown list, select the desired FortiToken serial number.
- Click OK.
For a mobile token, click Send Activation Code to send the activation code to the configured email address. The user uses this code to activate their mobile token. You must have configured an email service in System > Settings to send the activation code. |
To associate a FortiToken to a local user account using the CLI:
config user local
edit <username>
set type password
set passwd "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
set status enable
next
end
To associate a FortiToken to an administrator account using the GUI:
- Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.
- Go to System > Administrators. Edit the admin account. This example assumes that the account is fully configured except for two-factor authentication.
- In the Email Address field, enter the administrator's email address.
- Enable Two-factor Authentication.
- From the Token dropdown list, select the desired FortiToken serial number.
- Click OK.
For a mobile token, click Send Activation Code to send the activation code to the configured email address. The admin uses this code to activate their mobile token. You must have configured an email service in System > Settings to send the activation code. |
To associate a FortiToken to an administrator account using the CLI:
config system admin
edit <username>
set password "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
next
end
The fortitoken
keyword is not visible until you select fortitoken
for the two-factor
option.
Before you can use a new FortiToken, you may need to synchronize it due to clock drift. |