To activate a FortiToken on the FortiGate unit – CLI:
config user fortitoken
edit <token_serial_num>
set status activate
next
end
Associating FortiTokens with accounts
The final step before using the FortiTokens to authenticate logons is associating a FortiToken with an account. The accounts can be local user or administrator accounts.
To add a FortiToken to a local user account – web-based manager:
1. Ensure that your FortiToken serial number has been added to the FortiGate successfully, and its status is Available.
2. Go to User & Device > User > User Definition, and edit the user account.
3. Select Email Address and enter user’s email address.
4. Select Enable Two-factor Authentication.
5. Select the user’s FortiToken serial number from the Token list.
6. Select OK.
For a mobile token, click Send Activation Code to send the code to the email address configured previously. The user will use this code to activate the mobile token. An email service has to be set under System > Config > Advanced in order to send the activation code.
To add a FortiToken to a local user account – CLI:
config user local
edit <username>
set type password
set passwd "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
set status enable
next
end
To add a FortiToken to an administrator account – web-based manager:
1. Ensure that your FortiToken serial number has been added to the FortiGate successfully, and its status is Available.
2. Go to System > Admin > Administrators, and edit the admin account.
This account is assumed to be configured except for two-factor authentication.
3. Select Email Address and enter admin’s email address.
4. Select Enable Two-factor Authentication.
5. Select the admin’s FortiToken serial number from the Token list.
6. Select OK.
For a mobile token, click Send Activation Code to send the code to the email address configured previously. The admin will use this code to activate the mobile token. An email service has to be set under System > Config > Advanced in order to send the activation code.
To add a FortiToken to an administrator account – CLI:
config system admin
edit <username>
set password "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
next
end
The fortitoken keyword will not be visible until fortitoken is selected for the two-factor option.
Before a new FortiToken can be used, it may need to be synchronized due to clock drift.
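To make concrete what "drift" and "synchronize" mean for a time-based token, here is an added example; it is not from the FortiOS documentation above and it is not Fortinet's implementation. It is a generic RFC 6238 TOTP verifier that tolerates a bounded clock offset, records the offset at which a code matched (the resynchronization step a server performs) and refuses a replayed code inside the window. The 60-second step, the ±3-step window and the seed (the RFC 4226 test-vector seed) are assumptions made for the demonstration; the actual FortiToken algorithm and parameters are not stated on this page.

```python
import hashlib
import hmac
import struct

# Assumptions for this demonstration (not Fortinet's parameters):
# a 60-second time step, 6-digit codes and a +/-3 step acceptance window.
STEP_SECONDS = 60
DIGITS = 6
WINDOW = 3


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // STEP_SECONDS)


def verify_with_drift(seed: bytes, code: str, server_time: int,
                      known_drift: int = 0, last_accepted_step: int = -1,
                      window: int = WINDOW):
    """Check `code` against the server clock, allowing for token clock drift.

    known_drift is the step offset recorded for this token at its last
    successful use (0 for a freshly added token). The search starts at the
    server's current step plus that offset and widens outward up to `window`
    steps either side. On success the new offset is returned so the caller
    can store it: that stored offset is the token's "synchronization".

    A code that matches a step at or before last_accepted_step is rejected,
    so a captured code cannot be replayed inside the window.

    Returns (ok, drift_to_store, last_step_to_store).
    """
    base = server_time // STEP_SECONDS + known_drift
    # Try the expected step first, then -1, +1, -2, +2, ...
    for delta in sorted(range(-window, window + 1), key=abs):
        step = base + delta
        if hmac.compare_digest(hotp(seed, step), code):
            if step <= last_accepted_step:
                return False, known_drift, last_accepted_step
            return True, known_drift + delta, step
    return False, known_drift, last_accepted_step


if __name__ == "__main__":
    # Constructed seed: the RFC 4226 test-vector seed, not a real token seed.
    seed = b"12345678901234567890"
    server_now = 600                              # 10 steps since the epoch
    token_clock = server_now + 2 * STEP_SECONDS   # token runs 2 minutes fast
    code = totp(seed, token_clock)
    ok, drift, last = verify_with_drift(seed, code, server_now)
    print(ok, drift, last)   # True 2 12: accepted, an offset of 2 steps is stored
    # Next login one minute later: the stored drift puts the first try on target.
    code = totp(seed, token_clock + STEP_SECONDS)
    print(verify_with_drift(seed, code, server_now + STEP_SECONDS,
                            known_drift=drift, last_accepted_step=last))
    # Replaying that same code is refused even though it is inside the window.
    print(verify_with_drift(seed, code, server_now + STEP_SECONDS,
                            known_drift=drift, last_accepted_step=last + 1))
```

A wide window makes enrolment of a drifted token painless but also widens the set of codes an attacker can guess at any moment, which is why the stored offset is narrowed back to the matched step after each success and why failed attempts should be rate-limited or the token locked, the manual form of which is the Locked status described under maintenance below.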
FortiToken maintenance
Once FortiTokens are entered into the FortiGate unit, there are only two tasks to maintain them — changing the status,
To change the status of a FortiToken between Activated and Locked – CLI:
config user fortitoken
edit <token_serial_num>
set status lock
next
end
Any user attempting to log in with this FortiToken will not be able to authenticate.
To list the drift on all FortiTokens configured on this FortiGate unit – CLI:
# diag fortitoken info
FORTITOKEN DRIFT STATUS
FTK2000BHV1KRZCC 0 token already activated, and seed won't be returned
FTK2001C5YCRRVEE 0 token already activated, and seed won't be returned
FTKMOB4B94972FBA 0 provisioned
FTKMOB4BA4BE9B84 0 new
Total activated token: 0
Total global activated token: 0
Token server status: reachable
This command lists the serial number and drift for each FortiToken configured on this FortiGate unit. This command is useful to check if it is necessary to synchronize the FortiGate and any particular FortiTokens.
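An added helper, not part of the documentation above, that parses the output of diag fortitoken info into per-token records and the summary lines, then flags tokens whose drift is outside a tolerance together with a token server that is not reachable. The sample output is constructed for this example from the listing above: the serials are the page's own, while the drift of 4 on the second token and the activated-token counts are made up to exercise the check. Treating any nonzero drift as worth synchronizing is an assumption, since the page states neither the unit of the drift column nor a tolerance.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the diag fortitoken info listing above.
# The serials are the ones shown on this page; the drift of 4 on the second
# token and the activated-token counts are made up to exercise the check.
SAMPLE_OUTPUT = """\
FORTITOKEN DRIFT STATUS
FTK2000BHV1KRZCC 0 token already activated, and seed won't be returned
FTK2001C5YCRRVEE 4 token already activated, and seed won't be returned
FTKMOB4B94972FBA 0 provisioned
FTKMOB4BA4BE9B84 0 new
Total activated token: 2
Total global activated token: 2
Token server status: reachable
"""

# serial, signed integer drift, free-text status (the column header does
# not start with "FTK", so it never matches)
TOKEN_LINE = re.compile(r"^(FTK\S+)\s+(-?\d+)\s+(.+)$")


@dataclass
class Token:
    serial: str
    drift: int
    status: str


def parse_fortitoken_info(text: str):
    """Split the command output into per-token records and the key: value
    summary lines at the bottom. Lines matching neither shape are skipped."""
    tokens, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TOKEN_LINE.match(line)
        if m:
            tokens.append(Token(m.group(1), int(m.group(2)), m.group(3).strip()))
        elif ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return tokens, summary


def health_findings(tokens, summary, max_abs_drift: int = 0):
    """Return human-readable findings. Any drift beyond max_abs_drift is
    reported as needing synchronization (the page gives no tolerance, so the
    default of 0 is an assumption); a token server status other than
    "reachable" is reported as well."""
    findings = []
    for t in tokens:
        if abs(t.drift) > max_abs_drift:
            findings.append(
                f"{t.serial}: drift {t.drift} ({t.status}); "
                "synchronize before relying on it")
    status = summary.get("Token server status", "unknown")
    if status != "reachable":
        findings.append(f"token server status is '{status}', not reachable")
    return findings


if __name__ == "__main__":
    toks, summ = parse_fortitoken_info(SAMPLE_OUTPUT)
    print(f"{len(toks)} tokens, {summ.get('Total activated token')} activated")
    for finding in health_findings(toks, summ):
        print(finding)
```

Feed it the real command output captured from the unit (for example over SSH with a read-only admin) instead of SAMPLE_OUTPUT, and run it before a rollout of new tokens so that drifted or unprovisioned serials are caught before users are locked out at their first login.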
And these FREE tokens are NOT recognized by the FortiToken mobile app. How good is that?
Hello,
is it possible to connect via Command Line and only enter the Token?
Hi Mike, I was wondering if you are aware of a workaroun… I have succeeded in adding a FortiToken to an SSL VPN user, but that same user should also have administrative rights on the FortiGate. If I enable that in the administrators for 2FA, it doesn’t recognize or allow me to assign the same FortiToken to the user 🙁
Does it support 3rd party MFA as well?
In terms of phishing attack prevention, FIDO keys seem to currently be one of the better solutions. There is a degree of compromise in allowing devices to connect via a USB port, but there are always some trade-offs I guess.
Mike,
We’ve set up 2FA for admin accounts but don’t receive the email. Running ‘diag debug application alertmail -1’ shows the message and that it was successful, but no email is received. We use the default SMTP settings; nothing is getting blocked/caught by Mimecast. Is there something else that needs to be enabled?