FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
cborgato_FTNT
Article Id 198349

Description

This article describes how to recover the admin password, restore the admin account, and disable 2FA using the maintainer account and a hidden command. Physical access to the device and a few other tools may be required for the process.


Scope

FortiAuthenticator v3.1+.


Solution

This process requires connectivity to the console port and a reboot of the unit.

The following are required:

- Console cable.
- Terminal software such as PuTTY (Windows) or Terminal (macOS).
- Serial number of the FortiAuthenticator device.

Steps:

1) Connect the computer to the FortiAuthenticator via the console port (RJ-45 to serial cable). For virtual instances, use the VM host's console connection utility (such as VNC).

2) Start terminal software.

3) Connect using the following:

Setting       Value
------------  ----------------------------------------------
Speed (baud)  9600
Data bits     8
Parity        None
Stop bits     1
Flow control  None (no hardware flow control)
COM port      The COM port the console cable is attached to

4) The device should then respond with its name or hostname (if it does not, press Enter).

5) Reboot the FortiAuthenticator.

> reboot

6) Wait for the name and login prompt to appear. The terminal window should display something similar to the following:

FAC-lab login :

7) Type in the username: maintainer.

8) The password is bcpb + the serial number of the FortiAuthenticator (the letters of the serial number are in uppercase).

Example: bcpbFAC-VM0A13123456.

Note: after the device boots, there are at most 14 seconds to type in the username and password. It might be necessary to have the credentials ready in a text editor and then copy and paste them into the login screen. There is no indicator of when the time runs out, so it might take more than one attempt to succeed.

9) Once logged in, the commands to reset the admin password depend on the release.

- For releases 3.1 to 4.0:

Reset the admin password using the following hidden command.

FAC-Lab login : maintainer
Password      : *********
Welcome to the FortiAuthenticator!
> admin-pwd-reset <admin name>

- For release 5.0 and higher, there are two options:

a) Reset the admin password using the following hidden command.

FAC-Lab login : maintainer
Password      : *********
Welcome to the FortiAuthenticator!
> admin-pwd-reset <username> <password>

It is mandatory to set a replacement password.

b) Reset the admin password to the default and restore the access methods of port1 ('allowaccess'). This option also disables 2FA for the admin account if it was enabled (for the case where the second-factor password is not available).

FAC-Lab login : maintainer
Password      : *********
Welcome to the FortiAuthenticator!
> exec restore-admin <password>

The command 'restore-admin' will enable default admin access methods on port1 and restore the default 'admin' account.

The output will detail the change made:

> exec restore-admin <password>
Trusted management subnets of administrator "maintainer" have been cleared.
No need to restore administrator access to Port 1.
HA also enabled, restoring admin access.
No need to restore HA administrator access to port2.
Default administrator account "admin" has been restored:
        Password is set to blank, admin has a full permission, and any trusted management subnet restriction.
        Please remember to change the password.
        Trusted management subnets of administrator "admin" have been cleared.

>
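The output of 'exec restore-admin' above tells the operator exactly what the device has just weakened: the admin password is now blank, the trusted management subnets of both 'maintainer' and 'admin' are gone, and port1/HA access may have been re-enabled. The following parser is an added example written for this article, not Fortinet code or a FortiAuthenticator feature: it reads that console output (the constructed sample below is the output shown on this page) and produces the list of hardening actions to take after the recovery. The exact wording the device prints when it does re-enable port1 or port2 access is not shown on the page, so the parser assumes that any such line that does not start with "No need" means access was restored.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the console output shown on this page after 'exec restore-admin'.
SAMPLE_OUTPUT = """\
> exec restore-admin <password>
Trusted management subnets of administrator "maintainer" have been cleared.
No need to restore administrator access to Port 1.
HA also enabled, restoring admin access.
No need to restore HA administrator access to port2.
Default administrator account "admin" has been restored:
        Password is set to blank, admin has a full permission, and any trusted management subnet restriction.
        Please remember to change the password.
        Trusted management subnets of administrator "admin" have been cleared.
"""

# Matches the "... subnets of administrator "<name>" have been cleared." lines.
CLEARED_RE = re.compile(r'Trusted management subnets of administrator "([^"]+)" have been cleared')


@dataclass
class RestoreAdminReport:
    admin_restored: bool = False            # default 'admin' account recreated/reset
    password_blank: bool = False            # admin password is now empty
    subnets_cleared: list = field(default_factory=list)  # accounts whose trusted subnets were removed
    ha_enabled: bool = False                # device reported HA as enabled
    port1_access_restored: bool = False     # command had to re-enable admin access on port1
    ha_port2_access_restored: bool = False  # command had to re-enable HA admin access on port2


def parse_restore_admin_output(text):
    """Parse the console output of 'exec restore-admin' into a RestoreAdminReport."""
    report = RestoreAdminReport()
    for raw in text.splitlines():
        line = raw.strip()
        # The device writes "Port 1" on one line and "port2" on another; normalise for matching.
        lower = line.lower().replace("port 1", "port1")
        m = CLEARED_RE.search(line)
        if m:
            report.subnets_cleared.append(m.group(1))
        elif 'account "admin" has been restored' in line:
            report.admin_restored = True
        elif lower.startswith("password is set to blank"):
            report.password_blank = True
        elif lower.startswith("ha also enabled"):
            report.ha_enabled = True
        elif "ha administrator access to port2" in lower:
            # Assumption: "No need to restore ..." means access was already on; any other
            # wording (not shown on the page) is treated as "access was re-enabled".
            report.ha_port2_access_restored = not lower.startswith("no need")
        elif "administrator access to port1" in lower:
            report.port1_access_restored = not lower.startswith("no need")
    return report


def hardening_checklist(report):
    """Turn the report into the follow-up actions an operator should take right away."""
    actions = []
    if report.password_blank:
        actions.append("Set a strong password for 'admin' now: it was restored with a blank password.")
    if report.admin_restored:
        actions.append("Re-enable two-factor authentication for 'admin' once a second factor is available.")
    if report.subnets_cleared:
        actions.append("Re-apply trusted management subnets for: " + ", ".join(report.subnets_cleared) + ".")
    if report.port1_access_restored:
        actions.append("Review the access methods ('allowaccess') now enabled on port1 and remove any not needed.")
    if report.ha_port2_access_restored:
        actions.append("Review the HA administrator access that was re-enabled on port2.")
    return actions


if __name__ == "__main__":
    rep = parse_restore_admin_output(SAMPLE_OUTPUT)
    print(rep)
    for i, action in enumerate(hardening_checklist(rep), 1):
        print(f"{i}. {action}")
```

Paste the device's actual output into SAMPLE_OUTPUT (or feed it from a saved console log) and the checklist reflects what that particular run changed; on the page's output it yields three items, since port1 and port2 access did not need restoring.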