FortiAuthenticator
jcamareno
Staff
Article Id 194050

Description

This article describes how to activate the FortiToken Mobile license in FortiAuthenticator.

Scope

FortiToken Mobile with FortiAuthenticator.

Solution

  1. Log in to the FortiAuthenticator WebUI (ensure it has a valid Internet connection).
  2. Go to Authentication -> User Management -> FortiTokens (in the left-hand menu).
  3. Select 'Create New', then select 'Mobile FortiToken'.
  4. Enter the activation code shown in the certificate and select 'OK'.
  5. After verification succeeds, check that all tokens are listed under Authentication -> User Management -> FortiTokens.


Here is an explanation of how FortiToken Mobile (FTM) provisioning works:

  1. FortiAuthenticator generates the seed for the FTM token and its other parameters (activation code, serial number, HOTP/TOTP mode, OTP length, PIN, FTM logo), then sends them to fortitokenmobile.fortinet.com.
  2. FortiAuthenticator sends the activation code to the end user via email/SMS.
  3. The end user enters the activation code in FTM (manually or by scanning the QR code).
  4. FTM connects to fortitokenmobile.fortinet.com and:
     • gives the activation code, mobile OS version and app regid;
     • takes the FTM seed and the other parameters.
  5. FortiAuthenticator polls fortitokenmobile.fortinet.com to see whether the FTM token was activated. If so, it retrieves the mobile OS version and app regid, then marks the token as activated in its configuration.
 
TROUBLESHOOTING:
 
In some cases, the activation process fails and returns an error similar to 'problem with SSL comm layer'.

If this occurs, follow the steps below:
  1. Make sure the FortiAuthenticator can resolve the fortitokenmobile.fortinet.com FQDN (the old URL was directregistration.fortinet.com). In the FortiAuthenticator CLI, type the command below:

execute ping fortitokenmobile.fortinet.com

  2. Confirm there is no other device upstream of the FortiAuthenticator preventing it from reaching the licensing servers over TCP/443.
  3. Usually, FortiAuthenticator goes through a FortiGate firewall to reach the Internet. If DPI (Deep Packet Inspection, i.e. SSL inspection) is performed by the FortiGate (or another firewall), the errors mentioned above may be displayed. This happens because FortiAuthenticator will ONLY connect to a server presenting a valid certificate signed by the Fortinet CA, so a certificate re-signed by an inspecting device (a man-in-the-middle) is rejected. To avoid this error, create a firewall policy that allows only the FortiAuthenticator IP address to reach the Internet and do not apply any security profile or DPI to it.
 
Additionally, a packet capture can be run on the port that FortiAuthenticator uses to reach the Internet, under System -> Network -> Packet Capture (blue play button). It is recommended to increase the Maximum Packets value to something like 5000 and then attempt an activation. The .pcap file can be downloaded and analyzed in Wireshark to see the communication with fortitokenmobile.fortinet.com.

  4. Contact the Technical Assistance Center (TAC) and confirm the licensing servers are operational.
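The three conditions above (DNS resolution, TCP/443 reachability, and whether an inspecting device is re-signing the licensing server's certificate) can be checked from any host on the same network path as the FortiAuthenticator. The following Python diagnostic is an added example, not part of this article or of any Fortinet product; it assumes that the genuine server certificate's issuer organization contains the string 'Fortinet' (an assumption derived from the article's statement that the certificate is signed by the Fortinet CA).

```python
import socket
import ssl

LICENSING_HOST = "fortitokenmobile.fortinet.com"  # licensing server named in the article
# Assumption: the genuine server certificate's issuer organization contains this string.
EXPECTED_ISSUER_ORG = "Fortinet"


def issuer_fields(cert):
    """Flatten the 'issuer' tuple-of-tuples returned by ssl.SSLSocket.getpeercert()
    into a plain dict, e.g. {'countryName': 'US', 'organizationName': 'Fortinet'}."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def classify_chain(cert, expected_org=EXPECTED_ISSUER_ORG):
    """'ok' if the presented certificate was issued by the expected CA, otherwise
    'inspected': a different issuer (typically a firewall's SSL-inspection CA) means a
    device in the path re-signed the connection, which FortiAuthenticator rejects."""
    org = issuer_fields(cert).get("organizationName", "")
    return "ok" if expected_org.lower() in org.lower() else "inspected"


def probe(host=LICENSING_HOST, port=443, timeout=5.0):
    """Run the article's checks in order and stop at the first failure:
    DNS resolution, then TCP/443 + TLS handshake, then the certificate issuer."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return {"step": "dns", "ok": False, "detail": str(exc)}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by this host: an inspection CA unknown here is one common cause.
        return {"step": "tls_verify", "ok": False, "detail": str(exc)}
    except OSError as exc:  # refused, filtered, or timed out on TCP/443
        return {"step": "tcp", "ok": False, "detail": str(exc)}
    verdict = classify_chain(cert)
    return {"step": "issuer", "ok": verdict == "ok", "detail": issuer_fields(cert)}


if __name__ == "__main__":
    print(probe())
```

A result whose step is 'dns' or 'tcp' points at steps 1 and 2 above, while 'tls_verify' or an 'issuer' result with ok=False points at SSL inspection on the path (step 3).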