FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
matanaskovic
Staff
Article Id 194574
Description
This article describes the procedure needed to re-register FortiTokens after a FortiGate unit has been replaced following an RMA.

This is also needed in HA environments when the master unit is replaced, because of the way FortiTokens are handled in HA setups.
When setting up a High Availability (HA) cluster with multiple FortiGate units, any FortiToken Mobile licenses must be registered and applied to the primary unit.
This can be done either before or after configuring the unit for HA operation. Once HA is configured, all tokens are replicated across cluster members, so only one FortiToken Mobile license is needed per HA cluster.

Because the secondary unit uses the FortiToken licenses assigned to the serial number of the primary unit, a replacement primary unit joining the cluster is treated as the slave, since the secondary unit holds the master role at that moment.
The secondary unit then copies the FortiToken license to the new primary unit, but those FortiTokens remain registered to the defective primary unit's serial number.

Since the license must be transferred to the new unit during the RMA process, in an HA scenario this causes FortiToken issues.
To resolve this, the FortiTokens must be deleted from the unit and re-registered with the new master unit.

Solution
1) Remove tokens that are assigned to users.

On the FortiGate, either use the GUI to disable Two-factor Authentication manually, or use the following commands to build a script covering every user that has a FortiToken assigned:
# config user local
    edit xxxx                          <----- Replace xxxx with the username of each user
        unset two-factor
    next
    edit xxxx
        unset two-factor
    next
    ...
end
2) Delete all tokens.

In the GUI:
Go to User & Authentication -> FortiTokens.
Select all Mobile Tokens and click the 'Delete' button.

3) Register the EFTM license on the FortiGate to pull all tokens to that unit.

During the RMA process, the EFTM license is bound to the FortiGate serial number.
During registration, the license must be added to the FortiGate manually; FortiGuard then checks in the background whether the added FortiToken license is valid for that FortiGate.

- Locate the 20-digit code on the redemption certificate for the license: EFTMXXXXXXXX
- Go to User & Device -> FortiTokens and select 'Create New'.
- Select Mobile Token, and enter the 20-digit certificate code in the Activation Code box.
- Select OK.

4) Assign and provision tokens to each user that needs to use two-factor authentication.

This can be done in the GUI by enabling Two-factor Authentication for each local user account, or in the CLI by building a script with the following commands:
# config user local
    edit xxxx                          <----- Replace xxxx with the username of each user
        set two-factor fortitoken
        set fortitoken XXXXXXXXXXXXXXX     <----- Enter the FortiToken serial number to assign to each user
    next
    edit xxxx
        set two-factor fortitoken
        set fortitoken XXXXXXXXXXXXXXX
    next
    ...
end
Tokens are delivered automatically to the assigned e-mail addresses.

Note: During token provisioning over the CLI, the FortiGate first checks whether the user has an SMS number configured. If an SMS number is set for the user, the activation code is sent over SMS. If the user only has an e-mail address assigned, the activation code is sent by e-mail.
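The CLI blocks in steps 1 and 4 are normally generated from a list of users rather than typed by hand. The following Python helper is an added example, not code from the article or from Fortinet: it builds both scripts from a constructed user-to-token mapping and rejects duplicate tokens or unsafe names before they reach the FortiGate CLI. The usernames, token serials and the allowed character set are assumptions.

```python
import re

# Constructed sample mapping of local users to FortiToken Mobile serials for
# step 4 (placeholder values, not real token serial numbers).
SAMPLE_ASSIGNMENTS = {
    "alice": "FTKMOBXXXXXXXXX1",
    "bob": "FTKMOBXXXXXXXXX2",
}

# Assumed safe character set for unquoted FortiOS CLI arguments; anything
# else is rejected instead of being written into the script.
_SAFE = re.compile(r"^[A-Za-z0-9._@-]+$")


def _checked(value, what):
    if not isinstance(value, str) or not _SAFE.match(value):
        raise ValueError(f"unsafe {what}: {value!r}")
    return value


def unset_script(users):
    """Step 1: disable two-factor authentication for every listed user."""
    lines = ["config user local"]
    for user in users:
        lines += [f"    edit {_checked(user, 'username')}",
                  "        unset two-factor",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


def assign_script(assignments):
    """Step 4: assign one FortiToken Mobile serial per user; a token can only
    be assigned once, so duplicates are rejected before anything is emitted."""
    owner = {}
    lines = ["config user local"]
    for user, token in assignments.items():
        _checked(user, "username")
        _checked(token, "token serial")
        if token in owner:
            raise ValueError(f"{token} assigned to both {owner[token]} and {user}")
        owner[token] = user
        lines += [f"    edit {user}",
                  "        set two-factor fortitoken",
                  f"        set fortitoken {token}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)
```

Paste the output of unset_script() into the CLI before deleting the tokens (step 2) and the output of assign_script() after the new license has been registered (step 3).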


5) Activate FortiToken Mobile tokens.

End users need to remove the previous tokens from the FortiToken Mobile app and then follow the procedure below to enter the new tokens in the FortiToken Mobile application:

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-authentication/FTM-User.htm