Description: This article describes the issue of hardware tokens not working for MFA after a firewall migration.
Scope: FortiGate.
Solution:
To move hardware tokens from one firewall to another, submit a request to the TAC team. Once TAC has migrated the tokens, import them onto the new firewall with the license file.
Once the tokens are imported on the new firewall, they are available to assign to users. If, after a token is assigned, the user cannot use it for MFA or an invalid-token error is returned, check the following.
Run the fnbamd debug on the firewall to capture the error returned for the token:
di de application fnbamd -1
di de en
---- try to log in with the hardware token ----
Check the debug output for the error message; it will look similar to the following:
2024-03-18 08:14:45 [2048] handle_req-Rcvd auth_token rsp for req xxxxxx
2024-03-18 08:14:45 [2167] handle_req-Token check failed, result -30113
Result -30113 confirms that the token is assigned to the user but has not been activated properly. To verify, run 'diagnose fortitoken info'; it lists every token imported on the firewall together with its drift and status:
FORTITOKEN DRIFT STATUS
Activate any token whose status is not active:
exe fortitoken activate <FTK serial number>
Re-run 'diagnose fortitoken info'; the status of the token should now be active:
FORTITOKEN DRIFT STATUS
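As an added example (not part of the original article), the following Python helper automates the two checks described above: it scans fnbamd debug lines for "Token check failed" and extracts the result code, then parses the 'diagnose fortitoken info' table to list tokens whose status is not active and prints the activation command for each. Both inputs are constructed samples, not output captured from a device; the three-column layout (serial, drift, status) and the status value "active" are assumptions based on the header shown in the article.

```python
import re

# Constructed sample of fnbamd debug output (not captured from a real device).
# The request ids are placeholders.
FNBAMD_DEBUG = """\
2024-03-18 08:14:45 [2048] handle_req-Rcvd auth_token rsp for req 100001
2024-03-18 08:14:45 [2167] handle_req-Token check failed, result -30113
2024-03-18 08:15:02 [2048] handle_req-Rcvd auth_token rsp for req 100002
2024-03-18 08:15:02 [2170] handle_req-Token check passed
"""

# Constructed sample of 'diagnose fortitoken info' output. The column layout
# (serial, drift, status) and the "active" status value are assumed from the
# header shown in the article; the serial numbers are placeholders.
FORTITOKEN_INFO = """\
FORTITOKEN          DRIFT   STATUS
FTK2000AAAAAAAAAA   0       active
FTK2000BBBBBBBBBB   0       provisioned
FTK2000CCCCCCCCCC   0       new
"""

TOKEN_FAIL_RE = re.compile(r"Token check failed, result (-?\d+)")
TIMESTAMP_LEN = len("2024-03-18 08:14:45")


def token_failures(debug_text):
    """Return (timestamp, result_code) for every failed token check in the debug output."""
    failures = []
    for line in debug_text.splitlines():
        m = TOKEN_FAIL_RE.search(line)
        if m:
            failures.append((line[:TIMESTAMP_LEN], int(m.group(1))))
    return failures


def parse_fortitoken_info(text):
    """Parse the token table into {serial: {"drift": int, "status": str}}."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or lines[0].split()[:3] != ["FORTITOKEN", "DRIFT", "STATUS"]:
        raise ValueError("unexpected header: %r" % (lines[0] if lines else ""))
    tokens = {}
    for line in lines[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip anything that is not a token row
        serial, drift, status = parts[0], parts[1], parts[2]
        tokens[serial] = {"drift": int(drift), "status": status.lower()}
    return tokens


def inactive_tokens(tokens):
    """Serials of tokens whose status is anything other than active."""
    return sorted(s for s, t in tokens.items() if t["status"] != "active")


def activation_commands(tokens):
    """Build the 'execute fortitoken activate <serial>' command for each inactive token."""
    return ["execute fortitoken activate %s" % s for s in inactive_tokens(tokens)]


def diagnose(debug_text, info_text):
    """Tie the two checks together: report -30113 failures and the commands to fix them."""
    failures = token_failures(debug_text)
    tokens = parse_fortitoken_info(info_text)
    return {
        "not_activated_errors": [f for f in failures if f[1] == -30113],
        "other_errors": [f for f in failures if f[1] != -30113],
        "commands": activation_commands(tokens),
    }


if __name__ == "__main__":
    report = diagnose(FNBAMD_DEBUG, FORTITOKEN_INFO)
    for ts, code in report["not_activated_errors"]:
        print("%s token check failed with %d (token not activated)" % (ts, code))
    for cmd in report["commands"]:
        print(cmd)
```

Feed it the text saved from the debug session and from 'diagnose fortitoken info'; a result code other than -30113 is reported separately because it points to a different cause than an unactivated token. Remember to turn debugging off with 'diagnose debug disable' once the capture is done.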
Copyright 2024 Fortinet, Inc. All Rights Reserved.