Once registered, FortiTokens need to be provisioned for users before they can be activated. In this example, you will provision a Mobile token for a local user. Similar steps can be taken to assign FortiTokens to other types of users.
To create a local user and assign a FortiToken in the FortiGate GUI:
- Go to User & Device > User Definition, and click Create New. The Users/Groups Creation Wizard appears.
- In the User Type tab, select Local User, and click Next.
- In the Login Credentials tab, enter a Username and Password for the user, and click Next.
- In the Contact Info tab:
  - Enter the user's email address in the Email Address field. This is the email where the user will receive the QR code for activation of the FortiToken.
  - Enable the Two-factor Authentication toggle.
  - Select FortiToken for Authentication Type.
  - Select a Token to assign to the user from the drop-down list.
  - Click Next.
- In the Extra Info tab, make sure the User Account Status field is set to Enabled. Optionally, assign the user to a user group by enabling the User Group toggle.
- Click Submit. An activation code should be sent to the created user by email or SMS, depending upon the delivery method configured above.
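The same provisioning can be expressed in the FortiOS CLI. This is an added example, not part of the original procedure: every value in angle brackets is a placeholder to replace with your own, and lines starting with # are annotations rather than commands.

```fortios
# Added example. Placeholders in <angle brackets> are assumptions,
# not values taken from this page.
config user local
    edit "<username>"
        set type password
        set passwd <password>
        # Require a FortiToken as the second factor and bind one registered token.
        set two-factor fortitoken
        set fortitoken "<token-serial-number>"
        # Address that receives the activation message for the token.
        set email-to "<user-email-address>"
        set status enable
    next
end

# Optional: add the user to an existing user group.
# "append" keeps the current members; "set member" would replace the list.
config user group
    edit "<group-name>"
        append member "<username>"
    next
end
```

Running `show user local <username>` afterwards confirms that `two-factor` and `fortitoken` are set on the account.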
By default, the FortiGate Email Service setting is configured to use the server notifications.fortinet.net. To view the configuration, go to System > Settings > Email Service.
By default, the activation code expires if the token is not activated within 3 days. The expiry period is configurable.
To configure the time period (in hours) for FortiToken Mobile, using the CLI:
config system global
    set two-factor-ftm-expiry <1-168>
end
To resend the email or SMS with the activation code, refer to the Managing FortiTokens section.