
Administration Guide

2FA with FortiToken example


To configure a user with FortiToken as the authentication type:
  1. Go to User Management > User Definition, and select Create.

    The New User Definition wizard is launched.

  2. In Choose a User Role type, select Administrator, and from the Choose an Administrator Role dropdown, select Super Administrator.

  3. Click Next.
  4. In Choose a User type, select either Local User or Remote User.

    In this example, Local User is selected.

    For Remote User, select a remote group where the user is found. See User groups.

  5. Click Next.
  6. In Configure User Detail:
    1. In Username, enter a name.
    2. In Password, enter a password.
    3. In Confirm Password, reenter the password to confirm.
    4. In Status, enable logging in to FortiPAM.
    5. In Email address, enter an email address.
  7. Click Next.
  8. Enable Two Factor Authentication, and:
    1. In Authentication Type, select FortiToken.
    2. From the Token dropdown, select a FortiToken.
    3. In Email address, enter the user email address.

    4. Click Next.
  9. Click Next.
  10. In the Review tab, verify the information you entered and click Submit to create the user.
  11. Go to User Management > FortiTokens, select the token used in step 8 from the list and then click Provision.

    An email notification is sent to the user. This is the email address configured in step 8.

  12. To enable FortiToken push notification:
    1. Go to Network > Interfaces and double-click port1.
    2. In Administrative Access, select FTM.
    3. In the CLI console, enter the following commands:

      config system ftm-push
          set server-cert "Fortinet_Factory"
          set server x.x.x.x #IP address of the FortiPAM interface
          set status enable
      end

  13. From the user dropdown on the top-right, select Logout.
  14. On the login screen, enter the username and password for the user you just created, and select Continue.
  15. On the token screen, enter the token from your FortiToken Mobile and select Continue to log in to FortiPAM, or approve the push login request that appears on your mobile phone to log in to FortiPAM. See Setting up FortiToken Mobile.

Example CLI configuration to set up a user with FortiToken as the authentication type:

config system admin
    edit "token"
        set accprofile "super_admin" #administrator role
        set two-factor fortitoken
        set fortitoken "FTKMOB29B10062D4"
        set email-to "username@example.com"
        set password "myPassword"
    next
end
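
To check an exported configuration against the settings shown above, the following added example (not Fortinet code and not part of the original guide) parses `config system admin` blocks and lists administrators that are not fully set up for FortiToken 2FA. It assumes flat blocks with no nested `config` sections and treats a missing `two-factor` line as 2FA not enabled; the "alice" and "bob" entries are constructed sample data.

```python
import shlex

# Constructed sample in the page's CLI syntax; "alice" and "bob" are made-up entries.
SAMPLE = '''
config system admin
    edit "token"
        set accprofile "super_admin" #administrator role
        set two-factor fortitoken
        set fortitoken "FTKMOB29B10062D4"
        set email-to "username@example.com"
    next
    edit "alice"
        set accprofile "super_admin"
    next
    edit "bob"
        set accprofile "super_admin"
        set two-factor fortitoken
    next
end
'''

def parse_admins(text):
    """Return {admin_name: {key: value}} from 'config system admin' blocks."""
    admins, in_admin, current = {}, False, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # handles quotes and trailing #comments
        if not tok:
            continue
        if tok[0] == "config":
            in_admin = tok[1:] == ["system", "admin"]
        elif tok[0] == "end":
            in_admin, current = False, None
        elif in_admin and tok[0] == "edit" and len(tok) > 1:
            current = admins.setdefault(tok[1], {})
        elif in_admin and tok[0] == "next":
            current = None
        elif in_admin and current is not None and tok[0] == "set" and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
    return admins

def audit_2fa(text):
    """List (admin, problem) pairs for accounts not fully set up for FortiToken 2FA."""
    findings = []
    for name, cfg in parse_admins(text).items():
        if cfg.get("two-factor") != "fortitoken":
            findings.append((name, "two-factor is not fortitoken"))
        else:
            findings += [(name, f"missing {k}") for k in ("fortitoken", "email-to") if not cfg.get(k)]
    return findings
```

Calling `audit_2fa()` on the text of a configuration backup returns an empty list when every administrator entry has `two-factor fortitoken`, a token serial, and an `email-to` address.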

Setting up FortiToken Mobile

To set up FortiToken Mobile:
  1. In the App Store, look for FortiToken Mobile and install the application.

  2. After your system administrator assigns a token to you, you will receive a notification with an activation code and an activation expiration date by which you must activate your token. For more information on token activation, see the FortiToken Mobile User Guide.

  3. Open the FortiToken Mobile application and click the + icon on the top-right to add a token.

  4. There are two ways to add a token to the FortiToken Mobile application:
    1. Scan QR code: If your device supports QR code recognition, select + in the FortiToken Mobile home screen and point your device camera at the QR code attached to the activation email.

    2. Enter Manually:
      1. Select + and then select Enter Manually from the bottom.
      2. Select Fortinet and enter Name and Key.

        Key is the activation key from your activation email notification and must be entered exactly as it appears in the activation message, either by typing or copying and pasting.

      3. Click Done.

        FortiToken Mobile communicates with the secure provisioning server to activate your token. The token is now displayed in the token list view.

  5. Click the eye icon to retrieve the token to be used in step 15 when configuring 2FA with FortiToken.

    Alternatively, if approving the push login request in step 15 when configuring 2FA with FortiToken, click Approve in Login Request.
