FortiTokens
FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user’s username and password as two-factor authentication. The code displayed changes every 60 seconds, and, when not in use, the LCD screen is blanked to extend the battery life.
There is also a mobile phone application, FortiToken Mobile, that performs much the same function.
FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and must be treated with similar care.
Any time information about the FortiToken is transmitted, it is encrypted. When the FortiProxy unit receives the code that matches the serial number for a particular FortiToken, it is delivered and stored encrypted. This is in keeping with the Fortinet’s commitment to keeping your network highly secured.
FortiTokens can be added to user accounts that are local, IPsec VPN, SSL VPN, and even Administrators. See Associate FortiTokens with accounts.
A FortiToken can be associated with only one account on one FortiProxy unit.
If a user loses the FortiToken, it can be locked out using the FortiProxy unit so it will not be used to falsely access the network. Later if found, that FortiToken can be unlocked on the FortiProxy unit to allow access once again. See FortiToken maintenance.
To view a list of available FortiTokens, go to User & Device > FortiTokens.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following options are available:
|
Create New |
Add a FortiToken to your FortiProxy unit. See Add or edit a FortiToken . |
|
Edit |
Modify a FortiToken that was added to your FortiProxy unit. See Add or edit a FortiToken . |
|
Delete |
Remove a FortiToken from the list. |
|
Activate |
Activate a FortiToken that was added to your FortiProxy unit. See Activate a FortiToken on the FortiProxy unit. |
|
Provision |
Notify the FortiToken provisioning server that the token has been assigned for subsequent activation. The provisioning server sends an activation code to the end user. |
|
Refresh |
Update the data displayed. |
|
Download Available |
Download FortiToken information. |
|
Search |
Enter a search term to find in the FortiToken list. |
|
Type |
The FortiToken type can be Hard Token or Mobile Token. |
|
Serial Number |
The FortiToken serial number. |
|
Status |
Whether the FortiToken has been assigned or activated. |
|
User |
The user associated with the FortiToken. |
|
Drift |
How many minutes the FortiToken time differs from the time on the FortiProxy unit. |
|
Comments |
An optional description of the FortiToken. |
|
License |
The license for the mobile token. |
FortiToken authentication process
There are three tasks to complete before FortiTokens can be used to authenticate accounts:
The following are the steps during FortiToken two-factor authentication:
-
The user attempts to access a network resource.
-
The FortiProxy unit matches the traffic to an authentication security policy, and the FortiProxy unit prompts the user for user name and password.
-
The user enters the user name and password.
-
The FortiProxy unit verifies the information, and, if valid, prompts the user for the FortiToken code.
-
The user gets the current code from their FortiToken device.
-
The user enters current code at the prompt.
-
The FortiProxy unit verifies the FortiToken code, and, if valid, allows access to the network resources such as the Internet.
The following steps are needed only if the time on the FortiToken has drifted and needs to be re-synchronized with the time on the FortiProxy unit.
-
If time on FortiToken has drifted, the FortiProxy unit will prompt the user to enter a second code to confirm.
-
User gets the next code from their FortiToken device.
-
User enters the second code at the prompt.
-
The FortiProxy unit uses both codes to update its clock to match the FortiToken and then proceeds as in step 7.
When configured, the FortiProxy unit accepts the user name and password, authenticates them either locally or remotely, and prompts the user for the FortiToken code. The FortiProxy unit then authenticates the FortiToken code. When FortiToken authentication is enabled, the prompt field for entering the FortiToken code is automatically added to the authentication screens.
Even when an Administrator is logging in through a serial or Telnet connection and their account is linked to a FortiToken, that Administrator will be prompted for the token’s code at each login.
|
If you have attempted to add invalid FortiToken serial numbers, there will be no error message. The serial numbers will simply not be added to the list. |
FortiToken Mobile Push
A command under config system ftm-push allows you to configure the FortiToken Mobile Push services server IP address and port number. The Push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android smartphones respectively. This service prevents tokens from becoming locked after an already enabled two-factor authentication user has been disabled.
CLI syntax
config system ftm-push
set server-ip <ip-address>
set server-port [1-65535] // Default is 4433.
set status <enable | disable>
end
NOTE: The server-ip is the public IP address of the FortiProxy interface that the FTM will call back to; it is the IP address used by the FortiProxy for incoming FTM calls.
In addition, FTM Push is supported on administrator login and SSL VPN login for both iOS and Android. If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate again within a minute, a new message displays showing “Please wait x seconds to login again.” This replaces a previous error/permission denied message.
The “x” value depends on the calculation of how much time is left in the current time step.
CLI syntax
config system interface
edit <name>
set allowaccess ftm
next
end
|
|
The FortiProxy unit supports FTM Push notifications initiated by FortiAuthenticator when users are attempting to authenticate through a VPN and/or RADIUS (with FortiAuthenticator as the RADIUS server). |
Migrate FortiToken Mobile users from FortiProxy to FortiToken Cloud
The execute fortitoken-cloud migrate-ftm <license> <vdom> command allows the migration of FortiToken Mobile users from the FortiProxy unit to FortiToken Cloud. The FortiToken Cloud account must be using a time-based subscription license. A request must be made to Fortinet Customer Service to initiate and pre-authorize the transfer. All current active FortiToken Mobile users will be migrated to the FortiToken Cloud license with no changes to the FortiToken Mobile serial number. The FortiProxy user or administrator's two-factor setting is automatically converted from fortitoken to fortitoken-cloud. After migration, end users will be able to authenticate as before without any changes to their FortiToken mobile app. See Migrate FTM tokens to FortiToken Cloud for more information.