How to move the free FortiToken mobile licenses to a new VDOM or firewall
Recently ran into this today and wanted to post a solution. I have a lab firewall I wanted to test FTKM with, but the firewall uses VDOMs, and the tokens are associated to the root VDOM by default.
These are the steps I took to move a token from the root VDOM to the proper tenant VDOM, on a FortiGate 200D running 5.4.4. Most of the work can only be done via CLI I found.
Ps. I think Setup step 7 is not actually required assuming everything is working up to that point, as I ended up getting two activation emails. Preparation
1) Get the serial numbers for both tokens from the root VDOM or other firewall
2) Ensure the tokens are not in-use / associated to any users or groups
3) Ensure SMTP server or SMS gateway is configured
4) Create user account(s) with email or SMS contact info (in this example, just a local user) Setup
1) WebUI - Login to the root VDOM and go to User & Device > FortiTokens
2) WebUI - Select the token(s) you want to move and click the Delete button
3) CLI - Enter the VDOM you want the token(s) to be available in
4) CLI - Add the new tokens via their serial number, and enable them
config user fortitoken
edit [ serial number ]
set status enable
5.A) CLI - You should now see the tokens in a provisioning state via the command "diagnose fortitoken info"
myfirewall (myvdom) # diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOBxxxxxxxxxx 0 provisioning
Total activated token: 0
Total global activated token: 0
Token server status: reachable
myfirewall (myvdom) #
5.B) WebUI - You should now see the tokens in a pending state under User & Device > FortiTokens in the Status column
6) CLI - Enable two-factor and associate token with a user account (local account in this example)
config user local
set two-factor fortitoken
set fortitoken [ serial number ]
7) CLI - Provision the token using the command "exec fortitoken-mobile provision". This should generate an email/SMS to the user to activate their token.
exec fortitoken-mobile provision [ serial number ]
8) User - Install/activate token into their smart phone using normal process
9.A) CLI - The state of the token should now be "provisioned" via the command 'diagnose fortitoken info'
9.B) WebUI - The state of the token should now be "Assigned" via the Status column
post edited by ergotherego - 2017/05/24 15:52:28