How to move the free FortiToken mobile licenses to a new VDOM or firewall

Author: ergotherego
2017/05/24 15:49:36


Recently ran into this today and wanted to post a solution. I have a lab firewall I wanted to test FTKM with, but the firewall uses VDOMs, and the tokens are associated to the root VDOM by default.
 
These are the steps I took to move a token from the root VDOM to the proper tenant VDOM, on a FortiGate 200D running 5.4.4. Most of the work can only be done via CLI I found.
 
P.S. I think Setup step 7 is not actually required, assuming everything is working up to that point, as I ended up getting two activation emails.
 
Preparation
1) Get the serial numbers for both tokens from the root VDOM or other firewall
2) Ensure the tokens are not in-use / associated to any users or groups
3) Ensure SMTP server or SMS gateway is configured
4) Create user account(s) with email or SMS contact info (in this example, just a local user)
 
Setup
1) WebUI - Login to the root VDOM and go to User & Device > FortiTokens
2) WebUI - Select the token(s) you want to move and click the Delete button
3) CLI - Enter the VDOM you want the token(s) to be available in
4) CLI - Add the new tokens via their serial number, and enable them
config user fortitoken
    edit [ serial number ]
        set status enable
    next
end
5.A) CLI - You should now see the tokens in a provisioning state via the command "diagnose fortitoken info"
myfirewall (myvdom) # diagnose fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOBxxxxxxxxxx 0 provisioning
 
Total activated token: 0
Total global activated token: 0
 
Token server status: reachable
myfirewall (myvdom) #
5.B) WebUI - You should now see the tokens in a pending state under User & Device > FortiTokens in the Status column
6) CLI - Enable two-factor and associate token with a user account (local account in this example)
config user local
    edit testuser
        set two-factor fortitoken
        set fortitoken [ serial number ]
    next
end
7) CLI - Provision the token using the command "exec fortitoken-mobile provision". This should generate an email/SMS to the user to activate their token.
 
exec fortitoken-mobile provision [ serial number ]
 
8) User - Install/activate token into their smart phone using normal process
9.A) CLI - The state of the token should now be "provisioned" via the command 'diagnose fortitoken info'
9.B) WebUI - The state of the token should now be "Assigned" via the Status column
post edited by ergotherego - 2017/05/24 15:52:28
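Preparation step 2 and steps 5.A/9.A above amount to two checks: a token must not be bound to any local user before it is deleted from the root VDOM, and its state in "diagnose fortitoken info" should move from "provisioning" to "provisioned". The script below is an added example (not from the post or from Fortinet) that applies those checks to captured CLI output; the serials, user names and the "show user local" text are constructed samples modelled on the formats shown in the post.

```python
import re

# Constructed sample, modelled on the `diagnose fortitoken info` output in the post.
DIAG_OUTPUT = """\
FORTITOKEN DRIFT STATUS
FTKMOB00000000A1 0 provisioning
FTKMOB00000000B2 0 provisioned

Total activated token: 1
Total global activated token: 1

Token server status: reachable
"""

# Constructed sample of `show user local` from the root VDOM (hypothetical users).
USER_CONFIG = """\
config user local
    edit "testuser"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000B2"
    next
    edit "alice"
        set type password
    next
end
"""

def parse_token_status(diag_text):
    """Map serial -> state ('provisioning', 'provisioned', ...), skipping header/summary lines."""
    status = {}
    for line in diag_text.splitlines():
        m = re.match(r"^(FTK\S+)\s+(-?\d+)\s+(\S+)\s*$", line)  # serial, drift, status
        if m:
            status[m.group(1)] = m.group(3)
    return status

def parse_token_users(config_text):
    """Map serial -> local users whose `set fortitoken` line references it."""
    users, current, in_local = {}, None, False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config user local":
            in_local = True
        elif s == "end":
            in_local, current = False, None
        elif in_local and s.startswith("edit "):
            current = s[5:].strip().strip('"')
        elif in_local and current and s.startswith("set fortitoken "):
            serial = s[len("set fortitoken "):].strip().strip('"')
            users.setdefault(serial, []).append(current)
        elif s == "next":
            current = None
    return users

def tokens_safe_to_move(diag_text, config_text):
    """Serials present in the diagnose output that no local user is bound to (Preparation step 2)."""
    bound = parse_token_users(config_text)
    return sorted(s for s in parse_token_status(diag_text) if s not in bound)
```

Run it against the real outputs saved from the root VDOM before step 2 of Setup; any serial missing from the returned list still has a user binding that must be cleared first.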

2 Replies

    makco10
    Re: How to move the free FortiToken mobile licenses to a new VDOM or firewall 2017/10/23 11:03:34
    Clear instructions, cool.
     
    Regards.
    emnoc
    Re: How to move the free FortiToken mobile licenses to a new VDOM or firewall 2017/10/23 12:07:09
    You do know the token is not configured to a "vdom", but to a user. You're not "moving" a token, you are assigning it to a respected user.
     
    Ken
     

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA