NSE6 Part 4: FortiToken 2FA, Certificate Management, and the Self-Service Portal

With local authentication and LDAP integration working, the two remaining FortiAuthenticator exam tracks are two-factor authentication and certificate services. Both are FCA-FAC exam favourites — expect configuration-level questions about token provisioning, the portal workflow, SCEP enrollment, and what happens when a token or certificate is in the wrong state.


Two-Factor Authentication — Concepts

Two-factor authentication (2FA) combines something you know (password) with something you have (a token that generates a one-time code). FortiAuthenticator supports three token types:

Token typeHow it worksExam notes
FortiToken 200Hardware TOTP token (key fob) generates a 6-digit code every 60 seconds. No connectivity required.Seed file (seeds.dat) must be imported to FAC before tokens can be used
FortiToken MobileSmartphone app (iOS/Android) generates TOTP codes. QR code provisioning.Consumed from a software token licence pool
FortiToken CloudCloud-hosted push notification. User approves a push rather than typing a code.Requires FAC outbound HTTPS to ftc.fortinet.com; no on-prem seed management

FortiToken Hardware Tokens (FortiToken 200)

Importing seed files

FortiToken 200 devices ship with a physical seeds file (FTK200.dat). This file must be imported into FAC before the tokens will work.

Authentication > FortiTokens > Seed File Import

The seeds file is encrypted and tied to your FortiCare contract. If you import the wrong seeds file (from a different purchase), the tokens will generate codes but FAC will reject them.

After import, each token appears in the token pool with:

  • Serial number (printed on the token)
  • Status: Available → Assigned → Active

Assigning a token to a user

Authentication > User Management > Local Users > [user] > Two-Factor Authentication

  • Enable two-factor auth
  • Select token type: FortiToken
  • Assign a token from the pool by serial number

Activation: The token activates the first time the user successfully enters both their password and a valid token code. Until activated, the token is in Assigned state.

Token clock drift

TOTP codes are time-sensitive. If the FortiToken 200 hardware clock drifts significantly from FAC’s clock, valid-looking codes will be rejected.

Authentication > FortiTokens > Token Management

Use the Resync function: the user provides two consecutive codes; FAC calculates the drift and compensates. After resync, the token clock offset is stored and subsequent codes are validated against the adjusted window.

Exam point: If a user reports their token suddenly stopped working (worked yesterday, fails today), clock drift or NTP misconfiguration on FAC is the likely cause.


FortiToken Mobile

FortiToken Mobile uses a QR code or activation code to provision the TOTP seed from FAC to the user’s smartphone.

Provisioning workflow

  1. Admin assigns a FortiToken Mobile licence to a user.
  2. FAC generates an activation QR code (visible in the user record or sent by email/SMS).
  3. User scans the QR code with the FortiToken Mobile app.
  4. App imports the seed and starts generating codes.
  5. User enters the first code to activate (FAC validates and marks token Active).
Authentication > User Management > Local Users > [user] > Two-Factor Authentication
  Enable: Yes
  Token type: FortiToken Mobile

Email/SMS delivery

FAC sends the activation code via:

  • Email — requires SMTP gateway config (System > Messaging > SMTP Servers)
  • SMS — requires an SMS gateway (System > Messaging > SMS Gateways)

If activation emails aren’t arriving, check the SMTP config and confirm the user’s email address is populated on their record.


FortiToken Cloud (Push)

FortiToken Cloud offloads the token seed management to Fortinet’s cloud service. Instead of entering a code, the user receives a push notification on their phone and taps Approve.

Setup requires:

  1. A FortiToken Cloud licence attached to the FortiCare account.
  2. FAC internet access to ftc.fortinet.com on HTTPS/443.
  3. Authentication > FortiToken Cloud — register FAC with the cloud service.

Fallback: If the user’s phone has no internet (no push reachable), FAC can fall back to TOTP code entry. Configure the fallback in the FortiToken Cloud settings.


Certificate Management

FortiAuthenticator can act as a Certificate Authority, issuing certificates for:

  • End users (PKI-based authentication)
  • Devices (FortiGate IPsec VPN, FortiAP mesh backhaul, FortiSwitch 802.1X with EAP-TLS)
  • Admins (certificate-based admin login)

Certificate Authority setup

Certificate Management > Certificate Authorities > Local CAs > Create New

FAC generates a self-signed root CA or an intermediate CA signed by an external root:

OptionUse case
Self-signed root CAFull PKI under FAC control; all clients must trust this root
Intermediate CAFAC issues certs from an intermediate; root CA is external (e.g., Microsoft CA, DigiCert)

Export the CA certificate (DER or PEM) and import it as a trusted CA on every device that needs to validate certs issued by FAC.

Certificate templates

Templates define the properties of issued certificates:

Certificate Management > Certificate Templates

Template fieldNotes
Key size2048 or 4096 bits
Validity periodDays from issuance
Subject alt nameEmail, IP, DNS — used for user certs
Extended Key UsageClient auth, server auth, email signing
Certificate typeUser, device, CA

SCEP enrollment

SCEP (Simple Certificate Enrollment Protocol) allows FortiGate and FortiSwitch to automatically request and renew certificates from FAC without admin involvement.

On FAC: Certificate Management > SCEP > Create New

FieldValue
CASelect the Local CA to issue from
TemplateSelect the relevant template
Password modeNone (open enrollment) or one-time challenge password
URLhttp://fac-ip/scep/<scep-name>

On FortiGate, configure the SCEP server and request a certificate:

config vpn certificate local
  edit "FGT-CERT"
    set scep-url "http://10.0.0.10/scep/FortiGateSCEP"
    set scep-password ""
  next
end
execute vpn certificate local generate rsa 2048 "FGT-CERT"

Auto-renewal: FortiGate checks certificate expiry and re-enrolls via SCEP before it expires, provided the SCEP URL is still reachable.

PKI users (certificate-based authentication)

A PKI user is a FAC user record whose authentication method is a client certificate rather than a password. When the user presents a certificate issued by FAC’s CA (or a trusted external CA), FAC validates it and returns an Access-Accept.

Authentication > User Management > PKI Users > Create New
  Subject: CN=micheal.garner, O=Corp
  CA: Select issuing CA

PKI users are commonly used for EAP-TLS 802.1X (the certificate is the credential).


Self-Service Portal

The self-service portal lets end users manage their own accounts without calling the helpdesk. It is accessed at https://fac-ip/selfservice/ by default.

Password reset

Flow:

  1. User visits portal, clicks “Forgot my password”
  2. FAC sends a verification token to the user’s registered email or mobile
  3. User enters the token and sets a new password

Requirements:

  • User record must have email and/or mobile populated
  • FAC must have an SMTP/SMS gateway configured
  • Password self-service must be enabled on the user’s account policy

Token self-activation

If an admin has assigned a FortiToken Mobile but not sent the activation code, the user can trigger resend from the portal.

Account unlock

If a user is locked out (exceeded failed-attempt threshold) and admin unlock is required (lockout duration = 0), the portal can be configured to allow self-unlock via email verification. This reduces helpdesk calls significantly.

FortiToken registration

Users can initiate FortiToken Mobile registration from the portal: scan the QR code that FAC generates on-screen.


Guest Portal

The guest portal is a separate workflow for creating time-limited accounts for visitors, contractors, or conference attendees.

Authentication > Guest Portal

Guest account creation methods

MethodFlow
Admin-createdAdmin generates accounts in bulk or individually, hands out credentials
Self-registrationGuest visits portal, enters name/email, receives credentials by email
Sponsor approvalGuest submits request; sponsor (internal user) receives email and approves/denies

The sponsor portal is the approval page an internal user accesses to approve or reject guest account requests. The sponsor does not need an admin account on FAC — they authenticate using their AD credentials via LDAP.

Authentication > Guest Portal > Sponsors

Sponsors can be:

  • Any authenticated user (broad — anyone with valid AD credentials)
  • Members of a specific AD group (recommended for audit trail)

Guest account attributes

AttributeNotes
ValidityHours or days from activation
Max concurrent sessionsPrevents one account being shared
VLANCarries the RADIUS VLAN attribute in the guest Access-Accept
Bandwidth quotaOptional per-account limit

Bulk guest creation

For conferences: Authentication > Guest Management > Bulk Create CSV format: firstname,lastname,email,phone

FAC generates accounts and optionally sends credentials to each guest’s email.


Captive Portal Integration with FortiGate

When FortiGate redirects unauthenticated clients to FAC for portal-based authentication:

  1. FortiGate firewall policy has auth-type = captive and points to FAC as the external portal
  2. Unauthenticated HTTP hits the policy, FortiGate redirects to https://fac-ip/captive/
  3. FAC presents login page, user authenticates (password + token if configured)
  4. FAC posts a success redirect back to FortiGate with an authentication cookie
  5. FortiGate grants access for the session duration

FortiAuthenticator must be able to reach FortiGate’s FSSO listener to register the session:

config user fsso
  edit "FAC-FSSO"
    set server "10.0.0.10"
    set port 8000
    set password <fsso-secret>
  next
end

Exam Scenarios

Q: A user says their FortiToken Mobile shows a code but it’s rejected. FAC logs show the token is Active. What is the most likely cause? A: NTP misconfiguration — FAC’s clock and the phone’s clock are out of sync. Check FAC NTP settings and use the token resync function.

Q: A new FortiToken 200 hardware token is in the pool but authentication fails even with the correct code. A: The token is in Assigned state, not Active. The first successful login activates it. Alternatively, the seeds file import used the wrong file.

Q: FortiGate requests a certificate via SCEP but gets “enrollment denied”. A: Check the SCEP profile on FAC — if password mode is set to challenge, FortiGate needs to send the correct one-time password in the CSR.

Q: A guest account was self-registered but the user reports they never received the email confirmation. A: Check the SMTP gateway config on FAC, verify the user’s email is correct, and check spam filters. Also confirm the self-registration portal policy has email verification enabled.