NSE6 Part 4: FortiToken 2FA, Certificate Management, and the Self-Service Portal
With local authentication and LDAP integration working, the two remaining FortiAuthenticator exam tracks are two-factor authentication and certificate services. Both are FCA-FAC exam favourites — expect configuration-level questions about token provisioning, the portal workflow, SCEP enrollment, and what happens when a token or certificate is in the wrong state.
Two-Factor Authentication — Concepts
Two-factor authentication (2FA) combines something you know (password) with something you have (a token that generates a one-time code). FortiAuthenticator supports three token types:
| Token type | How it works | Exam notes |
|---|---|---|
| FortiToken 200 | Hardware TOTP token (key fob) generates a 6-digit code every 60 seconds. No connectivity required. | Seed file (seeds.dat) must be imported to FAC before tokens can be used |
| FortiToken Mobile | Smartphone app (iOS/Android) generates TOTP codes. QR code provisioning. | Consumed from a software token licence pool |
| FortiToken Cloud | Cloud-hosted push notification. User approves a push rather than typing a code. | Requires FAC outbound HTTPS to ftc.fortinet.com; no on-prem seed management |
FortiToken Hardware Tokens (FortiToken 200)
Importing seed files
FortiToken 200 devices ship with a physical seeds file (FTK200.dat). This file must be imported into FAC before the tokens will work.
Authentication > FortiTokens > Seed File Import
The seeds file is encrypted and tied to your FortiCare contract. If you import the wrong seeds file (from a different purchase), the tokens will generate codes but FAC will reject them.
After import, each token appears in the token pool with:
- Serial number (printed on the token)
- Status: Available → Assigned → Active
Assigning a token to a user
Authentication > User Management > Local Users > [user] > Two-Factor Authentication
- Enable two-factor auth
- Select token type:
FortiToken - Assign a token from the pool by serial number
Activation: The token activates the first time the user successfully enters both their password and a valid token code. Until activated, the token is in Assigned state.
Token clock drift
TOTP codes are time-sensitive. If the FortiToken 200 hardware clock drifts significantly from FAC’s clock, valid-looking codes will be rejected.
Authentication > FortiTokens > Token Management
Use the Resync function: the user provides two consecutive codes; FAC calculates the drift and compensates. After resync, the token clock offset is stored and subsequent codes are validated against the adjusted window.
Exam point: If a user reports their token suddenly stopped working (worked yesterday, fails today), clock drift or NTP misconfiguration on FAC is the likely cause.
FortiToken Mobile
FortiToken Mobile uses a QR code or activation code to provision the TOTP seed from FAC to the user’s smartphone.
Provisioning workflow
- Admin assigns a FortiToken Mobile licence to a user.
- FAC generates an activation QR code (visible in the user record or sent by email/SMS).
- User scans the QR code with the FortiToken Mobile app.
- App imports the seed and starts generating codes.
- User enters the first code to activate (FAC validates and marks token
Active).
Authentication > User Management > Local Users > [user] > Two-Factor Authentication
Enable: Yes
Token type: FortiToken Mobile
Email/SMS delivery
FAC sends the activation code via:
- Email — requires SMTP gateway config (
System > Messaging > SMTP Servers) - SMS — requires an SMS gateway (
System > Messaging > SMS Gateways)
If activation emails aren’t arriving, check the SMTP config and confirm the user’s email address is populated on their record.
FortiToken Cloud (Push)
FortiToken Cloud offloads the token seed management to Fortinet’s cloud service. Instead of entering a code, the user receives a push notification on their phone and taps Approve.
Setup requires:
- A FortiToken Cloud licence attached to the FortiCare account.
- FAC internet access to
ftc.fortinet.comon HTTPS/443. Authentication > FortiToken Cloud— register FAC with the cloud service.
Fallback: If the user’s phone has no internet (no push reachable), FAC can fall back to TOTP code entry. Configure the fallback in the FortiToken Cloud settings.
Certificate Management
FortiAuthenticator can act as a Certificate Authority, issuing certificates for:
- End users (PKI-based authentication)
- Devices (FortiGate IPsec VPN, FortiAP mesh backhaul, FortiSwitch 802.1X with EAP-TLS)
- Admins (certificate-based admin login)
Certificate Authority setup
Certificate Management > Certificate Authorities > Local CAs > Create New
FAC generates a self-signed root CA or an intermediate CA signed by an external root:
| Option | Use case |
|---|---|
| Self-signed root CA | Full PKI under FAC control; all clients must trust this root |
| Intermediate CA | FAC issues certs from an intermediate; root CA is external (e.g., Microsoft CA, DigiCert) |
Export the CA certificate (DER or PEM) and import it as a trusted CA on every device that needs to validate certs issued by FAC.
Certificate templates
Templates define the properties of issued certificates:
Certificate Management > Certificate Templates
| Template field | Notes |
|---|---|
| Key size | 2048 or 4096 bits |
| Validity period | Days from issuance |
| Subject alt name | Email, IP, DNS — used for user certs |
| Extended Key Usage | Client auth, server auth, email signing |
| Certificate type | User, device, CA |
SCEP enrollment
SCEP (Simple Certificate Enrollment Protocol) allows FortiGate and FortiSwitch to automatically request and renew certificates from FAC without admin involvement.
On FAC: Certificate Management > SCEP > Create New
| Field | Value |
|---|---|
| CA | Select the Local CA to issue from |
| Template | Select the relevant template |
| Password mode | None (open enrollment) or one-time challenge password |
| URL | http://fac-ip/scep/<scep-name> |
On FortiGate, configure the SCEP server and request a certificate:
config vpn certificate local
edit "FGT-CERT"
set scep-url "http://10.0.0.10/scep/FortiGateSCEP"
set scep-password ""
next
end
execute vpn certificate local generate rsa 2048 "FGT-CERT"
Auto-renewal: FortiGate checks certificate expiry and re-enrolls via SCEP before it expires, provided the SCEP URL is still reachable.
PKI users (certificate-based authentication)
A PKI user is a FAC user record whose authentication method is a client certificate rather than a password. When the user presents a certificate issued by FAC’s CA (or a trusted external CA), FAC validates it and returns an Access-Accept.
Authentication > User Management > PKI Users > Create New
Subject: CN=micheal.garner, O=Corp
CA: Select issuing CA
PKI users are commonly used for EAP-TLS 802.1X (the certificate is the credential).
Self-Service Portal
The self-service portal lets end users manage their own accounts without calling the helpdesk. It is accessed at https://fac-ip/selfservice/ by default.
Password reset
Flow:
- User visits portal, clicks “Forgot my password”
- FAC sends a verification token to the user’s registered email or mobile
- User enters the token and sets a new password
Requirements:
- User record must have email and/or mobile populated
- FAC must have an SMTP/SMS gateway configured
- Password self-service must be enabled on the user’s account policy
Token self-activation
If an admin has assigned a FortiToken Mobile but not sent the activation code, the user can trigger resend from the portal.
Account unlock
If a user is locked out (exceeded failed-attempt threshold) and admin unlock is required (lockout duration = 0), the portal can be configured to allow self-unlock via email verification. This reduces helpdesk calls significantly.
FortiToken registration
Users can initiate FortiToken Mobile registration from the portal: scan the QR code that FAC generates on-screen.
Guest Portal
The guest portal is a separate workflow for creating time-limited accounts for visitors, contractors, or conference attendees.
Authentication > Guest Portal
Guest account creation methods
| Method | Flow |
|---|---|
| Admin-created | Admin generates accounts in bulk or individually, hands out credentials |
| Self-registration | Guest visits portal, enters name/email, receives credentials by email |
| Sponsor approval | Guest submits request; sponsor (internal user) receives email and approves/denies |
Sponsor portal
The sponsor portal is the approval page an internal user accesses to approve or reject guest account requests. The sponsor does not need an admin account on FAC — they authenticate using their AD credentials via LDAP.
Authentication > Guest Portal > Sponsors
Sponsors can be:
- Any authenticated user (broad — anyone with valid AD credentials)
- Members of a specific AD group (recommended for audit trail)
Guest account attributes
| Attribute | Notes |
|---|---|
| Validity | Hours or days from activation |
| Max concurrent sessions | Prevents one account being shared |
| VLAN | Carries the RADIUS VLAN attribute in the guest Access-Accept |
| Bandwidth quota | Optional per-account limit |
Bulk guest creation
For conferences: Authentication > Guest Management > Bulk Create
CSV format: firstname,lastname,email,phone
FAC generates accounts and optionally sends credentials to each guest’s email.
Captive Portal Integration with FortiGate
When FortiGate redirects unauthenticated clients to FAC for portal-based authentication:
- FortiGate firewall policy has
auth-type = captiveand points to FAC as the external portal - Unauthenticated HTTP hits the policy, FortiGate redirects to
https://fac-ip/captive/ - FAC presents login page, user authenticates (password + token if configured)
- FAC posts a success redirect back to FortiGate with an authentication cookie
- FortiGate grants access for the session duration
FortiAuthenticator must be able to reach FortiGate’s FSSO listener to register the session:
config user fsso
edit "FAC-FSSO"
set server "10.0.0.10"
set port 8000
set password <fsso-secret>
next
end
Exam Scenarios
Q: A user says their FortiToken Mobile shows a code but it’s rejected. FAC logs show the token is Active. What is the most likely cause? A: NTP misconfiguration — FAC’s clock and the phone’s clock are out of sync. Check FAC NTP settings and use the token resync function.
Q: A new FortiToken 200 hardware token is in the pool but authentication fails even with the correct code.
A: The token is in Assigned state, not Active. The first successful login activates it. Alternatively, the seeds file import used the wrong file.
Q: FortiGate requests a certificate via SCEP but gets “enrollment denied”.
A: Check the SCEP profile on FAC — if password mode is set to challenge, FortiGate needs to send the correct one-time password in the CSR.
Q: A guest account was self-registered but the user reports they never received the email confirmation. A: Check the SMTP gateway config on FAC, verify the user’s email is correct, and check spam filters. Also confirm the self-registration portal policy has email verification enabled.