DescriptionThis article describes SSL VPN PKI user based authentication with FortiAuthenticator as Local CA authority.SolutionThe FortiOS supports PKI user for SSL VPN authentication as standalone authentication or with two factor authentication.The following certificates has been used for this authentication which we have generated from FortiAuthenticator.- Intermediate CA Certificate.- Root CA certificate.- User certificate.1) Create above certificate from the FortiAuthenticator, Go to Certificate -> Management -> Certificate Authorities -> Root CA.
2) Create Intermediate CA Certificate from the FortiAuthenticator, Go to Certificate Management -> Certificate Authorities -> Intermediate CA.
Select Certificate authority as Root CA which we had configured on previous setup.
3) 3) Create user Certificate from the FortiAuthenticator, Go to Certificate Management -> End Entities -> Create New User Certificate.
- Select the intermediate CA certificate which we had configured on 2).
- Configure the certificate Subject Alternative Name which use in FortiGate to validate the Client certificate against the FortiGate PKI user.
4) Export root CA, Intermediate CA and client certificate from the FortiAuthenticator.
5) Import root CA and Intermediate CA certificate in the FortiGate to trust the client certificate.
To import Intermediate CA certificate in the FortiGate, Go to System -> Certificates -> Import -> Local CA -> PKCS # 12 Certificate and select 'Key' file and password.
To import CA certificate in the FortiGate, Go to System -> Certificates -> Import -> CA Certificate -> File.
6) Create PKI users and group for SSL VPN authentication. # config user peer
edit "user1"
set ca "CA_Cert_1" <----- { Select the root CA certificate }.
set subject "user1@gmail.com" <-----{ Subject should match the user certificate}.
next
end
Add the PKI users to PKI groups.
# config user group
edit "SSL_PKI"
set member "user1"
next
end
Then map the above group in the SSL VPN authentication rule.
7) Then import the Client and Root CA certificate in the client machine.
- Import Root CA Certificate under 'Trusted root Certificate Authority'.
- Import Client certificate under 'Personal' folder.
8) Configure the FortClient and select the Client certificate for SSLVPN PKI authentication.
Result.