FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
sthapa
Staff
Staff
Article Id 192583
Description
This article describes SSL VPN PKI user based authentication with FortiAuthenticator as Local CA authority.

Solution
The FortiOS supports PKI user for SSL VPN authentication as standalone authentication or with two factor authentication.

The following certificates has been used for this authentication which we have generated from FortiAuthenticator.

- Intermediate CA Certificate.
- Root CA certificate.
- User certificate.

1) Create above certificate from the FortiAuthenticator, Go to Certificate -> Management -> Certificate Authorities -> Root CA.





2) Create Intermediate CA Certificate from the FortiAuthenticator, Go to Certificate Management -> Certificate Authorities -> Intermediate CA.

Select Certificate authority as Root CA which we had configured on previous setup.




3) 3) Create user Certificate from the FortiAuthenticator, Go to Certificate Management -> End Entities -> Create New User Certificate.

- Select the intermediate CA certificate which we had configured on 2).
- Configure the certificate Subject Alternative Name which use in FortiGate to validate the Client certificate against the FortiGate PKI user.





4) Export root CA, Intermediate CA and client certificate from the FortiAuthenticator.

5) Import root CA and Intermediate CA certificate in the FortiGate  to trust the client certificate.

To import Intermediate CA certificate in the FortiGate, Go to System -> Certificates -> Import -> Local CA -> PKCS # 12 Certificate and select 'Key' file and password.





To import CA certificate in the FortiGate, Go to System -> Certificates -> Import -> CA Certificate -> File.




6) Create PKI users and group for SSL VPN authentication.
# config user peer
    edit "user1"
        set ca "CA_Cert_1"             <----- { Select the root CA certificate }.
        set subject "user1@gmail.com"  <-----{ Subject should match the user certificate}.
    next
end
Add the PKI users to PKI groups.
# config user group
    edit "SSL_PKI"
        set member "user1"
    next
end
Then map the above group in the SSL VPN authentication rule.

7) Then import the Client and Root CA certificate in the client machine.

- Import Root CA Certificate under 'Trusted root Certificate Authority'.
- Import Client certificate under 'Personal' folder.

8) Configure the FortClient and select the Client certificate for SSLVPN PKI authentication.





Result.



Contributors