epinheiro
Staff
January 28, 2026

Technical Tip: Resolving smartcard PIN bypass issue with ECC certificates on FortiClient

Description

This article describes a scenario where FortiClient establishes an IPsec VPN tunnel using an ECC (Elliptic Curve Cryptography) certificate stored on a Smartcard or USB Token without prompting the user for a PIN during subsequent connections.


In this scenario, the first connection prompts for the PIN successfully. However, if the user disconnects and attempts to reconnect while the token remains inserted (or within the cache timeout), the VPN connects automatically without a PIN challenge. This behavior may violate security policies requiring Two-Factor Authentication (2FA) for every session.

Scope

FortiGate, FortiClient, IPsec VPN, SmartCard.
Solution

The issue is typically caused by the 'Single Logon' (session caching) feature, which is enabled by default in the Smartcard middleware (e.g., SafeNet Authentication Client), rather than by a malfunction in FortiClient or the FortiGate configuration.


When "Single Logon" is active, the middleware maintains an open session for the token after the initial successful authentication. Consequently, when FortiClient requests access to the private key for the IKE negotiation on subsequent attempts, the middleware authorizes the operation using the cached session instead of invoking the UI prompt for the PIN.


To ensure that the user is prompted for the PIN at every connection attempt, the "Single Logon" feature must be disabled within the SafeNet client configuration.
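The following is an added illustration of the behaviour described above, written for this article; it is not SafeNet, FortiClient or Fortinet code. It models the middleware that sits between the VPN client and the token: every IKE authentication needs a private-key operation, and with Single Logon enabled the middleware answers that request from its cached session, so the user is only challenged for the PIN on the first connection. The cache timeout, the PIN value and the class and function names are constructed assumptions for the demonstration. The same model shows what a practitioner should verify after applying the fix: with the feature off, a disconnect and reconnect produces a second PIN prompt.

```python
"""Constructed model of smartcard middleware session caching ("Single Logon")."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class TokenMiddleware:
    """Hypothetical middleware between the VPN client and the smartcard.
    Not vendor code; field names, timeout and PIN are assumptions."""
    single_logon: bool            # the cache feature the article says to disable
    cache_timeout: float = 300.0  # assumed lifetime of a cached session, seconds
    pin: str = "1234"             # constructed sample PIN
    token_inserted: bool = True
    pin_prompts: int = 0          # how many times the user was actually challenged
    _session_open_at: Optional[float] = field(default=None, repr=False)

    def _cached_session_valid(self, now: float) -> bool:
        # A cached session only exists when Single Logon is on, the token is
        # still inserted and the timeout has not elapsed.
        return (self.single_logon
                and self.token_inserted
                and self._session_open_at is not None
                and now - self._session_open_at < self.cache_timeout)

    def private_key_op(self, prompt: Callable[[], str], now: float) -> bool:
        """VPN client asks the token to use the private key for IKE authentication.
        Returns True when the middleware authorizes the operation."""
        if not self.token_inserted:
            return False
        if self._cached_session_valid(now):
            return True  # authorized silently from the cache: the reported symptom
        self.pin_prompts += 1
        if prompt() != self.pin:
            return False
        if self.single_logon:
            self._session_open_at = now  # remember the login for later requests
        return True

    def remove_token(self) -> None:
        # Pulling the token ends any cached session.
        self.token_inserted = False
        self._session_open_at = None


def user_enters_pin() -> str:
    """Stands in for the middleware's PIN dialog; the constructed user types 1234."""
    return "1234"


def count_prompts(single_logon: bool, reconnect_delay: float,
                  remove_between: bool = False) -> int:
    """Connect, disconnect, reconnect after `reconnect_delay` seconds and
    return how many PIN challenges the user saw. A VPN disconnect on its own
    does not touch the middleware, which is exactly why the cache survives it."""
    mw = TokenMiddleware(single_logon=single_logon)
    if not mw.private_key_op(user_enters_pin, now=0.0):
        raise RuntimeError("first connection should succeed")
    if remove_between:
        mw.remove_token()
        mw.token_inserted = True  # token reinserted before the second attempt
    if not mw.private_key_op(user_enters_pin, now=reconnect_delay):
        raise RuntimeError("second connection should succeed")
    return mw.pin_prompts


if __name__ == "__main__":
    print("Single Logon on,  reconnect after 10 s :", count_prompts(True, 10.0), "prompt(s)")
    print("Single Logon off, reconnect after 10 s :", count_prompts(False, 10.0), "prompt(s)")
    print("Single Logon on,  reconnect after 400 s:", count_prompts(True, 400.0), "prompt(s)")
    print("Single Logon on,  token removed between:", count_prompts(True, 10.0, True), "prompt(s)")
```

Running the script shows one prompt for two connections only in the first case; disabling Single Logon, letting the assumed cache timeout expire, or removing the token all restore a PIN challenge per session. The first case is the condition that breaks a per-session 2FA policy, and the second is the state to confirm after the configuration change.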


Steps to disable Single Logon in SafeNet Authentication Client:

  1. Locate the SafeNet Authentication Client icon in the Windows system tray, right-click the icon, and select Tools:

[Screenshot: Tools.png]

  2. Select the Gear icon (Advanced View) located at the top of the window:

[Screenshot: Advanced View.png]

  3. In the left navigation tree, select Client Settings:

[Screenshot: Client Settings.png]

  4. In the right pane, under the Advanced tab, locate the Enable Single Logon checkbox:

[Screenshot: Advanced tab.png]

  5. Uncheck the Enable Single Logon option:

[Screenshot: Enable Single Logon.png]

     Select Save to apply the changes.

  6. Log off and sign back in, or restart the session.