yuj_FTNT
Staff
March 2, 2026

Technical Tip: How to configure SSL VPN with LDAP-integrated certificate authentication using CN field as user name

Description

This article describes how to configure SSL VPN on a FortiGate that requires users to authenticate using a certificate, with the LDAP CN field as the user name. No password is required.

Scope

FortiOS v7.4.x.

Solution

Refer to Technical Tip: How to configure SSL VPN with LDAP-integrated certificate authentication with UPN checking.

Everything is the same except that the client certificate's Subject CN is used as the user name for the LDAP lookup.


[Image: cert.PNG]


  1. Configure the LDAP server.


config user ldap
    edit "myLDAP"
        set server "10.0.0.1"
        set cnid "sAMAccountName"
        set dn "cn=users,dc=example_domain,dc=com"
        set type regular
        set username "example_domain\\administrator"
        set password [example_password]
        set account-key-cert-field cn
        set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer)))"
    next
end


  2. Configure the PKI user.


config user peer
    edit "PKI_1"
        set ca "CA_Cert_2"
        set mfa-mode subject-identity
        set mfa-server "myLDAP"
    next
end


  3. Configure the user group.


config user group
    edit "windowsLDAP"
        set member "myLDAP" "PKI_1"
        config match
            edit 1
                set server-name "myLDAP"
                set group-name "CN=sslvpn group,CN=Users,DC=example_domain,DC=local"
            next
        end
    next
end
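
What the LDAP lookup does with the certificate's CN, as an added example in Python (not code from this article or from FortiOS): it takes the CN from a Subject DN, escapes it for use in an LDAP filter, substitutes it for %s in the account-key-filter configured above, and evaluates the filter's three clauses against constructed directory entries, so a disabled account or a computer account with the same name is not matched. The DN parsing and the sample entries are assumptions made for the example.

```python
# Added example: models the account-key-filter lookup after the client
# certificate's Subject CN replaces %s. Not FortiOS code; entries are constructed.
ACCOUNT_KEY_FILTER = ("(&(sAMAccountName=%s)"
                      "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
                      "(!(objectClass=computer)))")
ACCOUNTDISABLE = 0x2  # bit tested by the 1.2.840.113556.1.4.803 (bit-AND) matching rule

def subject_cn(subject_dn):
    """Return the CN value from a Subject DN string (simple RDNs, no escaped commas)."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.upper() == "CN":
            return value
    return None

def escape_filter_value(value):
    """Escape special characters before placing a value in an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(cn):
    """The search filter sent once the CN is substituted for %s."""
    return ACCOUNT_KEY_FILTER.replace("%s", escape_filter_value(cn))

def matches(entry, cn):
    """Evaluate the filter's three clauses against one directory entry."""
    name_ok = entry.get("sAMAccountName", "").lower() == cn.lower()
    enabled = not (int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)
    not_computer = "computer" not in [c.lower() for c in entry.get("objectClass", [])]
    return name_ok and enabled and not_computer

# Constructed sample entries: an enabled user, a disabled user (512 | 2), a computer.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "objectClass": ["user"]},
    {"sAMAccountName": "asmith", "userAccountControl": 514, "objectClass": ["user"]},
    {"sAMAccountName": "ws01$", "userAccountControl": 4096, "objectClass": ["computer"]},
]

def lookup(subject_dn):
    """Return the sAMAccountNames the filter would match for this certificate subject."""
    cn = subject_cn(subject_dn)
    if cn is None:
        return None
    return [e["sAMAccountName"] for e in DIRECTORY if matches(e, cn)]

if __name__ == "__main__":
    for dn in ("CN=jdoe,OU=Users,DC=example_domain,DC=com", "CN=asmith,DC=example_domain,DC=com"):
        print(dn, "->", build_filter(subject_cn(dn)), "->", lookup(dn))
```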


Note: Starting in FortiOS v7.6.3, the SSL VPN tunnel mode feature is replaced with IPsec VPN, which can be configured to use TCP port 443. SSL VPN tunnel mode is no longer available in the GUI and CLI. Settings will not be upgraded from previous versions. This applies to all FortiGate models.


Refer to this document: SSL VPN tunnel mode replaced with IPsec VPN.


This guide provides detailed information regarding the migration process: Migration from SSL VPN tunnel mode to IPsec VPN.