Skip to main content
bmeta
Staff & Editor
bmeta
Staff & Editor
May 7, 2020

Technical Tip: PKI user with two factor authentication for SSL VPN

  • May 7, 2020
  • 0 replies
  • 13696 views

Description

 

This article describes how to authenticate PKI users on FortiGate via SSL VPN using two-factor authentication with a certificate.
The existing SSLVPN policies need to be adapted in case new groups are added in this setup.
In general, a CA certificate is needed which sign user certificates that the users can use to authenticate themselves against other entities.
Those client certificates will also be used in this article.

 

Scope

 

FortiGate.

Solution

 

  • Set up the PKI for this first.
  • Import the user's CA Certificate to the FortiGate by going to System -> Certificate -> Import CA Certificate (.crt).

 
On the client side.
 
  • Import the user's certificate signed by the trusted CA with private key and certificate (BOTH are required!) to the client: either on the browser's Privacy & Security section or the Windows 'Certificate Store' to be accessed by other applications as the FortiClient.
  • Private key and certificate file can either be in a bundled file as PKCS#12 file (.p12) or as separate .cer/.crt and .key file.

From the GUI, under SSL VPN settings.
Eventually, change the server Certificate and select a certificate with the subject as the FortiGate FQDN that clients access for VPN, ideally another one signed by a CA that the connecting client is trusting.
 
Otherwise, the user receives warnings about an invalid server certificate.
Enable require client certificate (radio button in green).
 
 
Create a PKI user from the CLI.
 
config user peer
    edit "pki_user"
        set ca "CA_Cert_1"
        set subject "CN = student"
        set two-factor enable
        set passwd Pa$$w0rd
    next
end
 
Then the section 'PKI' for the certificate users will appear in the GUI under User & Device -> PKI (after refreshing the GUI).
Note:
In the 'set subject field' enter the exact name (CN) that is displayed in the user certificate, it can be very different from this example.
 
SSL VPN Group.
 
Add the created PKI user to the SSLVPN group under User & Device -> User Group.
 

 
 
Now test the connection with the browser connection for web mode or the FortiClient for tunnel mode.
Authenticate the remote user, using FortiClient (PKI user with password and certificate):
 
 
 
 
To verify, enable the debug log from the CLI while connecting:
 
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

2020-05-06 10:13:28 [1250] __fnbamd_build_cert_chain-Chain is complete.

2020-05-06 10:13:28 [1460] peer_subject_cn_check-Cert subject 'CN = student'

2020-05-06 10:13:28 local auth is done with user 'pki_user', ret=0

 

Note:

 SSL VPN certificate matching is handled by the fnbamd daemon, which uses the settings defined under 'config vpn certificate  setting'specifically 'subject-match' and 'cn-match' to perform validation.

 

Related articles:

Technical Tip: PKI peer user creation for certificate authentication

Technical Tip: Configure admin certificate authentication

Terms & ConditionsAccessibility statement