tanr
New Member
November 29, 2017
Question

Dialup VPN to FortiGate with Certificate Authentication AND Two-Factor FortiToken?


Hi All,

I finally have to add support for dialup VPN to our two locations, which already have a stable IPsec VPN connection with static IPs. Although initially I'll only need a single dialup user, by next year I'll have multiple users with different access rights. I'm looking for some pointers on how to proceed before I go too far down the wrong path.

Current equipment versions:

- FortiGates 5.4.6
- FortiAuthenticator 5.1.2
- FortiClient 5.4.4 or 5.6.2 VPN client only (or other VPN client)

I would like to set up the dialup VPN to use certificate authentication for the connection, then require a username, password, and two-factor (FortiToken) authentication. Though I'd prefer to do IPsec VPN, this could be SSL VPN if needed. I can use FortiClient as the VPN client if needed, though I'm open to other possible clients (especially if they support IKEv2).

The user auth with passwords and FortiTokens can be done as part of a RADIUS group handled by the FAC, or (since we're small) by the FortiGate itself.

My questions and concerns are because I have not been able to find any full example of how to do this, though separate pieces are mentioned in many different places. Some of what I've researched is below.

So, any suggestions? Anybody have something similar set up?

Comments after the cookbook article below imply this might be possible, but a solution wasn't found.
http://cookbook.fortinet.com/ssl-vpn-with-certificate-authentication/

Documentation example has the PKI being the only authentication used.
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm#Config_cert_based_auth

Discussion implies this is possible with LDAP RADIUS, but I'm unsure how to translate this to FAC.
https://forum.fortinet.com/tm.aspx?m=151607

SSL VPN example uses RADIUS but without certificate.
http://cookbook.fortinet.com/ssl-vpn-radius-authentication/
https://travelingpacket.com/2016/01/26/fortigate-radius-group-authentication/

Thanks!


emnoc
New Member
November 29, 2017

I would do it in micro-steps:

1: enable certificate 1st and work thru any issues

2: then enable the MFA part, for which cookbooks exist for both

tanr (Author)
New Member
November 29, 2017

Small steps is the plan.

I was hoping, though, that someone could say that they've successfully made these steps and gotten the combined VPN w/ certs + MFA to work first! Especially since the comments from the first link above say that even working with a Fortinet Partner they weren't able to get it working.

If anybody can recommend using the VPN client from FortiClient 5.6.2 or 5.4.4 (on Windows 10) that would also be helpful.

emnoc
New Member
November 29, 2017

I would go with the latest, as far as doing it. Numerous others have set up certificate with SSLVPN and FortiClient.

FortiToken activation is trivial and should not need that much explanation.
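As an added example (not from this thread or from Fortinet's cookbooks), here is a FortiOS 5.4-style CLI sketch of what the asker's requirement looks like once emnoc's two steps are combined in a single dialup IPsec phase1: the client must present a certificate chained to a trusted CA (step 1), and XAUTH then hands the username and password plus FortiToken code to a RADIUS group backed by the FortiAuthenticator (step 2). Interface, certificate, CA, object names and the FAC address are placeholders, and the FAC is assumed to already have the user, token and RADIUS client defined.

```fortios
# Added example, FortiOS 5.4-style CLI; all names and addresses are placeholders.
# Step 1 (certificate): "fgt-vpn-cert" is the FortiGate's own cert (already
# imported) and "CA_Cert_1" is the CA that signs the VPN client certificates.
config user peer
    edit "vpn-client-ca"
        set ca "CA_Cert_1"            # only client certs signed by this CA are accepted
    next
end

# Step 2 (MFA): RADIUS server on the FortiAuthenticator, which checks the
# password + FortiToken OTP; the FortiGate only sees accept/reject.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"       # placeholder FAC address
        set secret "CHANGE-ME-shared-secret"
    next
end
config user group
    edit "vpn-users"
        set member "FAC-RADIUS"
    next
end

# Dialup phase1: signature auth proves the device, XAUTH proves the user.
config vpn ipsec phase1-interface
    edit "dialup-cert-xauth"
        set type dynamic
        set interface "wan1"
        set ike-version 1             # XAUTH is an IKEv1 feature
        set peertype peer
        set peer "vpn-client-ca"
        set authmethod signature
        set certificate "fgt-vpn-cert"
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"    # remove this line to test step 1 alone
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
    next
end
config vpn ipsec phase2-interface
    edit "dialup-cert-xauth-p2"
        set phase1name "dialup-cert-xauth"
        set proposal aes256-sha256
    next
end
```

Whether the FortiToken code is appended to the password or requested in a second RADIUS challenge depends on the FAC user and policy settings, so check that in the FAC RADIUS logs once step 2 is enabled.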