Skip to main content
zoriax
zoriax
New Member
April 11, 2022
Solved

FortiAuthenticator SSL Certificate and VPN Machine

  • April 11, 2022
  • 6 replies
  • 8469 views

Hi everyone ! 

 

I need your help. I'm a bit confuse how to correctly configure FortiAuthenticator to validate SSL VPN Connections with machine (computers) SSL Certifacte. 

 

I tried a lot of options but nothing work, so I'm sure someone can help me :)

 

The workflow is this one : 

- Computer is AD join with a valid CA certificate, for example : pc1.mydomain.local

- ForitAuth is correctly configured and I can sync my computer.

- I configured RADIUS with "Windows AD computer authentication"

 

Now, what are the correct options to tell FortiGate to user computer certificate to validate the connection (if it's possible) ?


Thanks

Best answer by pminarik

Do you expect to be prompted for a certificate in that case?

 

If not, you may have misconfigured the groups/mappings in SSL-VPN settings.

 

If yes, then perhaps the certificate verification is failing. You could try running fnbamd debug to find out what the result of the validation is:

 

diag debug reset diag debug console timestamp enable diag debug app fnbamd -1 diag debug enable  → try to connect now  diag debug disable

 

The fnbamd process may be doing other checks in the meantime, so it if starts showing more outputs, don't be scared. :)

 

There is also a chance that you might not have access to the private key, if this is a machine certificate, as you suggested in your initial post. Make sure you do have this sorted out. (KB on how to do this in Windows natively)

6 replies

zoriax
zoriaxAuthor
New Member
April 11, 2022

I'm sure it's possible to "login" with a computer certificate to FortiGate SSL VPN but how can I do that with FortiAuthenticator ? 

I can't find any documentation about how to configure the devices to do that

zoriax
zoriaxAuthor
New Member
April 11, 2022

I followd this config  : https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/3965/computer-authentication-using-fortiauthenticator-with-ms-ad-root-ca

 

But should I used it for SSL VPN ?

pminarik
Staff
pminarik
Staff
April 14, 2022

When authenticating to SSL-VPN with a certificate, the certificate validation is always done by the FortiGate itself. It is never delegated to any other device (not even the FortiAuthenticator).

 

EAP-TLS (wifi WPA-Enterprise, switch dot1x, or IKEv2-EAP) would be a very specific exception, but it is not relevant here, since SSL-VPN does not support EAP.

 

So you should be able to make this work with "the usual" setup. The basic barebones configuration would consist of:

 

1, Import the CA chain which issues the machine certificates in your domain (presumably the Enterprise PKI root CA cert): System > Certificates > Import > CA

 

2, Create a "peer user" to match this CA:

 

config user peer     edit "my_domain_peers"         set ca "<the CA you imported in step 1>"         # set subject "some specific subject" # these two lines are optional, to further restrict which certificates can match this peer object         # set CN "some specific CN"     next end

 


3, Place the peer in a user group:

 

config user group     edit "my_certificate_group"         set member "my_domain_peers"     next end

 

 

4, You can now use this "user group" in your VPN portal mappings and firewall policies for SSL-VPN.

 

The result should be that clients authenticating purely with the matching certificate will be allowed to connect.

 

As a side-note: Be aware that regular users by default do not have access to the key of a machine certificate, which will prevent them from using it to authenticate to SSL-VPN.

 

You can work around this by giving regular users the permission to read the machine cert's private key in the OS itself, or you can use FortiClient's XML option `<allow_standard_user_use_system_cert>` (doc reference)

 

addendum: While the above is my "retelling of the story", there is also an official document on how to set up the same baseline configuration, available here . (my only comment to that would be that the lines `set two-factor enable` and `set password ...` are optional)

zoriax
zoriaxAuthor
New Member
April 14, 2022

Hello,

 

Ok it's what I have done on my FortiGate. Just one question can I use two different server certifiate ? 

 

What I wanted is to use a "public" certificate for my user (without client certificate) and a domain certificate for my computers (with client certificate)

pminarik
Staff
pminarik
Staff
April 14, 2022

Hi,

 

The FortiGate itself can only use one certificate to identify itself as the VPN server. This is the "Server Certificate" selected in the general "SSL-VPN Settings" section.

 

The connecting clients can use certificates issued by different CAs with no issue. You simply need to re-do the same steps (import the second CA, create peer-object for it, add it to a new group or to the same group) for each new CA/peer.

 

If you're planning to let some users connect without a certificate (this is how I understood your reply), be aware that if using the browser to connect to the web-mode SSL-VPN, you may be prompted by the browser to select a certificate for authentication. If you are planning to authenticate as the user permitted to log in without a certificate, you should be able to simply ignore this prompt and then proceed to successfully authenticate with just username+password.

zoriax
zoriaxAuthor
New Member
April 14, 2022

Ok so according to the documentation and your return, I must set option 

 

set reqclientcert enable

 

This information is missign in Forit doc... And in authentication-rule, should I set 

 

 config authentication-rule         edit 2             set groups "TEST"             set portal "WEB"             set client-cert enable         next     end

 

With these otions my FortiClient prompt a warning message and tells me that the server require a certificate (and my certificate is selected).... I don't understand where is the error.

 

Thanks

 

pminarik
Staff
pminarik
Staff
April 14, 2022

This is not necessarily correct. Let me clarify:

 

`set reqclientcert enable`: This enforces a requirement for all clients (no exceptions!) to present a trusted certificate when connecting to SSL-VPN. You do not need to enable this.

 

`set client-cert enable`: This is similar as the option above, but the requirement is narrowed down to the group specified in the portal mapping rule. If a user is matched to this group during authentication, and if they did not provide a valid certificate, they will be rejected.

This can be further improved by specifying `set user-peer <peer-object>` to declare that "this group must provide a certificate that matches this specific peer".

 

If you specify the setup as I have outlined - using the group with a peer-member in the portal mapping directly (`set groups "my_certificate_group"`, referring back to the example object I described in my first reply) - then in this case you do not need to enable any option to require a certificate (requclientcert, or client-cert). The mechanism is triggered automatically, and incoming connections will be asked for a certificate.

 

You can have a mixture of "certificate only", "certificate + username+password", and "username+password-only" working at the same time, the only trick is setting the configuration correctly to align with the desired flow.

zoriax
zoriaxAuthor
New Member
April 14, 2022

Ok thanks ! I understand. The last problem I have is with my certificate. My Forticlient prompt a warning message and tells me that the server require a certificate (and my certificate is correct).

zoriax
zoriaxAuthor
New Member
April 14, 2022

My log is full of

Action	ssl-exit-error Reason	DH lib
Terms & ConditionsAccessibility statement