Skip to main content
Y_Spirin
Y_Spirin
New Member
August 11, 2017
Solved

SSL VPN certificate AND username/password authentication

  • August 11, 2017
  • 1 reply
  • 19291 views

Hi!

I'm setting up SSL VPN on FortiGate as described here: http://cookbook.fortinet.com/ssl-vpn-using-ldap-integrated-certificates/. It works but users can connect using just a certificate. To add username/password authentication I've changed VPN usergroup by removing remote LDAP server and adding remote RADIUS server. RADIUS (MS NPS) verifies username/password with ms-chap-v2 in AD, so now it looks like we have certificate + username/password authentication. But here is a situation: User A can use their username/password and User B's certificate and still get successfully authenticated due to the fact that certificate is only checked for validity and trust (issued by same CA). So is it possible to set up SSL VPN with certificate + username/password authentication AND strict checking that certificate CN/UPN matches the username given by user?

 

Thanks for any clues.

Best answer by Y_Spirin

Hi! Here's the part of config. We're setting up RADIUS server, LDAP server, peer user and finally the user group which combines authentication by LDAP certificate and RADIUS name/password. ------------------------------------- config user radius   edit "DCSRV.RADIUS"     set server "10.1.1.1"     set secret ENC ****

    set auth-type ms_chap_v2   next end config user ldap   edit "DCSRV.ldap"     set server "10.1.1.1"     set cnid "userPrincipalName"     set dn "dc=company,dc=local"     set type regular     set username "fortigate_ldap"     set password ENC ****     set secure ldaps     set ca-cert "CA_Cert_1"     set port 636   next end

config user peer   edit "LDAP.certificate.check"     set ca "CA_Cert_1"     set ldap-server "DCSRV.ldap"     set ldap-mode principal-name   next end config user group

  edit "G.VPN.Admins"     set member "DCSRV.RADIUS" "LDAP.certificate.check" <-- LDAP.certificate.check is peer user from above     config match       edit 1         set server-name "DCSRV.RADIUS"         set group-name "SSL_VPN_Admins" <-- See below about SSL_VPN_Admins       next     end   next

end -------------------------------------

My RADIUS server is Microsoft NPS. Check this article for NPS setup guidance http://cookbook.fortinet.com/ssl-vpn-radius-authentication/. So what happens when VPN user tries to authenticate? First, Fortigate checks if the certificate passed by user is trusted (issued by Root CA which is identified by CA_Cert_1 certificate). Then user's name and password are passed to NPS which checks by Network Policies if these credentials belong to specific AD group. If they do then NPS answers to Fortigate with permission and sends the group name string which set up in policy's custom attribute. Fortigate checks if this group name equals to string which is in "set group-name" config. If it is a match then Fortigate successfully authenticates the user.

 

Feel free to ask questions about this config. I'll be glad to help.

 

Regards,

Yuri

1 reply

yesh
yesh
New Member
September 26, 2017

Hi,

How did you achieve this?

I have a very similar setup but connects with client certificate when no username/password is given. I have added Radius as a the remote auth server still it does not go to user authentication at all. 

 

Thanks

Yesh

Y_Spirin
Y_SpirinAuthorAnswer
New Member
September 26, 2017

Hi! Here's the part of config. We're setting up RADIUS server, LDAP server, peer user and finally the user group which combines authentication by LDAP certificate and RADIUS name/password. ------------------------------------- config user radius   edit "DCSRV.RADIUS"     set server "10.1.1.1"     set secret ENC ****

    set auth-type ms_chap_v2   next end config user ldap   edit "DCSRV.ldap"     set server "10.1.1.1"     set cnid "userPrincipalName"     set dn "dc=company,dc=local"     set type regular     set username "fortigate_ldap"     set password ENC ****     set secure ldaps     set ca-cert "CA_Cert_1"     set port 636   next end

config user peer   edit "LDAP.certificate.check"     set ca "CA_Cert_1"     set ldap-server "DCSRV.ldap"     set ldap-mode principal-name   next end config user group

  edit "G.VPN.Admins"     set member "DCSRV.RADIUS" "LDAP.certificate.check" <-- LDAP.certificate.check is peer user from above     config match       edit 1         set server-name "DCSRV.RADIUS"         set group-name "SSL_VPN_Admins" <-- See below about SSL_VPN_Admins       next     end   next

end -------------------------------------

My RADIUS server is Microsoft NPS. Check this article for NPS setup guidance http://cookbook.fortinet.com/ssl-vpn-radius-authentication/. So what happens when VPN user tries to authenticate? First, Fortigate checks if the certificate passed by user is trusted (issued by Root CA which is identified by CA_Cert_1 certificate). Then user's name and password are passed to NPS which checks by Network Policies if these credentials belong to specific AD group. If they do then NPS answers to Fortigate with permission and sends the group name string which set up in policy's custom attribute. Fortigate checks if this group name equals to string which is in "set group-name" config. If it is a match then Fortigate successfully authenticates the user.

 

Feel free to ask questions about this config. I'll be glad to help.

 

Regards,

Yuri

yesh
yesh
New Member
September 26, 2017

Thanks for sharing the details. 

Terms & ConditionsAccessibility statement