Andizer
Explorer II
March 28, 2024
Question

SSL VPN Settings Client Certificate

  • March 28, 2024
  • 3 replies
  • 1573 views

Hello,

I want to use LDAP + Client Certificate for my SSL VPN.

We use like 20 SSL VPN Portals.

Do I understand correctly that I can either use certificate authentication for everyone or for no one? I only want to use it for certain portals.

Thanks

3 replies

johnathan
Staff
March 28, 2024

This is possible. You have the option to apply it to the Group - Portal mapping.
See this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SSL-VPN-client-certificate/ta-p/255402

Never trust a computer you can't throw out a window.
Sheikh
Staff
March 28, 2024

Andizer (Author)
Explorer II
March 29, 2024

That was very helpful, thank you.

However, I have a small problem.
If I remove the user peer, pretty much any certificate that the FortiGate can cross-check is allowed.

Now I only want to allow certificates from a specific CA.

config vpn ssl settings
    config authentication-rule
        edit 13
            set groups "vpn_user_systems_admin-2fa"
            set portal "bbw-systems_admin-2fa"
            set client-cert enable
            set user-peer "CA_Cert_3"
        next
    end
end

While using the user-peer, I can't connect anymore.

config user peer
    edit "CA_Cert_3"
        set ca "CA_Cert_3"
    next
end

I am sure I am missing something.

Additional question: can I set a wildcard, like "set cn .company.de"?

*Certificate selection looks fine inside my FortiClient.

Thanks
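The thread establishes two points: client-certificate checking can be switched on per Group-Portal mapping (johnathan's reply), and a user peer pinned to a CA is what restricts which certificates are accepted (the author's second post). The following FortiOS CLI snippet is an added example written for this page; it is not the poster's configuration nor text from the linked Fortinet document. The CA, group and portal names in rule 13 are the ones that appear in the thread; the second rule's group "vpn_user_standard" and portal "bbw-standard" are assumed placeholders standing in for any of the other portals that should keep working without a certificate. It shows the complete structure of both blocks together, with only the admin portal requiring a certificate from CA_Cert_3.

```fortios
# Added example, not from the thread. Names in rule 13 come from the
# original post; "vpn_user_standard" and "bbw-standard" are assumed.

# 1. A user peer pinned to one CA. "CA_Cert_3" must be the name of a CA
#    already imported on the unit (it lives under "config vpn certificate ca");
#    a client certificate is only accepted if its chain ends at that CA.
config user peer
    edit "CA_Cert_3"
        set ca "CA_Cert_3"
    next
end

# 2. Keep the global requirement off so portals are not all forced to
#    present a certificate, then require it only in the mapping that needs it.
config vpn ssl settings
    set reqclientcert disable
    config authentication-rule
        # Admin portal: LDAP group membership AND a certificate from CA_Cert_3.
        edit 13
            set groups "vpn_user_systems_admin-2fa"
            set portal "bbw-systems_admin-2fa"
            set client-cert enable
            set user-peer "CA_Cert_3"
        next
        # Any other portal: LDAP group membership only, no certificate prompt.
        edit 14
            set groups "vpn_user_standard"
            set portal "bbw-standard"
            set client-cert disable
        next
    end
end
```

Before troubleshooting a failed connection with `user-peer` set, confirm that the name given in `set ca` matches an entry listed by `show vpn certificate ca` and that the certificate FortiClient selects actually chains to that CA (an intermediate CA in the chain has to be imported too); a peer that references a CA the unit cannot match will reject every certificate, which looks from the client side like an authentication failure rather than a certificate error.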