Skip to main content
santosp
santosp
Visitor III
July 14, 2022
Question

SSL VPN with Certificate Authentication and 2FA

  • July 14, 2022
  • 2 replies
  • 3457 views

Hi All,

SSL VPN with certificate auth

We have SSL VPN set up with Radius NPS and Azure Authenticator app. There is a need to activate certificate auth to this existing set up. I have read couple of articles and understand that the every user should have a unique cert to distinguish them and a similar config for fortigate to create users. 

 

I am not sure whether we need to add 500 users via cli and match each user certificate. Or is there any better method to do the same.

 

2 replies

jhussain_FTNT
Staff
jhussain_FTNT
Staff
July 15, 2022

Hi,

 

Kindly refer the below document for SSL VPN with remote user authentication with the client certificate.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Combining-remote-user-authentication-and-client/ta-p/192577?externalID=FD47120

 

Regards

Jamal

Debbie_FTNT
Staff & Editor
Debbie_FTNT
Staff & Editor
July 15, 2022

Hey santosp,

I assume you're currently using RADIUS authentication, correct?

From FortiGate side, it's not really possible to add certificate authentication into this without creating local users FortiGate if you want this to be a stringent certificate check.

 

You have a few options:

- adding in one (or more) PKI user as outlined in the KB shared by my colleague Jamal

-> if you make the PKI user vague enough (a generic subject-string that all user certificates will contain), then you would only need one PKI user

-> PKI users can tie back to an LDAP server, but not a RADIUS server

- you can simply enable 'require client-cert' in the VPN settings

-> users would have to present a certificate that FortiGate trusts (signed by a CA FortiGate trusts, essentially), but not necessarily one that is uniquely theirs

- you could switch to IPSec VPN and IKEv2 to introduce EAP authentication and involve certificates that way, but this would be a major redesign

santosp
santospAuthor
Visitor III
July 20, 2022

Thank you Debbie. We want to do Cert+2FA. We have end users machines with intune deployed. Would need to explore if intune certs can be used via Forticlient.
Believe we can uses usernames in the intune presented certs in the subject section of the PKI user right ?  

Terms & ConditionsAccessibility statement