Skip to main content
Adrianoebm
Adrianoebm
Explorer
May 26, 2022
Solved

VPN Client to Site question.

  • May 26, 2022
  • 3 replies
  • 2695 views

Hello.

We had recently a security breach in our company (a user breach), the user shared his credentials to another user who access the LAN during vacation.

The user logged using a cached user then connect to the vpn using a friend credentials.

Is there a way to avoid this?

I mean forced a Forticlient login to a specific computer, if it doen´t match drop the connection.

In Windows i did that using Active Directory but it don´t apply the rule to the vpn.

Thank you.

Best answer by Adrianoebm

Thanks for answering.

I found this tutorial using SSL certificates, it will help.

Our vpn client-to-site isn´t SSL but IPSEC.

I´m not the administrator of the Fortigate, he told me that was impossible to do it.

I did the same scheme i need using PfSense (I´m the admin) and it worked very well.

This is the tutorial, thank you.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-certificate-authentication

 

3 replies

pminarik
Staff
pminarik
Staff
May 26, 2022

If the intended user was willing to give out their laptop and credentials (and any other relevant passwords), then there's very little you can do with this IT-wise.

2FA could be implemented, but what's stopping the user for giving their 2FA token to the other person as well? What you are dealing with is pretty much a perfect and thorough, and voluntary, identity theft, at least as far as logins are concerned.

 

Implementing biometrics into the login flow might be the solution for you. For example a biometric FIDO2 token. Fortinet does not currently offer any biometric tokens, so you would have to handle this through some third party. (and you would also first need to make sure that your new method is supported by FortiClient)

    Adrianoebm
    AdrianoebmAuthorAnswer
    Explorer
    May 26, 2022

    Thanks for answering.

    I found this tutorial using SSL certificates, it will help.

    Our vpn client-to-site isn´t SSL but IPSEC.

    I´m not the administrator of the Fortigate, he told me that was impossible to do it.

    I did the same scheme i need using PfSense (I´m the admin) and it worked very well.

    This is the tutorial, thank you.

    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-certificate-authentication

     

    pminarik
    Staff
    pminarik
    Staff
    May 26, 2022

    Perhaps the initial question needs to be re-phrased, because I understood it as the "other user" used the original user's computer as well. (potentially implied by "user logged using a cached user")

    If this is correct, then client-certificates will not help as they will be in the original user's computer that is being handed out to the "other user".

     

    If I misunderstood and the "other user" used a different/their own computer, then client certificates could work. This would have to be implemented as IKEv1 with certificate authentication + XAUTH. (IKEv2 cannot be configured to do both client-certificate and client-credentials verification)

    Do note that this approach is usually for preventing non-company devices from connecting. Client-certificates and client-username&password are validated independently, so if the "other user" used their own company-issued computer with their own certificate, that would not stop them from using the original user's credentials for the XAUTH phase.

    Adrianoebm
    AdrianoebmAuthor
    Explorer
    June 2, 2022

    Hello there, let me explain it correctly.

    User A was in Vacation, account has been blocked using active directory. 

    User B shared their forticlient credentials by phone to user A who logged in Windows using a cached password then connect to the VPN using user B credentials.

    My idea is to force them to only connect to the VPN using their own company devices.

    I know how to do it in PfSense using (user Certificates / Auth) but in this Fortigate 100E i don´t, our VPN has been configured (not by me) as VPN-IPSEC instead of SSL-VPN, assuming SSL works i will must configure all from scratch.

    Thank you.

     

    seshuganesh
    Staff
    seshuganesh
    Staff
    May 26, 2022

    Hi Team,

     

    You can use this article for the same:

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337

    https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/32970/configuring-os-and-host-check

    But it requires license

    https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/60d49634-161e-11ea-9384-00505692583a/forticlient-6.2.3-macos-release-notes.pdf

    For the latest versions

    FortiClient 6.2.0, FortiClient EMS 6.2.0, and FortiOS 6.2.0 introduce a new licensing structure for managing
    endpoints running FortiClient 6.2.0+. See Upgrading from previous FortiClient versions on page 7 for more
    information on how the licensing changes upon upgrade to 6.2.0+. Fortinet no longer offers a free trial license
    for ten connected FortiClient endpoints on any FortiGate model running FortiOS 6.2.0+. EMS 6.2.3 supports a
    30-day trial license with ten FortiClient seats.

      Terms & ConditionsAccessibility statement