gpinero
New Member
May 29, 2020
Solved

VPNSSL: Two factor LDAP + Certificate

  • May 29, 2020
  • 2 replies
  • 9987 views

Is it possible to do this in VPNSSL? Client certificate plus LDAP username and password for authentication.

 

And a bit more complex: client certificate matching UPN with the LDAP username. The client certificate is only valid for the user that is trying to authenticate through the VPN.

 

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-certificate-authentication

 

Thanks

 


    2 replies

    emnoc
    New Member
    May 29, 2020

    Yes, you could do that; the two are mutually linked though. The certificate is validated by your auth-rule, and the remote-auth LDAP in your case would look at the user+password.

     

    You can even do cert+remote-auth+otp if you want (example using Duo for the OTP):

     

    http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html

     

    Basically, the above eliminates FortiToken. So if you have an MFA platform like Duo you do NOT need to add more by maintaining FortiToken.

     

    Ken Felix

     

    gpinero (Author)
    New Member
    May 29, 2020

    Hi emnoc,

    I have PrivacyIDEA + TOTP working without issues for tunnel mode, but now I'd like to achieve client cert + Active Directory auth (LDAP) two-factor only for web mode. In summary I have two scenarios:

    1- One realm /corp using PrivacyIDEA with LDAP auth + TOTP, using RADIUS as auth server (PI).
    2- Default realm / auth using cert + LDAP, but not working using this guide: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-certificate-authentication

    As you said, with this guide I can check that the client cert is valid only for this user (UserPrincipalName), right? What is the second factor applied here? LDAP user+password? My problem is that a user with a valid certificate can log in to the SSL VPN portal with only the certificate; the login password is never prompted.

    Thanks for your help. Best regards.

    emnoc
    New Member
    May 29, 2020

    How is your auth-rule defined for each realm? I would also run "diag debug sslvpn" and review the messages to see what errors there are, if any. If you do use peer or peergroups, that would also be good.

     

    Can you dump the subject line of one of the user-certificates so we can see the structure (just sanitize it)?

     

    Ken Felix
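An added illustration, not from any poster in this thread and not FortiOS configuration, of two things raised above: the certificate structure emnoc asks to see, and the UPN-to-account binding gpinero is after. In certificates issued by an Active Directory enrollment template the UPN is normally carried in the Subject Alternative Name as an otherName with OID 1.3.6.1.4.1.311.20.2.3, not in the subject CN. The script constructs such a SAN value for a made-up user, extracts the UPN with a minimal stdlib DER parser, and then checks it against the userPrincipalName a stand-in directory lookup returns for the login name, which is the comparison a "cert is only valid for this user" rule has to make after the password check. The `DIRECTORY` dict, the account names and the domain `corp.example` are assumptions for the example.

```python
"""Where the UPN lives in a user certificate and how it binds to the LDAP account.
Added example, stdlib only; the SAN value and the directory are constructed
(assumed names, domain corp.example). Not FortiOS code."""
from typing import Iterator, Optional, Tuple

# Microsoft User Principal Name otherName (szOID_NT_PRINCIPAL_NAME)
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def _der_len(n: int) -> bytes:
    """Definite-form DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, payload: bytes) -> bytes:
    """One DER TLV."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Dotted notation from the body of an OBJECT IDENTIFIER TLV."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLVs of a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def build_san(upn: str, email: str) -> bytes:
    """GeneralNames with an otherName UPN [0] and an rfc822Name [1], the shape an
    AD enrollment template produces for a user certificate (constructed sample)."""
    other_name = der(0xA0, encode_oid(UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8"))))
    rfc822 = der(0x81, email.encode("ascii"))
    return der(0x30, other_name + rfc822)


def extract_upn(san: bytes) -> Optional[str]:
    """UPN from a DER GeneralNames value, or None when the certificate carries none."""
    tag, names, _ = read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE OF GeneralName")
    for tag, value in iter_tlvs(names):
        if tag != 0xA0:                       # only otherName [0] can carry a UPN
            continue
        oid_tag, oid_body, pos = read_tlv(value, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != UPN_OID:
            continue
        wrap_tag, wrapped, _ = read_tlv(value, pos)   # otherName value is [0] EXPLICIT
        inner_tag, upn, _ = read_tlv(wrapped, 0)
        if wrap_tag != 0xA0 or inner_tag != 0x0C:     # a UTF8String is expected inside
            raise ValueError("malformed UPN otherName")
        return upn.decode("utf-8")
    return None


# Constructed stand-in for an LDAP lookup: sAMAccountName -> userPrincipalName.
DIRECTORY = {
    "jdoe": "jdoe@corp.example",
    "asmith": "asmith@corp.example",
}


def cert_belongs_to(login: str, san: bytes) -> bool:
    """Second check after username+password: the UPN in the presented certificate must
    equal the UPN of the account that just authenticated (AD UPNs are case-insensitive),
    so a valid certificate issued to another user cannot be paired with this login."""
    ldap_upn, cert_upn = DIRECTORY.get(login), extract_upn(san)
    if not ldap_upn or not cert_upn:
        return False
    return cert_upn.casefold() == ldap_upn.casefold()


if __name__ == "__main__":
    san = build_san("jdoe@corp.example", "jdoe@corp.example")
    print("UPN in cert:", extract_upn(san), "| jdoe:", cert_belongs_to("jdoe", san),
          "| asmith with jdoe's cert:", cert_belongs_to("asmith", san))
```

Running it shows the UPN being read back from the SAN and the binding succeeding for jdoe but failing for asmith presenting jdoe's certificate; a certificate with only an rfc822Name and no UPN otherName yields None and is rejected as well.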

     

    Woodsy1976
    New Member
    July 29, 2020

    @gpinero

    Did you manage to get this working in your environment?

     

    Thanks

     

     

    gpinero (Author, Answer)
    New Member
    July 29, 2020

    Hi, yes... you can check this post for 2FA using PI

    https://www.error509.com/2020/05/fortigate-2fa-con-freeradius-y-privacyidea/

     

    About the UPN check in the user certificate: this is not possible with FortiGate, unless you manually enter all the users into FortiGate (as user peers, as emnoc said), which is not highly recommended if you're using LDAP.

     

     

    Woodsy1976
    New Member
    July 29, 2020

    @gpinero

    Thanks for the information.