Description
This article describes how to setup SSL VPN with client authentication using certificate and second factor authentication.
Scope
In this scenario, general SSL VPN configuration is setup already.
Related document.
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/690301/configuring-the-ssl-vpn-tunnel
Solution
1) Install the server certificate. The server certificate is used for authentication and for encrypting SSL VPN traffic.
- Go to System -> Feature Visibility and ensure 'Certificates' is enabled.
- Go to System -> Certificates and select 'Import' -> Local Certificate.
- Set Type to Certificate.
- Choose the Certificate file and the Key file for the certificate, and enter the Password.
- If required, change the 'Certificate Name'.
The server certificate now appears in the list of Certificates.
2) Install the CA certificate.
The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.
- Go to System -> Certificates and select 'Import' -> CA Certificate.
- Select Local PC and then select the certificate file.
The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.
3) Configure PKI users and a user group.
- To use certificate authentication, use the CLI to create PKI users.
# config user peer
edit "pki01"
set ca "CA_Cert_1"
set subject "user"
set two-factor enable <-----
set passwd pa$$word
next
end
- Ensure that the subject matches the name of the user certificate. In this example, user.
- When a PKI user is created, a new menu is added to the GUI.
4) Go to VPN -> SSL-VPN Settings, set 'Server Certificate' to the 'authentication certificate'.
Enable Require Client Certificate.
5) Make sure of the following:
- The username is already added in the group called in SSL VPN settings.
- The username is added in the security policies.
6) To use the user certificate, first install it on the user’s PC.
When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that it matches.
Every user has to have a unique user certificate.
This allows to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.
Make sure to add the user certificate in the personal store of the current user.
7) While connecting Forticlient, enable 'Client Certificate' and select the user certificate.
8) To use two factor authentication then select the 'Authentication' option to 'Prompt on login/save login'.
Enable Require Client Certificate.
5) Make sure of the following:
- The username is already added in the group called in SSL VPN settings.
- The username is added in the security policies.
6) To use the user certificate, first install it on the user’s PC.
When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that it matches.
Every user has to have a unique user certificate.
This allows to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.
Make sure to add the user certificate in the personal store of the current user.
7) While connecting Forticlient, enable 'Client Certificate' and select the user certificate.
8) To use two factor authentication then select the 'Authentication' option to 'Prompt on login/save login'.
With Two-factor Authentication on FortiClient.
Note.
User will the object name of the PKI-User, in this example it is pki01.
User will the object name of the PKI-User, in this example it is pki01.
