smaruvala
Staff
Article Id 372734
Description
This article explains FortiGate's behaviour when SSL client certificate authentication is enabled in an SSL VPN authentication rule.
Scope
FortiGate SSL VPN.
Solution
  • FortiGate supports client certificate authentication in its SSL VPN deployment. Administrators enable it per authentication rule in the SSL VPN settings.
  • Multiple authentication rules can be configured in the SSL VPN settings. If any one rule has client certificate authentication enabled, FortiGate sends the SSL certificate request to every client, regardless of the client certificate setting in the portal. The user information and the portal mapping are only determined once the SSL handshake has completed.
  • During the SSL handshake, it is not fatal if the client machine does not send a certificate in response to FortiGate's certificate request. Once the user is authenticated, FortiGate checks the user's group and the associated authentication rule. If that rule requires certificate authentication and no client certificate was sent during the initial handshake, FortiGate disconnects the SSL VPN connection. If the rule does not require certificate authentication, FortiGate establishes the SSL VPN without it.
  • For example, below is an SSL VPN configuration with two authentication rules. The group 'local-without-client-cert' does not require certificate authentication, but the group 'local-client_cert' does.


config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "local-without-client-cert"
            set portal "tunnel-access"
        next
        edit 3
            set groups "local-client_cert"
            set portal "tunnel-access"
            set client-cert enable ----> Client certificate authentication enabled
        next
    end
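To make the two-stage behaviour concrete, here is an added Python model (not code from the article or from FortiOS) that parses the authentication-rule block out of 'config vpn ssl settings' CLI text and reproduces the decision logic: a certificate request is sent at the handshake if any rule enables client-cert, but only the rule matched by the user's group decides whether a missing certificate is fatal. The sample configuration is constructed from the two rules above; the outcome strings are this example's own wording.

```python
import re

# Constructed sample: the two authentication rules from the article's config.
SAMPLE_CONFIG = """\
config authentication-rule
    edit 1
        set groups "local-without-client-cert"
        set portal "tunnel-access"
    next
    edit 3
        set groups "local-client_cert"
        set portal "tunnel-access"
        set client-cert enable
    next
end
"""

def parse_auth_rules(cli_text):
    """Extract authentication-rule entries from 'config vpn ssl settings' CLI text."""
    rules, current, in_block = [], None, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config authentication-rule":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = {"id": int(line.split()[1]), "groups": [], "client_cert": False}
        elif line == "next":
            rules.append(current)
        elif line.startswith("set groups "):
            current["groups"] = re.findall(r'"([^"]+)"', line)
        elif line == "set client-cert enable":
            current["client_cert"] = True
    return rules

def sends_cert_request(rules):
    # Handshake stage: if ANY rule enables client-cert, every client gets a certificate request.
    return any(r["client_cert"] for r in rules)

def login_outcome(rules, user_groups, cert_presented):
    # Post-login stage: only the rule matched by the user's group decides if a missing cert is fatal.
    for r in rules:  # first matching rule wins
        if set(r["groups"]) & set(user_groups):
            if r["client_cert"] and not cert_presented:
                return "disconnected: sslvpn_login_cert_checked_error"
            return "established"
    return "no matching authentication rule"
```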


  • SSL VPN debug on the FortiGate shows that FortiGate sends the client certificate request packet. Below is an example of the debug:


2025-01-27 20:23:40 [2030:root:20]SSL state:before SSL initialization (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:before SSL initialization (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]no SNI received
2025-01-27 20:23:40 [2030:root:20]client cert requirement: yes   ---> Client certificate authentication flag is set
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS read client hello (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write server hello (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write certificate (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write key exchange (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write certificate request (10.40.18.198) ---> FortiGate sending the client certificate request packet
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write server done (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write server done:(null)(10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write server done (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS read client certificate (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS read client key exchange (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS read change cipher spec (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS read finished (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write session ticket (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write change cipher spec (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write finished (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL state:SSL negotiation finished successfully (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2025-01-27 20:23:40 [2030:root:20]No client certificate
2025-01-27 20:23:40 [2030:root:20]req: /remote/info
2025-01-27 20:23:40 [2030:root:20]capability flags: 0x1cdf
2025-01-27 20:23:40 [2030:root:20]req: /remote/login


  • Once authentication completes, FortiGate determines which authentication rule the user matches, verifies that rule's client certificate requirement, and takes the required action. The debug below shows that the user belongs to the group mapped to the authentication rule that requires client certificate authentication. Because no client certificate was provided, FortiGate disconnected the SSL VPN session.


2025-01-27 20:23:40 [2030:root:20]fam_auth_send_req_internal:568 found node local-client_cert:0:, valid:1, auth:0
2025-01-27 20:23:40 [2030:root:20]Validated: auth_rsp_data.grp_list[0] = local-client_cert 
2025-01-27 20:23:40 [2030:root:20][fam_auth_send_req_internal:658] The user sample is authenticated.
2025-01-27 20:23:40 [2030:root:20]fam_do_cb:683 fnbamd return auth success.
2025-01-27 20:23:40 [2030:root:20]Require client certificate for sample
2025-01-27 20:23:40 [2030:root:20]login_failed:405 user[sample],auth_type=1 failed [sslvpn_login_cert_checked_error]
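When triaging this failure mode from a debug capture, the tell-tale sequence is 'client cert requirement: yes' at the handshake, 'No client certificate' once the session is established, and then 'Require client certificate for <user>' followed by a login_failed line carrying sslvpn_login_cert_checked_error. The following added Python (not part of the article) groups debug lines by their bracketed context and summarises each connection; the sample lines are constructed from the output shown above, and the reading of the bracketed prefix as a per-connection context key is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the article's SSL VPN debug output.
SAMPLE_DEBUG = """\
2025-01-27 20:23:40 [2030:root:20]client cert requirement: yes
2025-01-27 20:23:40 [2030:root:20]SSL state:SSLv3/TLS write certificate request (10.40.18.198)
2025-01-27 20:23:40 [2030:root:20]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2025-01-27 20:23:40 [2030:root:20]No client certificate
2025-01-27 20:23:40 [2030:root:20]req: /remote/login
2025-01-27 20:23:40 [2030:root:20]Require client certificate for sample
2025-01-27 20:23:40 [2030:root:20]login_failed:405 user[sample],auth_type=1 failed [sslvpn_login_cert_checked_error]
"""

# '<date> <time> [context]<message>'; the bracketed context is assumed to identify one connection.
LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\](.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def triage_sslvpn_debug(text):
    """Group debug lines by connection context and explain client-certificate failures."""
    conns = defaultdict(lambda: {"ip": None, "cert_requested": False,
                                 "cert_presented": None, "user": None, "result": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, ctx, msg = m.groups()
        c = conns[ctx]
        ip = IP_RE.search(msg)
        if ip:
            c["ip"] = ip.group(1)
        if msg.startswith("client cert requirement: yes"):
            c["cert_requested"] = True          # some rule has 'set client-cert enable'
        elif msg.startswith("No client certificate"):
            c["cert_presented"] = False         # not fatal yet: the handshake still completes
        elif msg.startswith("Require client certificate for "):
            c["user"] = msg.split("for ", 1)[1].strip()
        elif "login_failed" in msg and "sslvpn_login_cert_checked_error" in msg:
            c["result"] = "disconnected: matched rule requires a client cert, none presented"
        elif "login_failed" in msg:
            c["result"] = "login failed: " + msg.strip()
    return dict(conns)
```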
