Technical Tip: Combining remote user authentication and client certificates in SSL VPN

Debbie_FTNT · ‎12-02-2019

Description

This article describes how to set up RADIUS authentication in addition to requiring client certificates for SSL VPN authentication.

Fortinet Documentation:
SSL VPN authentication

Scope

FortiGate v6.2.2 and higher.

Solution

Combining RADIUS/LDAP authentication and requiring specific client certificates for SSL VPN is possible.
FortiGate can now (starting firmware 6.2.2) combine 'user peer' (required to specify what certificates match) and 'user LDAP/user RADIUS' and require login attempts to match both.

To achieve this, follow the steps below:

User peer for certificate matching.

config user peer
edit "cert-user"
set ca "CA_1"
set subject "OU = your_org"
next
end

RADIUS (or LDAP) server.

config user radius
edit "Radius"
set server "10.0.0.1"
set secret ENC XXXX
next
end

config user ldap
edit "LDAP"
set server "10.0.0.2"
set dn "OU=your_org,DC=domain,DC=org"
set type regular
set user "CN=admin,OU=your_org,DC=domain,DC=org"
set password ENC XXX
next
end

User group.

config user group
edit "radius-group"
set member "Radius"
config match
edit 1
set server-name "Radius"
set group-name "VPN-test"
end
next
edit "ldap-group"
set member "LDAP"
next
[...]
end

VPN SSL settings.

config vpn ssl setting
set reqclientcert enable
set user-peer "cert-user"
set servercert "vpn-server-cert"
set tunnel-ip-pools "tunnel-ip-pool"
set port 443
set source-interface "wan1"
set source-address all
set default-portal "tunnel-access"
config authentication-rule
edit 1
set group "radius-group"
set client-cert enable
set user-peer "cert-user"
next
edit 2
[...]
end
end

Advanced Setup: Mixing authentication with and without certificate requirements.

Allowing both authentication with and without user certificates in the same general SSL VPN setup becomes a bit more complicated due to the order FortiGate applies to check certificates and match against realms.
This requires at least two SSL VPN realms and a DNS record for each realm, all resolving to the SSL VPN interface IP.

Two DNS A-records, cert.forti.lab and nocert.forti.lab resolving to FortiGate VPN interface IP (such as wan1 IP).
Two VPN realms match the DNS records.

config vpn ssl web realm

edit realm-1
set virtual-host "cert.forti.lab"
next
edit realm-2
set virtual-host "nocert.forti.lab"
next
[...]
end

FortiGate server certificate must be wildcard (*.forti.lab) or include the two DNS records above as Subject Alternative Name (SAN) entries.
Each realm needs to match an authentication rule:

config vpn ssl setting

config authentication rule
edit 1
set realm realm-1
next
edit 2
set realm realm-2
next
[...]
end
end

The Server Name Indication (SNI) attributes in the TLS handshake will allow the FortiGate to match the correct authentication rule at the beginning and require certificates accordingly.

Careful:

In v6.2, if the above is not configured, FortiGate may fall-through to authentication rules that do not require client certificates.
In v6.4, if the above is configured, this may cause certificate requirements for any realm accessed via the default URL https://<FortiGate>/<realm>.

A new configuration option was introduced in 6.4 regarding unintended certificate requirements for any realm accessed via https://<FortiGate>/<realm>.

config vpn ssl web realm
edit <realm>
set virtual-host-only enable
next
[...]
end

This setting enforces access to the specified realms via the virtual host only (https://<FortiGate>/), and ensures the realm in question cannot be visited via the default URL (https://<FortiGate>/<realm>).

This needs to be set for all realms associated with certificate requirements, so that certificate checks are only done for specified virtual-host realms, and any other virtual-host realms (and non-virtual-host realms) do not trigger a certificate request.

Technical Tip: Combining remote user authentication and client certificates in SSL VPN

You are leaving our website