Created on 12-02-2019 06:28 AM Edited on 03-24-2022 12:11 PM By Anonymous
Description
This article describes how to set up RADIUS authentication in addition to requiring client certificates for SSL VPN authentication.
Fortinet Documentation:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/490351/ssl-vpn-authentication
Scope
FortiGate 6.2.2 and higher.
Solution
Combining RADIUS/LDAP authentication with a requirement for specific client certificates for SSL VPN is possible.
FortiGate cannot, however, combine a 'user peer' entry (required to specify which certificates match) directly with a 'user LDAP' or 'user RADIUS' entry and require a login attempt to match both; the certificate requirement is instead enforced in the SSL VPN settings and authentication rules, while the RADIUS/LDAP user group is referenced by the authentication rule.
To achieve this, follow the steps below:
1) User peer for certificate matching.
# config user peer
edit "cert-user"
set ca "CA_1"
set subject "OU = your_org"
next
end
2) RADIUS (or LDAP) server.
# config user radius
edit "Radius"
set server "10.0.0.1"
set secret ENC XXXX
next
end
# config user ldap
edit "LDAP"
set server "10.0.0.2"
set dn "OU=your_org,DC=domain,DC=org"
set type regular
set user "CN=admin,OU=your_org,DC=domain,DC=org"
set password ENC XXX
next
end
3) User group.
# config user group
edit "radius-group"
set member "Radius"
config match
edit 1
set server-name "Radius"
set group-name "VPN-test"
next
end
next
edit "ldap-group"
set member "LDAP"
next
[...]
end
4) VPN SSL settings.
# config vpn ssl settings
set reqclientcert enable
set user-peer "cert-user"
set servercert "vpn-server-cert"
set tunnel-ip-pools "tunnel-ip-pool"
set port 443
set source-interface "wan1"
set source-address all
set default-portal "tunnel-access"
config authentication-rule
edit 1
set group "test-group"
set client-cert enable
set user-peer "cert-user"
next
edit 2
[...]
end
end
Advanced Setup: Mixing authentication with and without certificate requirements
Allowing both authentication with and without user certificates in the same general SSL VPN setup is more complicated, because of the order in which FortiGate checks client certificates and matches realms.
This requires at least two SSL VPN realms and a DNS record for each realm, all resolving to the SSL VPN interface IP.
- Two DNS records, cert.domain.org and nocert.domain.org, resolving to the FortiGate VPN interface IP (such as the wan1 IP)
- Two VPN realms matching the DNS records
# config vpn ssl web realm
edit realm-1
set virtual-host "cert.domain.org"
next
edit realm-2
set virtual-host "nocert.domain.org"
next
[...]
end
- The FortiGate server certificate must be a wildcard certificate (*.domain.org) or include the two DNS names above as Subject Alternative Name entries.
- Each realm needs to match an authentication rule:
# config vpn ssl settings
config authentication-rule
edit 1
set realm realm-1
next
edit 2
set realm realm-2
next
[...]
end
end
- The Server Name Indication (SNI) extension in the TLS handshake lets the FortiGate match the correct authentication rule at the start of the connection and require a client certificate accordingly.
Careful:
- In 6.2, if the above is not configured, FortiGate may fall through to authentication rules that do not require client certificates.
- In 6.4, if the above is configured, it may impose certificate requirements on any realm accessed via the default URL https://<FortiGate>/<realm>
A configuration option was introduced in 6.4 to address these unintended certificate requirements for realms accessed via https://<FortiGate>/<realm>:
# config vpn ssl web realm
edit <realm>
set virtual-host-only enable
next
[...]
end
This setting enforces access to the specified realm via its virtual host only (https://<realm>.<FortiGate>) and ensures that the realm cannot be reached via the default URL (https://<FortiGate>/<realm>).
It must be set on every realm that carries a certificate requirement, so that certificate checks are performed only for those virtual-host realms, and other virtual-host realms (and non-virtual-host realms) do not trigger a client certificate request.
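Because both the server-certificate requirement (wildcard or SAN entries for each realm virtual host) and the 'virtual-host-only enable' rule are easy to miss in a long CLI dump, here is an added example, written for this article and not Fortinet's own code, that audits both from a FortiOS config backup. The sample configuration and the SAN list are constructed for the example; parse_fortios, san_covers and audit are the example's own helpers, and the toy parser handles only the config/edit/set/next/end keywords.

```python
"""Audit FortiOS SSL VPN realms and authentication rules (added example).

Checks two points from the article:
  1. each realm virtual-host is covered by the server certificate's SAN list
     (exact name or a single-label wildcard such as *.domain.org);
  2. each realm referenced by an authentication rule with 'client-cert enable'
     also has 'virtual-host-only enable', so certificate checks are not
     triggered for other realms reached via https://<FortiGate>/<realm>.
The config text and SAN list below are constructed for this example.
"""
from typing import Dict, List

# Constructed sample CLI dump; realm-3 deliberately lacks 'virtual-host-only'.
SAMPLE_CONFIG = """
config vpn ssl web realm
    edit "realm-1"
        set virtual-host "cert.domain.org"
        set virtual-host-only enable
    next
    edit "realm-2"
        set virtual-host "nocert.domain.org"
    next
    edit "realm-3"
        set virtual-host "legacy.domain.org"
    next
end
config vpn ssl settings
    set reqclientcert enable
    config authentication-rule
        edit 1
            set realm "realm-1"
            set client-cert enable
        next
        edit 2
            set realm "realm-2"
        next
        edit 3
            set realm "realm-3"
            set client-cert enable
        next
    end
end
"""

Table = Dict[str, Dict[str, str]]


def parse_fortios(config: str) -> Dict[str, Table]:
    """Toy FortiOS CLI parser: {config path: {edit name: {key: value}}}.

    'set' lines outside any 'edit' are stored under the entry name "".
    Nested 'config' blocks get a '/'-joined path (the enclosing 'edit' is
    not recorded, which is sufficient for the two tables audited here).
    """
    tables: Dict[str, Table] = {}
    frames: List[List] = []  # one [config name, current edit name] per open block

    def path() -> str:
        return "/".join(f[0] for f in frames)

    for raw in config.splitlines():
        cmd, _, rest = raw.strip().partition(" ")
        if cmd == "config":
            frames.append([rest.strip(), None])
            tables.setdefault(path(), {})
        elif cmd == "edit":
            frames[-1][1] = rest.strip().strip('"')
            tables[path()].setdefault(frames[-1][1], {})
        elif cmd == "set":
            key, _, value = rest.strip().partition(" ")
            entry = tables[path()].setdefault(frames[-1][1] or "", {})
            entry[key] = value.strip().strip('"')
        elif cmd == "next":
            frames[-1][1] = None
        elif cmd == "end":
            frames.pop()
    return tables


def san_covers(hostname: str, san_names: List[str]) -> bool:
    """True if hostname matches a SAN exactly or via a leftmost-label wildcard.

    RFC 6125 style: '*' must be the whole leftmost label and matches exactly
    one label, so '*.domain.org' covers cert.domain.org but not domain.org
    or a.b.domain.org.
    """
    host = hostname.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in san_names):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def audit(config: str, server_cert_sans: List[str]) -> List[str]:
    """Return findings as strings; an empty list means both checks pass."""
    tables = parse_fortios(config)
    realms = tables.get("vpn ssl web realm", {})
    rules = tables.get("vpn ssl settings/authentication-rule", {})
    findings = []
    for name, attrs in realms.items():
        vhost = attrs.get("virtual-host")
        if vhost and not san_covers(vhost, server_cert_sans):
            findings.append(f"realm {name}: virtual-host {vhost} is not covered by the server cert SANs")
    for rule_id, attrs in rules.items():
        if attrs.get("client-cert") != "enable":
            continue
        realm = attrs.get("realm")
        if realms.get(realm, {}).get("virtual-host-only") != "enable":
            findings.append(f"auth rule {rule_id}: realm {realm} requires a client cert but lacks 'virtual-host-only enable'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["*.domain.org"]):
        print("FINDING:", finding)
```

Run against a real backup by replacing SAMPLE_CONFIG with the file contents and the SAN list with the names taken from the certificate bound by 'set servercert'; with the constructed input above the script reports the one realm that is reachable via the default URL while still carrying a certificate requirement.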
Copyright 2023 Fortinet, Inc. All Rights Reserved.