rleon
Staff
Description
This article shows how to configure administrator certificate based authentication on the FortiGate.

The following certificates are required to configure Admin certificate authentication:
- User certificate
- CA root certificate that signed the user certificate

Solution
To configure Admin certificate based authentication, follow the steps below:

On the FortiGate:

1) Enable the “Certificate Feature” if not enabled (Go to System -> Feature Select)

2) Import the CA certificate under external CA Certificates (Go to System -> Certificates -> Import -> CA Certificate).
Once imported, the certificate is shown as CA_Cert_1 (if a second CA certificate is imported, it is shown as CA_Cert_2, and so on).


3) Create a PKI user:
#config user peer
edit pki-admin
set ca CA_Cert_1
end
4) Add the PKI user to a firewall group:
#config user group
edit PKI-group
set member pki-admin
end
5) Create an admin user, enable peer authentication, and select the created group:
#config system admin
edit admin-username
set peer-auth enable
set accprofile "super_admin"
set peer-group "PKI-group"
end
On the client PC:

1) Import the user certificate on the web browser, and verify that the certificate is in the "Personal Store".

Results:
When accessing the FortiGate web GUI, the browser prompts the user to select the user certificate to authenticate with:

[Screenshot login.PNG: browser certificate selection prompt]


Troubleshooting:

Debugging the fnbamd daemon on the FortiGate shows that the certificate presented by the user is checked against the CA imported on the FortiGate, and that the peer user is then matched against the configured group:
FGT-5_4 # di de application fnbamd -1
FGT-5_4 # di de en
FGT-5_4 # [2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1922] fnbamd_auth_cert_start-Cert subject 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813

FGT-5_4 # get system admin list
username   local    device                         vdom     profile      remote                 started    
admin      ssh      port9:10.10.10.20:22           root     super_admin  192.168.200.100:51326  2016-12-19 12:50:13
admin-username https    port9:10.10.10.20:443          root     super_admin  192.168.200.100:51740  2016-12-19 13:02:59
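As an added example (not part of the original article), the following Python script parses the fnbamd debug output shown above and reports whether the certificate chain anchored on an imported CA, which group matched, and the final result code; the failure sample is constructed by truncating the captured output before the trusted CA is found.

```python
import re

# fnbamd debug output captured in the article (success case); line order and
# fields are exactly as FortiGate printed them.
SUCCESS_LOG = """[2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1922] fnbamd_auth_cert_start-Cert subject 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813"""

# Constructed failure sample: the same session truncated after the issuer line,
# i.e. no "Trusted CA found" / group match / final result lines are present.
FAILED_LOG = "\n".join(SUCCESS_LOG.splitlines()[:4])

PATTERNS = {
    "req_id":        re.compile(r"Rcvd auth_cert req id=(\d+)"),
    "subject":       re.compile(r"check_cert-Subject name '([^']*)'"),
    "issuer":        re.compile(r"check_cert-Issuer name '([^']*)'"),
    "trusted_ca":    re.compile(r"chain_verify-Trusted CA found: (\S+)"),
    "matched_group": re.compile(r"cert_check_group_list-Matched group '([^']*)'"),
    "result":        re.compile(r"Sending result (\d+) \(error (\d+)\) for req (\d+)"),
}

def parse_dn(dn):
    """Turn "C = US, ST = Florida, CN = user" into {"C": "US", "ST": "Florida", "CN": "user"}."""
    return dict(part.split(" = ", 1) for part in dn.split(", "))

def parse_fnbamd_cert_auth(log):
    """Summarise one fnbamd auth_cert request from its debug output."""
    info = {"req_id": None, "subject": None, "issuer": None, "trusted_ca": None, "matched_group": None, "result": None}
    for line in log.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "result":
                info["result"] = int(m.group(1))  # 0 = success
            elif key in ("subject", "issuer"):
                info[key] = parse_dn(m.group(1))
            else:
                info[key] = m.group(1)
    # Success requires a chain anchored on an imported CA, a matched peer group and result 0.
    info["success"] = info["trusted_ca"] is not None and info["matched_group"] is not None and info["result"] == 0
    return info
```

Compare the issuer CN the script extracts with the CA certificate you imported under System -> Certificates: a mismatch there is the usual reason no "Trusted CA found" line appears.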
