This article describes how to configure SSL VPN authentication with a computer (machine) certificate. The computer certificate is issued by a Windows Certificate Authority and installed on the endpoint via Windows Group Policy; the FortiGate validates the certificate against the issuing CA, takes the dNSName from the certificate's Subject Alternative Name, looks up the matching computer object in Active Directory over LDAPS and authorizes the tunnel based on that object's group membership. No user credentials are involved, so the connection is authorized by the device rather than by the person logged on to it.
Scope: FortiGate.
LDAP Configuration:
config user ldap
    edit "LDAP_AD"
        set server "10.218.0.11"
        set cnid "cn"
        set dn "dc=nat,dc=local"
        set type regular
        set username "nathan"
        set password <password>
        set secure ldaps
        set port 636
        set account-key-upn-san dnsname
        set account-key-filter "(&(dNSHostName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end
With 'account-key-upn-san dnsname', the FortiGate takes the dNSName from the client certificate's Subject Alternative Name and substitutes it for %s in 'account-key-filter'. The computer object is therefore located by its dNSHostName attribute rather than by the cnid attribute. The second clause of the filter uses the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) on userAccountControl to exclude any object whose ACCOUNTDISABLE bit (0x2) is set, so a computer account that has been disabled in Active Directory is rejected even if it still holds a valid certificate. The regular bind account ('nathan') only needs read access to the computer objects and their memberOf attribute; with 'secure ldaps' on port 636 the LDAP session is protected by TLS, and the CA that issued the domain controller's certificate should be imported on the FortiGate and referenced with 'set ca-cert' so that the LDAPS server certificate is actually verified.
SSL VPN Configuration:
config user peer
    edit "Peer_PKI"
        set ca "CA_Cert_1"
        set ldap-server "LDAP_AD"
        set ldap-mode principal-name
    next
end
The peer user ties the two halves together: "CA_Cert_1" is the Windows CA certificate imported on the FortiGate, and only client certificates that chain to it are accepted. 'ldap-mode principal-name' tells the FortiGate to identify the certificate holder by the principal name taken from the certificate (here the dNSName SAN, as configured on the LDAP server) instead of prompting for an LDAP password.
config user group
    edit "Allowed_Computers"
        set member "LDAP_AD" "Peer_PKI"
        config match
            edit 1
                set server-name "LDAP_AD"
                set group-name "CN=Computer Group,CN=Users,DC=nat,DC=local"
            next
        end
    next
end
The group-name must be the full distinguished name of the AD group exactly as it appears in the computer object's memberOf attribute; the debug output further down shows this DN comparison.
config vpn ssl settings
    set servercert "sslvpn.nat.local"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "Allowed_Computers"
            set portal "full-access"
            set client-cert enable
        next
    end
end
'client-cert enable' on the authentication rule makes the FortiGate request a client certificate for connections evaluated against this rule; the certificate is validated against the CA configured on the peer user, and the rule is matched only if the group check on the resulting AD object succeeds.
config firewall policy
    edit 3
        set name "SSLVPN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "10.218.0.0_24"
        set schedule "always"
        set service "ALL"
        set groups "Allowed_Computers"
    next
end
The policy is restricted to the "Allowed_Computers" group, so only tunnels that were authorized by the computer certificate check reach 10.218.0.0/24. 'service ALL' is used for the example; in production narrow it to the services the managed computers actually need.
Debugs:
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug enable
The output below is from a successful connection by Nathan-PC. The sequence to look for is: fnbamd walks the members of 'Allowed_Computers', finds that 'Peer_PKI' is the peer user and reads the certificate subject; it extracts the dNSName ('Nathan-PC.nat.local') and expands the account-key-filter with it; it binds to 10.218.0.11 with the regular bind account, searches for the computer DN under dc=nat,dc=local, reads the object's memberOf attribute and then runs a separate primary-group query by objectSid (the primary group, Domain Computers by default, is never listed in memberOf); finally the retrieved group DN is matched against the group-name configured under 'Allowed_Computers' and the sslvpn daemon selects the 'full-access' portal from authentication rule 1. Note also 'ocsp_enabled=0' and 'Leaf cert status is unchecked': no revocation check was performed in this setup, so a revoked computer certificate would still be accepted unless the CA's CRL is imported on the FortiGate or OCSP is enabled. Disable debugging afterwards with 'diag debug disable'.
2023-09-15 14:56:39 [675] fnbamd_cert_check_group_list-checking group with name 'Allowed_Computers'
2023-09-15 14:56:39 [490] __check_add_peer-check 'LDAP_AD'
2023-09-15 14:56:39 [492] __check_add_peer-'LDAP_AD' is not a peer user.
2023-09-15 14:56:39 [490] __check_add_peer-check 'Peer_PKI'
2023-09-15 14:56:39 [366] peer_subject_cn_check-Cert subject 'CN = Nathan-PC.nat.local'
2023-09-15 14:56:39 [77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'Peer_PKI'
2023-09-15 14:56:39 [237] fnbamd_peer_remote_server_push-Adding 1 matching rules to 'LDAP_AD'
2023-09-15 14:56:39 [497] __check_add_peer-'Peer_PKI' check ret:pending
2023-09-15 14:56:39 [709] fnbamd_cert_check_group_list-LDAP servers
2023-09-15 14:56:39 [712] fnbamd_cert_check_group_list- 'LDAP_AD', (Principle-Name), ref=2
2023-09-15 14:56:39 [191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2023-09-15 14:56:39 [738] fnbamd_cert_check_group_list-Peer users
2023-09-15 14:56:39 [741] fnbamd_cert_check_group_list- 'Peer_PKI' ('LDAP_AD','N/A')
2023-09-15 14:56:39 [874] __cert_verify_do_next-req_id=1060112749
2023-09-15 14:56:39 [99] __cert_chg_st- 'Validation' -> 'Status-Query'
2023-09-15 14:56:39 [622] __cert_status_query-req_id=1060112749
2023-09-15 14:56:39 [419] __cert_ldap_query-req_id=1060112749
2023-09-15 14:56:39 [426] __cert_ldap_query-LDAP query, idx 0
2023-09-15 14:56:39 [448] __cert_ldap_query-UPN = 'Nathan-PC.nat.local'
2023-09-15 14:56:39 [1718] fnbamd_ldap_init-search filter is: (&(dNSHostName=Nathan-PC.nat.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
2023-09-15 14:56:39 [1728] fnbamd_ldap_init-search base is: dc=nat,dc=local
.....
2023-09-15 14:56:39 [1108] __ldap_connect-tcps_connect(10.218.0.11) is established.
2023-09-15 14:56:39 [986] __ldap_rxtx-state 3(Admin Binding)
2023-09-15 14:56:39 [363] __ldap_build_bind_req-Binding to 'nathan'
2023-09-15 14:56:39 [1083] fnbamd_ldap_send-sending 28 bytes to 10.218.0.11
2023-09-15 14:56:39 [1096] fnbamd_ldap_send-Request is sent. ID 1
2023-09-15 14:56:39 [986] __ldap_rxtx-state 4(Admin Bind resp)
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 8
2023-09-15 14:56:39 [1233] fnbamd_ldap_recv-Leftover 2
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 14
2023-09-15 14:56:39 [1306] fnbamd_ldap_recv-Response len: 16, svr: 10.218.0.11
2023-09-15 14:56:39 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2023-09-15 14:56:39 [1023] fnbamd_ldap_parse_response-ret=0
2023-09-15 14:56:39 [1053] __ldap_rxtx-Change state to 'DN search'
2023-09-15 14:56:39 [986] __ldap_rxtx-state 11(DN search)
2023-09-15 14:56:39 [750] fnbamd_ldap_build_dn_search_req-base:'dc=nat,dc=local' filter:(&(dNSHostName=Nathan-PC.nat.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
2023-09-15 14:56:39 [1083] fnbamd_ldap_send-sending 137 bytes to 10.218.0.11
2023-09-15 14:56:39 [1096] fnbamd_ldap_send-Request is sent. ID 2
2023-09-15 14:56:39 [986] __ldap_rxtx-state 12(DN search resp)
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 8
2023-09-15 14:56:39 [1233] fnbamd_ldap_recv-Leftover 2
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 56
2023-09-15 14:56:39 [1306] fnbamd_ldap_recv-Response len: 58, svr: 10.218.0.11
2023-09-15 14:56:39 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
2023-09-15 14:56:39 [1023] fnbamd_ldap_parse_response-ret=0
2023-09-15 14:56:39 [1226] __fnbamd_ldap_dn_entry-Get DN 'CN=NATHAN-PC,CN=Computers,DC=nat,DC=local'
.....
2023-09-15 14:56:39 [649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
2023-09-15 14:56:39 [661] fnbamd_ldap_build_attr_search_req-base:'CN=NATHAN-PC,CN=Computers,DC=nat,DC=local' filter:cn=*
2023-09-15 14:56:39 [1083] fnbamd_ldap_send-sending 117 bytes to 10.218.0.11
2023-09-15 14:56:39 [1096] fnbamd_ldap_send-Request is sent. ID 3
2023-09-15 14:56:39 [986] __ldap_rxtx-state 8(Attr query resp)
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 8
2023-09-15 14:56:39 [1233] fnbamd_ldap_recv-Leftover 2
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 208
2023-09-15 14:56:39 [1306] fnbamd_ldap_recv-Response len: 210, svr: 10.218.0.11
2023-09-15 14:56:39 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:search-entry
2023-09-15 14:56:39 [1023] fnbamd_ldap_parse_response-ret=0
2023-09-15 14:56:39 [556] __get_member_of_groups-Get the memberOf groups.
2023-09-15 14:56:39 [522] __retrieve_group_values-Get the memberOf groups.
2023-09-15 14:56:39 [532] __retrieve_group_values- attr='memberOf', found 1 values
2023-09-15 14:56:39 [542] __retrieve_group_values-val[0]='CN=Computer Group,CN=Users,DC=nat,DC=local'
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 8
2023-09-15 14:56:39 [1233] fnbamd_ldap_recv-Leftover 2
2023-09-15 14:56:39 [1127] __fnbamd_ldap_read-Read 14
2023-09-15 14:56:39 [1306] fnbamd_ldap_recv-Response len: 16, svr: 10.218.0.11
2023-09-15 14:56:39 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:search-result
2023-09-15 14:56:39 [1023] fnbamd_ldap_parse_response-ret=0
2023-09-15 14:56:39 [1306] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
2023-09-15 14:56:39 [1053] __ldap_rxtx-Change state to 'Primary group query'
2023-09-15 14:56:39 [986] __ldap_rxtx-state 13(Primary group query)
2023-09-15 14:56:39 [685] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
2023-09-15 14:56:39 [689] fnbamd_ldap_build_primary_grp_search_req-number of sub auths 5
2023-09-15 14:56:39 [707] fnbamd_ldap_build_primary_grp_search_req-base:'dc=nat,dc=local' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\cc\a1\78\fc\09\c3\f7\81\c5\e3\dd\95\03\02\00\00))
.....
2023-09-15 14:56:39 [377] __cert_ldap_query_cb-LDAP ret=0, server='LDAP_AD', req_id=1060112749
2023-09-15 14:56:39 [388] __cert_ldap_query_cb-Matched peer 'Peer_PKI'
2023-09-15 14:56:39 [755] __ldap_destroy-
2023-09-15 14:56:39 [271] __cert_resume-req_id=1060112749
2023-09-15 14:56:39 [99] __cert_chg_st- 'Status-Query' -> 'Done'
2023-09-15 14:56:39 [919] __cert_done-req_id=1060112749
2023-09-15 14:56:39 [1651] fnbamd_auth_session_done-Session done, id=1060112749
2023-09-15 14:56:39 [964] __fnbamd_cert_auth_run-Exit, req_id=1060112749
2023-09-15 14:56:39 [1642] __auth_cert_session_done-id=1060112749
2023-09-15 14:56:39 [1607] auth_cert_success-id=1060112749
2023-09-15 14:56:39 [1066] fnbamd_cert_auth_copy_cert_status-req_id=1060112749
2023-09-15 14:56:39 [1074] fnbamd_cert_auth_copy_cert_status-Matched peer user 'Peer_PKI'
2023-09-15 14:56:39 [833] fnbamd_cert_check_matched_groups-checking group with name 'Allowed_Computers'
2023-09-15 14:56:39 [121] fnbamd_ldap_dn_match-DN 'CN=Computer Group,CN=Users,DC=nat,DC=local' is matched with 'CN=Computer Group,CN=Users,DC=nat,DC=local', idx=0.
2023-09-15 14:56:39 [895] fnbamd_cert_check_matched_groups-matched
2023-09-15 14:56:39 [1105] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2023-09-15 14:56:39 [1193] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=1060112749
2023-09-15 14:56:39 [209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 1060112749, len=2555
2023-09-15 14:56:39 [1552] destroy_auth_cert_session-id=1060112749
2023-09-15 14:56:39 [1039] fnbamd_cert_auth_uninit-req_id=1060112749
2023-09-15 14:56:39 [755] __ldap_destroy-
2023-09-15 14:56:39 [695:root:16]2023-09-15 14:56:39 [131] fnbamd_peer_ctx_free-Freeing peer ctx 'Peer_PKI'
[fam_cert_proc_resp:1959] Authenticated groups (1) by FNBAM with auth_type (0):
2023-09-15 14:56:39 [1764] fnbamd_ldap_auth_ctx_free-Freeing 'LDAP_AD' ctx
2023-09-15 14:56:39 [695:root:16]fam_cert_proc_resp:1977 found node Allowed_Computers:0:, valid:1, auth:0
2023-09-15 14:56:39 [695:root:16]auth_rsp_data.matched_cert_grps[0] = Allowed_Computers
2023-09-15 14:56:39 [695:root:16]fam_cert_proc_resp:2008 match rule (1), user (Peer_PKI:Allowed_Computers) portal (full-access).
2023-09-15 14:56:39 [695:root:16]peer user 'Peer_PKI' uses LDAP server 'LDAP_AD' for 2FA.
.....
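The lookup that the LDAP configuration sets up and the debug output records can be modelled offline. The following Python is an added example (not FortiGate or Fortinet code): it expands the account-key-filter with the certificate's dNSName SAN using RFC 4515 escaping, applies the same dNSHostName and ACCOUNTDISABLE checks the filter expresses, decodes the objectSid printed in the primary-group query above (its last sub-authority is RID 515, Domain Computers) and reproduces the memberOf plus primary-group evaluation against a constructed in-memory directory. Only that objectSid is taken from the page; the directory entries, the other RIDs and the hostnames other than Nathan-PC.nat.local are assumptions for illustration.

```python
"""Offline model of the computer-certificate group check seen in the fnbamd debug.

Added example, not FortiGate code. The directory below is constructed sample
data; only DEBUG_OBJECTSID is taken from the debug output on the page.
"""
import struct

# account-key-filter from the LDAP server configuration; %s is replaced with the
# dNSName SAN of the client certificate (account-key-upn-san dnsname).
ACCOUNT_KEY_FILTER = "(&(dNSHostName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
UF_ACCOUNTDISABLE = 0x0002             # bit tested by the 1.2.840.113556.1.4.803 bit-AND rule
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # a normal, enabled computer account
REQUIRED_GROUP_DN = "CN=Computer Group,CN=Users,DC=nat,DC=local"

# objectSid from the primary-group query in the debug output:
# \01\05\00\00\00\00\00\05\15\00\00\00\cc\a1\78\fc\09\c3\f7\81\c5\e3\dd\95\03\02\00\00
DEBUG_OBJECTSID = bytes.fromhex(
    "01 05 00 00 00 00 00 05 15 00 00 00 cc a1 78 fc 09 c3 f7 81 c5 e3 dd 95 03 02 00 00")


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(san_dnsname: str) -> str:
    """The filter fnbamd logs as 'search filter is: ...'."""
    return ACCOUNT_KEY_FILTER.replace("%s", ldap_escape(san_dnsname))


def encode_sid(subauths) -> bytes:
    """Binary SID: revision 1, sub-authority count, NT authority (5), LE sub-authorities."""
    return bytes([1, len(subauths)]) + (5).to_bytes(6, "big") + b"".join(
        struct.pack("<I", s) for s in subauths)


def sid_subauths(raw: bytes):
    """Sub-authorities of a binary SID as a tuple; the last one is the RID."""
    return struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])


def decode_sid(raw: bytes) -> str:
    """Binary SID to the familiar S-1-5-21-...-RID string."""
    authority = int.from_bytes(raw[2:8], "big")
    return "S-%d-%d-" % (raw[0], authority) + "-".join(str(s) for s in sid_subauths(raw))


def search_computer(directory, san_dnsname):
    """The DN search: dNSHostName must match and the ACCOUNTDISABLE bit must be clear."""
    for entry in directory:
        if entry.get("dNSHostName", "").lower() == san_dnsname.lower():
            if entry["userAccountControl"] & UF_ACCOUNTDISABLE:
                return None  # disabled computer: the filter returns no DN
            return entry
    return None


def primary_group_dn(directory, computer):
    """memberOf never lists the primary group, so it is resolved by objectSid:
    domain part of the computer's SID + primaryGroupID, i.e. the query logged as
    '(&(objectclass=group)(objectSid=...))'."""
    wanted = encode_sid(sid_subauths(computer["objectSid"])[:-1] + (computer["primaryGroupID"],))
    for entry in directory:
        if entry["objectClass"] == "group" and entry["objectSid"] == wanted:
            return entry["dn"]
    return None


def _norm_dn(dn: str) -> str:
    # Sufficient for the DNs used here (no escaped commas).
    return ",".join(p.strip() for p in dn.split(",")).lower()


def check_computer(directory, san_dnsname, required_group_dn):
    """Return (allowed, reason) the way the user-group match decides it."""
    computer = search_computer(directory, san_dnsname)
    if computer is None:
        return False, "no enabled computer object with dNSHostName=%s" % san_dnsname
    groups = list(computer.get("memberOf", []))
    primary = primary_group_dn(directory, computer)
    if primary:
        groups.append(primary)
    if _norm_dn(required_group_dn) in {_norm_dn(g) for g in groups}:
        return True, "%s matched %s" % (computer["dn"], required_group_dn)
    return False, "%s is not a member of %s" % (computer["dn"], required_group_dn)


# Constructed sample directory: domain SID from DEBUG_OBJECTSID, all other RIDs assumed.
DOMAIN = sid_subauths(DEBUG_OBJECTSID)[:-1]


def _group(cn, rid):
    return {"dn": "CN=%s,CN=Users,DC=nat,DC=local" % cn, "objectClass": "group",
            "objectSid": encode_sid(DOMAIN + (rid,))}


def _computer(cn, dns, uac, rid, member_of):
    return {"dn": "CN=%s,CN=Computers,DC=nat,DC=local" % cn, "objectClass": "computer",
            "dNSHostName": dns, "userAccountControl": uac, "primaryGroupID": 515,
            "objectSid": encode_sid(DOMAIN + (rid,)), "memberOf": member_of}


DIRECTORY = [
    _group("Domain Computers", 515),
    _group("Computer Group", 1106),
    _computer("NATHAN-PC", "Nathan-PC.nat.local", UF_WORKSTATION_TRUST_ACCOUNT, 1105, [REQUIRED_GROUP_DN]),
    _computer("OLD-PC", "Old-PC.nat.local", UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE, 1107,
              [REQUIRED_GROUP_DN]),  # still in the group, but disabled in AD
    _computer("STRAY-PC", "Stray-PC.nat.local", UF_WORKSTATION_TRUST_ACCOUNT, 1108, []),
]

if __name__ == "__main__":
    print(build_filter("Nathan-PC.nat.local"))
    print(decode_sid(DEBUG_OBJECTSID))
    for host in ("Nathan-PC.nat.local", "Old-PC.nat.local", "Stray-PC.nat.local"):
        print(host, check_computer(DIRECTORY, host, REQUIRED_GROUP_DN))
```

OLD-PC shows why the userAccountControl clause matters: it is still a member of "Computer Group", so a filter on dNSHostName alone would let a decommissioned machine with a leftover certificate in. STRAY-PC shows the other direction: it is rejected for "Computer Group" but would be accepted if the FortiGate group-name were set to Domain Computers, because the primary group is matched through the separate objectSid query rather than through memberOf.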
Copyright 2025 Fortinet, Inc. All Rights Reserved.