| Description | This article describes that the SSL VPN client certificate authentication prompt will appear for all the groups even if it is enabled for a single group. |
| FortiGate v6. x.x and v7. x.x. | |
| Solution |
If the client certificate authentication is disabled in the SSL VPN at a global level but is enabled at the group level then all groups will get a certificate request prompt. Only the group(s) for which the client-cert option is enabled, needs to provide the certificate. All other groups can ignore the certificate request prompt.
Enabling group-level cert authentication will include an additional step for the client certificate request. This is an expected behavior.
Example:
User Test1 belongs to Group1. When it tries to log in to the SSL VPN from web/FortiClient, the client certificate request prompt will appear. This happens because the client-cert option is enabled for the Guest-group. To proceed, Test1 can cancel the prompt.
[10937:root:5]allocSSLConn:310 sconn 0x54a01c00 (0:root) [10937:root:5]SSL state:before SSL initialization (174.116.119.145) [10937:root:5]SSL state:fatal decode error (174.116.119.145) [10937:root:5]SSL state:error:(null)(174.116.119.145) [10937:root:5]SSL_accept failed, 1:unexpected eof while reading [10937:root:5]Destroy sconn 0x54a01c00, connSize=0. (root) [10938:root:5]allocSSLConn:310 sconn 0x54a01c00 (0:root) [10938:root:5]SSL state:before SSL initialization (174.116.119.145) [10938:root:5]SSL state:before SSL initialization (174.116.119.145) [10938:root:5]no SNI received [10938:root:0]sslvpn_test_auth_cert_rule:159 vd_src_intf_matched: 1, match_realm: 0, vhost-only: 0. [10938:root:5]client cert requirement: yes [10938:root:5]SSL state:SSLv3/TLS read client hello (174.116.119.145)
For a scenario with mixed authentication with and without certificate requirements, make sure to configure the realm. Refer to Technical Tip: Combining remote user authentication and client certificates in SSL VPN. |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: SSL VPN client certificate group le...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.