FortiGate
amrit
Staff & Editor
Article Id 286188
Description This article explains why the SSL VPN client certificate prompt appears for all user groups when client certificate authentication is enabled for only one group.
Scope FortiGate v6.x.x and v7.x.x.
Solution

If client certificate authentication is disabled at the global SSL VPN level (reqclientcert) but enabled on the authentication rule of one or more groups (the client-cert option), every SSL VPN client receives a certificate request, not only the members of those groups. The request is sent during the TLS handshake, before the user has entered a username, so at that point the FortiGate cannot know which group, and therefore which authentication rule, the connection will match. Only the group(s) whose rule has client-cert enabled must present a certificate; users in the other groups can dismiss the prompt and continue with their normal credentials.

Enabling certificate authentication at the group level therefore adds a certificate-request step to the handshake of every connection on that interface and realm.

This is expected behavior.

 

Example:

(Screenshot: Capture1.JPG)

User Test1 belongs to Group1. When Test1 logs in to the SSL VPN from the web portal or FortiClient, the client certificate request prompt appears, because the client-cert option is enabled for Guest-group, even though Test1 is in Group1 and that group's rule does not require a certificate. To proceed, Test1 can cancel the prompt and authenticate with the usual credentials.

SSL VPN daemon debug output (diagnose debug application sslvpn -1) for the same attempt. The first session (10937) fails early in the handshake. The second session (10938) shows the certificate rule being evaluated before any credentials are seen ("client cert requirement: yes"), the FortiGate sending the certificate request, and the client closing the connection after the prompt is cancelled ("unexpected eof while reading"):

[10937:root:5]allocSSLConn:310 sconn 0x54a01c00 (0:root)
[10937:root:5]SSL state:before SSL initialization (174.116.119.145)
[10937:root:5]SSL state:fatal decode error (174.116.119.145)
[10937:root:5]SSL state:error:(null)(174.116.119.145)
[10937:root:5]SSL_accept failed, 1:unexpected eof while reading
[10937:root:5]Destroy sconn 0x54a01c00, connSize=0. (root)
[10938:root:5]allocSSLConn:310 sconn 0x54a01c00 (0:root)
[10938:root:5]SSL state:before SSL initialization (174.116.119.145)
[10938:root:5]SSL state:before SSL initialization (174.116.119.145)
[10938:root:5]no SNI received
[10938:root:0]sslvpn_test_auth_cert_rule:159 vd_src_intf_matched: 1, match_realm: 0, vhost-only: 0.
[10938:root:5]client cert requirement: yes
[10938:root:5]SSL state:SSLv3/TLS read client hello (174.116.119.145)
[10938:root:5]SSL state:SSLv3/TLS write server hello (174.116.119.145)
[10938:root:5]SSL state:SSLv3/TLS write certificate (174.116.119.145)
[10938:root:5]SSL state:SSLv3/TLS write key exchange (174.116.119.145)
[10938:root:5]SSL state:SSLv3/TLS write certificate request (174.116.119.145)
[10938:root:5]SSL state:SSLv3/TLS write server done (174.116.119.145)
[10938:root:5]SSL state:SSLv3/TLS write server done:(null)(174.116.119.145)
[10938:root:5]SSL state:fatal decode error (174.116.119.145)
[10938:root:5]SSL state:error:(null)(174.116.119.145)
[10938:root:5]SSL_accept failed, 1:unexpected eof while reading
[10938:root:5]Destroy sconn 0x54a01c00, connSize=0. (root)
[10939:root:5]allocSSLConn:310 sconn 0x54a01c00 (0:root)
[10939:root:5]SSL state:before SSL initialization (174.116.119.145)
[10939:root:5]SSL state:before SSL initialization (174.116.119.145)
[10939:root:5]no SNI received
[10939:root:5]client cert requirement: yes

Note that the certificate rule is tested against the source interface and realm of the connection (vd_src_intf_matched, match_realm), not against the user, because no user is known yet at this stage.

 

In a deployment that mixes groups with and without a certificate requirement, put the certificate-requiring groups in their own SSL VPN realm so that the certificate request is only sent for connections to that realm. Refer to Technical Tip: Combining remote user authentication and client certificates in SSL VPN.
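The following CLI fragment is an added example, not configuration from the original article. The first layout reproduces the behavior described above (certificates disabled globally, enabled on one group's rule, both rules in the default realm); the second moves the certificate-requiring group into its own realm so that only connections to that realm receive the certificate request. The group names Guest-group and Group1, the realm path "certauth", the portal names and the interface name wan1 are assumptions for illustration.

```fortios
# Added example (not from the original article). Group, portal, realm and
# interface names are assumptions.

# --- Layout 1: certificate prompt is sent to every client ---------------
config vpn ssl settings
    set reqclientcert disable
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set client-cert enable
        next
        edit 2
            set groups "Group1"
            set portal "full-access"
        next
    end
end
# Both rules share the default realm, so the certificate rule matches on
# interface/realm alone and every handshake on wan1 carries a certificate
# request. Group1 users see the prompt even though rule 2 never checks one.

# --- Layout 2: confine the certificate requirement to its own realm -------
config vpn ssl web realm
    edit "certauth"
    next
end
config vpn ssl settings
    set reqclientcert disable
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set realm "certauth"
            set client-cert enable
        next
        edit 2
            set groups "Group1"
            set portal "full-access"
        next
    end
end
# Guest-group users connect to https://<vpn-address>:<port>/certauth (or set
# the realm in the FortiClient connection profile); Group1 users connect to
# the default URL and no certificate request is sent to them.
```

To confirm which layout is in effect, run diagnose debug application sslvpn -1 followed by diagnose debug enable, connect once as a user from each group, and look for the "client cert requirement: yes" line: with the first layout it appears for every connection, with the second only for connections to /certauth. Run diagnose debug disable afterwards. One check worth doing before relying on this: a user who is a member of both Guest-group and a group covered by a rule without client-cert can match the no-certificate rule, so keep the certificate-requiring users out of groups that appear in rules without client-cert.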

 

Note:

FortiOS 7.6.3 release notes: Starting from FortiOS v7.6.3, the SSL VPN tunnel mode will no longer be....