Article Id 243806
Description

This article provides supplementary guidance to avoid an unnecessary problem when configuring SSL VPN that requires users to authenticate with a certificate that is checked against the LDAP UserPrincipalName.

Scope

FortiOS v6.4, v7.0, v7.2, v7.4.

Solution

  1. Certain options control certificate enforcement during authentication:

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "<entry of 'config user group'>"
            set portal "<entry of 'config vpn ssl web portal'>"
            set client-cert enable
            set user-peer "<entry of 'config user peer'>"
        next
    end
end

Or, as an alternative to the 'set user-peer' line:

            set auth peer


The default FortiGate behavior is that if the certificate is seen as invalid, FortiGate continues with user authentication and group matching anyway. The debug log entry for that case is, for example:

certificate check failed. Recheck without peer user matching.

Note:

  • The 'user-peer' setting enforces certificate verification, so authentication does not skip ahead to LDAP credential verification.
  • The 'auth' setting acts as a filter: only authentication from the selected source is accepted, so 'peer' allows only authentication matched against the peer.
    If the group mixes peer and remote sources (a 'config match' against a remote server), the authentication will not succeed. Debug output will not show the effect of the 'auth' setting.


  2. Disable 'Authentication' on FortiClient.

This is not stated in the FortiOS Administration Guide (VPN -> SSL VPN -> SSL VPN with LDAP-integrated certificate authentication -> Sample configuration -> To see the results of tunnel connection: 3. Add a new connection), but as stated in the FortiClient Administration Guide (Remote Access -> Configuring VPN connections -> Configuring an SSL VPN connection), it is necessary to disable 'Authentication' since a username and password are not needed in this scenario. With the 'set auth peer' setting described above, the credentials are ignored even if the user has entered them.


Debugging is best done with these commands:

diagnose debug console timestamp enable
diagnose debug app fnbamd -1
diagnose debug app sslvpnd -1
diagnose debug enable

fnbamd handles the certificate verification; sslvpnd sends the request to fnbamd and processes the result it returns.
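As an added example (not part of this article and not a Fortinet tool), the following Python script scans captured fnbamd/sslvpnd debug output for the fallback message quoted above and reports which sessions proceeded past a failed certificate check. The sample debug lines, and the "timestamp [daemon] message" layout they use, are constructed for the example; the real console output may be laid out differently, so adjust LINE_RE to what you actually capture. Once 'set user-peer' (or 'set auth peer') is in place, an empty result is the expected outcome.

```python
"""Scan FortiGate 'diagnose debug app fnbamd/sslvpnd' output for sessions
that fell back past a failed certificate check.

Added example; the sample debug lines below are constructed, not real output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The message quoted in the article: FortiGate prints it when the client
# certificate fails verification and authentication continues regardless.
FALLBACK_MSG = "certificate check failed. Recheck without peer user matching."

# Constructed sample, assuming 'diagnose debug console timestamp enable'
# prefixes each line with "YYYY-MM-DD HH:MM:SS" and that the daemon name is
# shown in brackets.  This layout is an assumption for the example only.
SAMPLE_DEBUG = """\
2024-05-01 10:00:01 [sslvpnd] user=alice@example.com client-cert present
2024-05-01 10:00:01 [fnbamd] cert verify: issuer not trusted
2024-05-01 10:00:01 [fnbamd] certificate check failed. Recheck without peer user matching.
2024-05-01 10:00:02 [sslvpnd] user=alice@example.com auth ok via ldap
2024-05-01 10:05:30 [sslvpnd] user=bob@example.com client-cert present
2024-05-01 10:05:30 [fnbamd] cert verify: ok, peer user matched
2024-05-01 10:05:30 [sslvpnd] user=bob@example.com auth ok via peer
"""

# Constructed sample of what the same traffic looks like once 'user-peer'
# enforcement is active: the invalid certificate is rejected outright.
SAMPLE_ENFORCED = """\
2024-05-01 11:00:01 [sslvpnd] user=alice@example.com client-cert present
2024-05-01 11:00:01 [fnbamd] cert verify: issuer not trusted
2024-05-01 11:00:01 [sslvpnd] user=alice@example.com auth failed
2024-05-01 11:05:30 [sslvpnd] user=bob@example.com client-cert present
2024-05-01 11:05:30 [fnbamd] cert verify: ok, peer user matched
2024-05-01 11:05:30 [sslvpnd] user=bob@example.com auth ok via peer
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<daemon>\w+)\] (?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser=(?P<user>\S+)")


@dataclass
class FallbackEvent:
    timestamp: str
    user: str      # last user named by sslvpnd before the fallback, or "unknown"
    message: str


def find_fallbacks(debug_output: str) -> list[FallbackEvent]:
    """Return one event per fallback message, attributed to the most recent
    user that sslvpnd named before it (the two daemons interleave their lines)."""
    events: list[FallbackEvent] = []
    last_user = "unknown"
    for raw in debug_output.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        msg = m["msg"]
        u = USER_RE.search(msg)
        if u:
            last_user = u["user"]
        if FALLBACK_MSG in msg:
            events.append(FallbackEvent(m["ts"], last_user, msg))
    return events


def enforcement_in_effect(debug_output: str) -> bool:
    """True when no session fell back past a failed certificate check, which is
    what you expect once 'set user-peer' or 'set auth peer' is configured."""
    return not find_fallbacks(debug_output)


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEBUG), ("enforced", SAMPLE_ENFORCED)):
        print(f"{label}: enforcement_in_effect={enforcement_in_effect(sample)}")
        for ev in find_fallbacks(sample):
            print(f"  {ev.timestamp} fallback for user={ev.user}")
```

Feed the script the text you saved from the debug session (for instance, redirect it into a file and read it in place of SAMPLE_DEBUG); any event it reports identifies a login that reached LDAP credential checking despite an invalid certificate, which is exactly the behavior the 'user-peer' setting is meant to remove.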

Related documents:
SSL VPN with LDAP-integrated certificate authentication
Configuring an SSL VPN connection
Alternatives to UserPrincipalName in the certificate (v7.2 and later)