FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Mono_FTNT
Staff
Staff
Article Id 243806
Description

 

This article describes a supplementary explanation to prevent an unnecessary problem for configuring SSL VPN that requires users to authenticate using a certificate with LDAP UserPrincipalName checking.

 

Scope

 

FortiOS v6.4, v7.0, v7.2.

 

Solution

 

1) Do not configure 'client-certificate' and 'user-peer'.

 

As illustrated in FortiOS Administration Guide (VPN -> SSL VPN -> SSL VPN with LDAP-integrated certificate authentication -> Sample configuration -> To configure SSL VPN using the CLI: > 6. Configure SSL VPN settings), it is not necessary to configure the following (a) and (b).
If configuring it, this SSL VPN scenario does not work as expected.

 

# config vpn ssl settings
config authentication-rule
    edit 1
        set groups “xxx"
        set portal “xxx"
        set client-cert enable <- (a).
        set user-peer “xxx" <- (b).

    next
end
end

 

2) Disable 'Authentication' on FortiClient.

 

This is not stated in the FortiOS Administration Guide (VPN -> SSL VPN -> SSL VPN with LDAP-integrated certificate authentication -> Sample configuration -> To see the results of tunnel connection: > 3. Add a new connection), but as stated in FortiClient Administration Guide (Remote Access -> Configuring VPN connections -> Configuring an SSL VPN connection), it is necessary to disable 'Authentication' since account/password is not needed in this scenario.

 

Related documents:
https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/751987/ssl-vpn-with-ldap-int...

https://docs.fortinet.com/document/forticlient/7.0.7/administration-guide/205286/configuring-an-ssl-...