This article provides supplementary notes to avoid avoidable problems when configuring an SSL VPN that requires users to authenticate with a certificate whose identity is checked against the LDAP UserPrincipalName.
FortiOS v6.4, v7.0, v7.2.
1) Do not configure 'client-certificate' and 'user-peer'.
As illustrated in the FortiOS Administration Guide (VPN -> SSL VPN -> SSL VPN with LDAP-integrated certificate authentication -> Sample configuration -> To configure SSL VPN using the CLI: > 6. Configure SSL VPN settings), it is not necessary to configure the settings marked (a) and (b) below.
If they are configured, this SSL VPN scenario does not work as expected.
# config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "xxx"
            set portal "xxx"
            set client-cert enable    <- (a)
            set user-peer "xxx"       <- (b)
        next
    end
end
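Because the two settings above are easy to leave behind in an existing configuration, the following script audits a FortiOS configuration backup (the text produced by a config backup or 'show vpn ssl settings') and reports every authentication-rule entry that still carries 'set client-cert enable' or 'set user-peer'. This is an added example, not Fortinet code; the sample configuration text, the group, portal and peer names, and the function names are constructed for illustration.

```python
"""
Audit a FortiOS configuration dump for SSL VPN authentication-rule entries
that set 'client-cert enable' or 'user-peer'. In the LDAP-integrated
certificate authentication scenario these two settings must be absent.

Added example (not Fortinet code). SAMPLE_CONFIG below is constructed:
rule 1 carries both offending settings, rule 2 is clean.
"""

# Constructed configuration text in the FortiOS CLI backup layout.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    config authentication-rule
        edit 1
            set groups "ldap-cert-group"
            set portal "full-access"
            set client-cert enable
            set user-peer "ldap-peer"
        next
        edit 2
            set groups "other-group"
            set portal "web-access"
        next
    end
end
"""

# The scope in which the two settings are a problem for this scenario.
RULE_SCOPE = ("config vpn ssl settings", "config authentication-rule")


def parse_set_lines(config_text):
    """Yield (scope_path, key, value) for every 'set' line.

    scope_path is the tuple of enclosing 'config ...' / 'edit ...' lines.
    FortiOS config nesting is: 'config X' ... 'end' and 'edit N' ... 'next',
    so a simple stack reconstructs the scope of each 'set'.
    """
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config ") or line.startswith("edit "):
            stack.append(line)
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            parts = line.split(None, 2)
            key = parts[1]
            value = parts[2].strip('"') if len(parts) > 2 else ""
            yield tuple(stack), key, value


def find_offending_rules(config_text):
    """Return {rule_id: [offending 'set' lines]} for authentication-rule
    entries under 'config vpn ssl settings' that enable client-cert or
    set user-peer. An empty dict means the configuration is clean."""
    findings = {}
    for path, key, value in parse_set_lines(config_text):
        if len(path) != 3 or path[:2] != RULE_SCOPE:
            continue
        if not path[2].startswith("edit "):
            continue
        rule_id = path[2].split(None, 1)[1].strip('"')
        if key == "client-cert" and value == "enable":
            findings.setdefault(rule_id, []).append("set client-cert enable")
        elif key == "user-peer":
            findings.setdefault(rule_id, []).append(f'set user-peer "{value}"')
    return findings


def is_clean(config_text):
    """True when no authentication-rule entry carries the two settings."""
    return not find_offending_rules(config_text)


if __name__ == "__main__":
    # Run against the constructed sample; replace SAMPLE_CONFIG with the
    # contents of a real backup file to audit a unit.
    result = find_offending_rules(SAMPLE_CONFIG)
    if not result:
        print("OK: no authentication-rule sets client-cert enable or user-peer")
    for rule_id, lines in result.items():
        print(f"authentication-rule edit {rule_id}: remove " + ", ".join(lines))
```

To audit a real unit, read the backup file into a string and pass it to find_offending_rules; each reported rule id corresponds to the 'edit N' entry whose 'set client-cert' and 'set user-peer' lines should be removed (or reset with 'unset').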
2) Disable 'Authentication' on FortiClient.
This is not stated in the FortiOS Administration Guide (VPN -> SSL VPN -> SSL VPN with LDAP-integrated certificate authentication -> Sample configuration -> To see the results of tunnel connection: > 3. Add a new connection), but, as stated in the FortiClient Administration Guide (Remote Access -> Configuring VPN connections -> Configuring an SSL VPN connection), 'Authentication' must be disabled on the FortiClient connection because no account/password is used in this scenario.
Related documents:
https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/751987/ssl-vpn-with-ldap-int...
Copyright 2024 Fortinet, Inc. All Rights Reserved.