FortiGate
mle2802
Staff
Article Id 328916
Description

This article describes how to use email-based MFA with certificate authentication for SSL VPN connection.

Scope

FortiGate.
Solution
  1. Create a user with an email-based MFA:

    config user local
        edit test
            set type password
            set two-factor email
            set email-to {user_email_address}
            set passwd {password}
        next
    end

  2. Import the CA certificate that signed the certificate which will be used for the authentication:
    Go to System -> Certificates -> Import -> CA Certificate.

  3. Define the certificate matching criteria:

    config user peer
        edit "test_cert"
            set ca "CA_Cert_1"      <-- It is possible to set up additional certificate matching criteria (for example, subject or principal-name).
        next
    end

  4. Create a binding between the user and the certificate check:

    config vpn ssl settings
        config authentication-rule
            edit 1
                set users "test"
                set portal "full-access"
                set client-cert enable
                set user-peer "test_cert"
            next
        end
    end

  5. Create the firewall policy with only the user defined in step 1 as the allowed user:

    config firewall policy
        edit 1
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "SSLVPN_pool"
            set dstaddr "example.com"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set users "test"
            set nat enable
        next
    end
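The four CLI blocks above only enforce certificate-plus-email MFA when they agree with each other: the authentication rule must have client-cert enabled and reference a user-peer that exists and has a CA, the local user must have two-factor email with an email-to address, and a policy from ssl.root must list that user. The following Python script is an added example (not Fortinet's code) that parses a FortiOS CLI snippet and flags those mismatches. The sample configuration embedded in it is constructed to mirror the steps above; the address user@example.com and the peer name missing_peer are placeholders.

```python
"""Lint a FortiOS CLI snippet for the SSL VPN client-certificate + email-MFA binding."""
import shlex


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts.

    Shape: {table: {entry: {attribute: [values], nested_table: {...}}}}.
    A table with no 'edit' entries (e.g. 'vpn ssl settings') holds attributes directly.
    """
    root = {}
    stack = [("config", root)]  # (kind, dict); kind lets 'end' close an unterminated 'edit'
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()  # drop inline '<--' annotations used in KB articles
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(("config", stack[-1][1].setdefault(" ".join(args), {})))
        elif keyword == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif keyword == "set":
            stack[-1][1][args[0]] = args[1:]
        elif keyword == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif keyword == "end":
            while len(stack) > 1 and stack[-1][0] == "edit":  # tolerate a missing 'next'
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root


def lint_sslvpn_cert_mfa(cfg):
    """Return findings (empty list = consistent) for the cert + email-MFA binding."""
    users = cfg.get("user local", {})
    peers = cfg.get("user peer", {})
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    policies = cfg.get("firewall policy", {})
    findings = [] if rules else ["no SSL VPN authentication-rule defined"]
    for rule_id, rule in rules.items():
        where = f"authentication-rule {rule_id}"
        if rule.get("client-cert", ["disable"])[0] != "enable":
            findings.append(f"{where}: client-cert disabled, user-peer is never evaluated")
        peer = rule.get("user-peer", [None])[0]
        if peer is None:
            findings.append(f"{where}: no user-peer bound, no CA match is enforced")
        elif not peers.get(peer, {}).get("ca"):
            findings.append(f"{where}: user-peer '{peer}' missing or has no CA")
        for name in rule.get("users", []):
            user = users.get(name)
            if user is None:
                findings.append(f"{where}: '{name}' is not a local user")
                continue
            if user.get("two-factor", ["disable"])[0] != "email":
                findings.append(f"{where}: '{name}' lacks email two-factor")
            elif not user.get("email-to"):
                findings.append(f"{where}: '{name}' has no email-to address")
            if not any(name in p.get("users", []) for p in policies.values()
                       if "ssl.root" in p.get("srcintf", [])):
                findings.append(f"{where}: '{name}' allowed by no policy from ssl.root")
    return findings


# Constructed sample mirroring the article's steps; the e-mail address is a placeholder.
GOOD_CONFIG = """
config user local
    edit "test"
        set type password
        set two-factor email
        set email-to "user@example.com"
    next
end
config user peer
    edit "test_cert"
        set ca "CA_Cert_1"      <-- additional matching criteria could go here
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set users "test"
            set client-cert enable
            set user-peer "test_cert"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set action accept
        set users "test"
    next
end
"""

# Same snippet with three common mistakes introduced (constructed, 'missing_peer' is a placeholder).
BAD_CONFIG = (GOOD_CONFIG
              .replace("set client-cert enable", "set client-cert disable")
              .replace('set user-peer "test_cert"', 'set user-peer "missing_peer"')
              .replace("set two-factor email", "set two-factor disable"))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_sslvpn_cert_mfa(parse_fortios(cfg)) or "OK")
```

Run it against the output of `show user local`, `show user peer`, `show vpn ssl settings` and `show firewall policy` pasted into one file; any finding means a client could authenticate with only one of the two factors, or not at all.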