FortiGate
simonz_FTNT
Staff
Article Id 213391
Description

This article describes how to configure SSL VPN to work with a computer and user certificate.

Scope

FortiGate.
Solution

This guide covers the SSL VPN configuration needed to match both user and computer certificates.

Refer to the cookbook on SSL VPN with LDAP-integrated certificate authentication for the detailed setup.

FortiGate LDAP matches a certificate based on its SAN. At the time of writing, only the UPN in the SAN is supported, which works for user certificates because the LDAP user object contains a UPN attribute.


The LDAP computer object does not contain a UPN, so to match both user and machine certificates it is necessary to use sAMAccountName as the matching attribute.

This is configured under 'config user ldap', as in the following example:

config user ldap
    edit "ldap-AD"
        set server "172.18.60.206"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=admin,ou=testing,dc=fortinet-fsso,dc=com"
        set password ldap-server-password
        set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end
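To make the behaviour of that account-key-filter concrete, the following Python script is an added example (not FortiGate code and not from the article) that evaluates the filter's two conditions locally against a constructed set of AD-style objects: a user, a disabled user, and a computer object that has no userPrincipalName. It shows why matching on UPN alone cannot select a computer object while sAMAccountName selects both, and why the `UserAccountControl:1.2.840.113556.1.4.803:=2` clause (the LDAP bit-AND matching rule against the ACCOUNTDISABLE bit) keeps disabled accounts from being matched. The sample entries, the `%s` substitution and the RFC 4515 escaping of the substituted value are the script's own assumptions; how the FortiGate derives the key from the certificate is not modelled beyond stripping the domain from a UPN.

```python
"""Local simulation of the article's account-key-filter (constructed example, not FortiGate code)."""
from __future__ import annotations

ACCOUNTDISABLE = 0x2  # userAccountControl bit that the filter's bit-AND clause tests

FILTER_TEMPLATE = "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample directory entries; values are not from any real domain.
DIRECTORY = [
    {"dn": "cn=jdoe,ou=testing,dc=fortinet-fsso,dc=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@fortinet-fsso.com",
     "userAccountControl": 512},    # NORMAL_ACCOUNT, enabled
    {"dn": "cn=asmith,ou=testing,dc=fortinet-fsso,dc=com",
     "sAMAccountName": "asmith", "userPrincipalName": "asmith@fortinet-fsso.com",
     "userAccountControl": 514},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"dn": "cn=WS01,ou=testing,dc=fortinet-fsso,dc=com",
     "sAMAccountName": "WS01$",     # computer objects carry no userPrincipalName
     "userAccountControl": 4096},   # WORKSTATION_TRUST_ACCOUNT
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a value taken from a certificate cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(account_key: str) -> str:
    """Substitute the account key into the article's filter template (the %s slot)."""
    return FILTER_TEMPLATE % escape_filter_value(account_key)


def account_key_from_upn(upn: str) -> str:
    """Assumption for this example: a user certificate's UPN is reduced to the part before '@'."""
    return upn.split("@", 1)[0]


def matches_account_key_filter(entry: dict, account_key: str) -> bool:
    """Evaluate both clauses of the filter against one entry (AD compares names case-insensitively)."""
    if entry.get("sAMAccountName", "").lower() != account_key.lower():
        return False
    # The bit-AND rule with value 2 is true for disabled accounts; the filter negates it.
    return (entry["userAccountControl"] & ACCOUNTDISABLE) == 0


def lookup_by_account_key(account_key: str) -> str | None:
    """DN of the single object the sAMAccountName filter selects, or None."""
    hits = [e["dn"] for e in DIRECTORY if matches_account_key_filter(e, account_key)]
    return hits[0] if len(hits) == 1 else None


def lookup_by_upn(upn: str) -> str | None:
    """What UPN-only matching would find: works for users, finds nothing for computer objects."""
    hits = [e["dn"] for e in DIRECTORY
            if e.get("userPrincipalName", "").lower() == upn.lower()
            and (e["userAccountControl"] & ACCOUNTDISABLE) == 0]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for key in ("jdoe", "asmith", "WS01$"):
        print(build_filter(key), "->", lookup_by_account_key(key))
    print("UPN lookup for computer:", lookup_by_upn("WS01$@fortinet-fsso.com"))
```

Running the script prints the expanded filter for each key: the enabled user and the computer object resolve to a DN, the disabled user resolves to nothing, and the UPN-based lookup for the computer object returns nothing because that object has no UPN to match.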