Description |
This article describes how to configure SSL-VPN to work with both computer and user certificates. |
Scope | FortiGate. |
Solution |
This guide provides the SSL-VPN configuration needed to match both user and computer certificates.
Refer to the cookbook 'SSLVPN with LDAP-integrated certificate authentication' for the detailed setup.
FortiGate LDAP matches the certificate based on its SAN and, at the time of writing, only supports the UPN name. This works for user certificates because the LDAP user object contains a UPN attribute.
Computer objects in LDAP do not carry a UPN attribute, so to match both user and machine certificates it is necessary to use sAMAccountName as the matching attribute. This is configured under 'config user ldap' with an account-key-filter, as in the example below:
# config user ldap
    edit "ldap-AD"
        set server "172.18.60.206"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=admin,ou=testing,dc=fortinet-fsso,dc=com"
        set password ldap-server-password
        set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end
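The following Python example is added here to show what the account-key-filter above actually does; it is not from the Fortinet article and does not run on a FortiGate. It derives the lookup key from a certificate's SAN principal name, escapes it for an LDAP filter, builds the exact filter string from the configuration, and evaluates that filter's logic against a small constructed set of AD-style entries so the effect of the UserAccountControl bitwise clause (rejecting disabled accounts) is visible. Assumptions are labelled in the code: the key is the principal with its domain suffix stripped, the machine certificate carries a principal whose left-hand part equals the computer's sAMAccountName, and the DNs, names and flag values are sample data.

```python
# Added example (not from the Fortinet article): models what the article's
# account-key-filter does so the effect of each clause can be checked offline.
# Assumptions: the lookup key is the principal name from the certificate SAN
# with its domain suffix stripped, and the machine certificate carries a
# principal whose left-hand part equals the computer's sAMAccountName.
# All directory entries below are constructed sample data.

# ADS_UF_ACCOUNTDISABLE bit of UserAccountControl; the OID
# 1.2.840.113556.1.4.803 in the filter is AD's bitwise-AND matching rule.
UF_ACCOUNTDISABLE = 0x2

# Filter exactly as set under 'config user ldap' in the article; FortiOS
# substitutes %s with the key taken from the certificate.
FILTER_TEMPLATE = (
    "(&(sAMAccountName=%s)"
    "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515), so a
    principal containing filter metacharacters cannot alter the
    filter structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def account_key(principal: str) -> str:
    """Derive the sAMAccountName lookup key: strip everything from '@'."""
    return principal.split("@", 1)[0]


def build_filter(principal: str) -> str:
    """Produce the LDAP filter the directory would actually receive."""
    return FILTER_TEMPLATE.replace("%s", ldap_escape(account_key(principal)))


def matches(entry: dict, principal: str) -> bool:
    """Evaluate the filter's logic against one entry, mirroring AD:
    sAMAccountName compares case-insensitively and the bitwise clause
    is true when (UserAccountControl & 2) != 0, which the '!' negates."""
    same_name = entry["sAMAccountName"].lower() == account_key(principal).lower()
    disabled = (entry["UserAccountControl"] & UF_ACCOUNTDISABLE) != 0
    return same_name and not disabled


# Constructed sample directory: an enabled user (NORMAL_ACCOUNT), a disabled
# user (NORMAL_ACCOUNT | ACCOUNTDISABLE) and a workstation trust account.
DIRECTORY = [
    {"dn": "CN=alice,OU=testing,DC=fortinet-fsso,DC=com",
     "sAMAccountName": "alice", "UserAccountControl": 0x200},
    {"dn": "CN=bob,OU=testing,DC=fortinet-fsso,DC=com",
     "sAMAccountName": "bob", "UserAccountControl": 0x202},
    {"dn": "CN=WS01,OU=testing,DC=fortinet-fsso,DC=com",
     "sAMAccountName": "WS01$", "UserAccountControl": 0x1000},
]


def lookup(principal: str) -> list:
    """Return the DNs the filter would select for a given principal."""
    return [e["dn"] for e in DIRECTORY if matches(e, principal)]


if __name__ == "__main__":
    for p in ("alice@fortinet-fsso.com", "bob@fortinet-fsso.com",
              "WS01$@fortinet-fsso.com", "a*)(objectClass=*@fortinet-fsso.com"):
        print(build_filter(p), "->", lookup(p))
```

Running it shows the enabled user and the computer account both resolve through sAMAccountName, the disabled user resolves to nothing because of the bitwise clause, and a principal containing `*`, `(` or `)` is neutralised by escaping rather than changing the filter.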
Copyright 2023 Fortinet, Inc. All Rights Reserved.