Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zoriax
Contributor

FortiAuthenticator SSL Certificate and VPN Machine

Hi everyone!

 

I need your help. I'm a bit confused about how to correctly configure FortiAuthenticator to validate SSL VPN connections with machine (computer) SSL certificates.

 

I tried a lot of options but nothing works, so I'm sure someone can help me :)

 

The workflow is this one:

- Computer is AD-joined with a valid CA certificate, for example: pc1.mydomain.local

- FortiAuth is correctly configured and I can sync my computer.

- I configured RADIUS with "Windows AD computer authentication"

 

Now, what are the correct options to tell FortiGate to use the computer certificate to validate the connection (if it's possible)?


Thanks

zoriax
Contributor

I'm sure it's possible to "login" with a computer certificate to FortiGate SSL VPN, but how can I do that with FortiAuthenticator?

I can't find any documentation about how to configure the devices to do that.

pminarik
Staff

When authenticating to SSL-VPN with a certificate, the certificate validation is always done by the FortiGate itself. It is never delegated to any other device (not even the FortiAuthenticator).

 

EAP-TLS (wifi WPA-Enterprise, switch dot1x, or IKEv2-EAP) would be a very specific exception, but it is not relevant here, since SSL-VPN does not support EAP.

 

So you should be able to make this work with "the usual" setup. The basic barebones configuration would consist of:

 

1. Import the CA chain which issues the machine certificates in your domain (presumably the Enterprise PKI root CA cert): System > Certificates > Import > CA

 

2. Create a "peer user" to match this CA:

 

config user peer
    edit "my_domain_peers"
        set ca "<the CA you imported in step 1>"
        # the next two lines are optional, to further restrict which certificates can match this peer object
        # set subject "some specific subject"
        # set cn "some specific CN"
    next
end

 


3. Place the peer in a user group:

 

config user group
    edit "my_certificate_group"
        set member "my_domain_peers"
    next
end

 

 

4. You can now use this "user group" in your VPN portal mappings and firewall policies for SSL-VPN.

 

The result should be that clients authenticating purely with the matching certificate will be allowed to connect.

 

As a side-note: Be aware that regular users by default do not have access to the key of a machine certificate, which will prevent them from using it to authenticate to SSL-VPN.

 

You can work around this by giving regular users the permission to read the machine cert's private key in the OS itself, or you can use FortiClient's XML option `<allow_standard_user_use_system_cert>` (doc reference)

 

Addendum: While the above is my "retelling of the story", there is also an official document on how to set up the same baseline configuration, available here. (My only comment on that would be that the lines `set two-factor enable` and `set password ...` are optional.)

[ corrections always welcome ]
zoriax
Contributor

Hello,

 

Ok, it's what I have done on my FortiGate. Just one question: can I use two different server certificates?

 

What I wanted is to use a "public" certificate for my users (without client certificate) and a domain certificate for my computers (with client certificate).

pminarik

Hi,

 

The FortiGate itself can only use one certificate to identify itself as the VPN server. This is the "Server Certificate" selected in the general "SSL-VPN Settings" section.

 

The connecting clients can use certificates issued by different CAs with no issue. You simply need to re-do the same steps (import the second CA, create peer-object for it, add it to a new group or to the same group) for each new CA/peer.

 

If you're planning to let some users connect without a certificate (this is how I understood your reply), be aware that if using the browser to connect to the web-mode SSL-VPN, you may be prompted by the browser to select a certificate for authentication. If you are planning to authenticate as the user permitted to log in without a certificate, you should be able to simply ignore this prompt and then proceed to successfully authenticate with just username+password.

[ corrections always welcome ]
zoriax
Contributor

Ok, so according to the documentation and your reply, I must set the option

 

set reqclientcert enable

 

This information is missing in the Fortinet doc... And in authentication-rule, should I set

 

config authentication-rule
    edit 2
        set groups "TEST"
        set portal "WEB"
        set client-cert enable
    next
end

 

With these options my FortiClient prompts a warning message and tells me that the server requires a certificate (and my certificate is selected)... I don't understand where the error is.

 

Thanks

 

pminarik

This is not necessarily correct. Let me clarify:

 

`set reqclientcert enable`: This enforces a requirement for all clients (no exceptions!) to present a trusted certificate when connecting to SSL-VPN. You do not need to enable this.

 

`set client-cert enable`: This is similar to the option above, but the requirement is narrowed down to the group specified in the portal mapping rule. If a user is matched to this group during authentication, and if they did not provide a valid certificate, they will be rejected.

This can be further improved by specifying `set user-peer <peer-object>` to declare that "this group must provide a certificate that matches this specific peer".

 

If you specify the setup as I have outlined - using the group with a peer-member in the portal mapping directly (`set groups "my_certificate_group"`, referring back to the example object I described in my first reply) - then in this case you do not need to enable any option to require a certificate (reqclientcert, or client-cert). The mechanism is triggered automatically, and incoming connections will be asked for a certificate.

 

You can have a mixture of "certificate only", "certificate + username+password", and "username+password-only" working at the same time, the only trick is setting the configuration correctly to align with the desired flow.

[ corrections always welcome ]
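The three flows described above (certificate only, certificate plus username/password, username/password only), combined with the peer and group objects from the earlier reply into one FortiOS CLI layout. This is an added example, not pminarik's or Fortinet's own configuration; the CA name, RADIUS server address, shared secret, local account and portal assignments are assumptions.

```fortios
# Added example: one FortiOS CLI layout for the three SSL-VPN flows discussed
# in the thread. CA name, RADIUS address, secret and local password are placeholders.
config user peer
    edit "my_domain_peers"
        set ca "CA_Cert_1"          # assumed name of the imported enterprise CA
        # set cn "..."              # optional, narrows which certificates match
    next
end
config user radius
    edit "FAC_RADIUS"               # assumed FortiAuthenticator RADIUS server
        set server "10.0.0.5"
        set secret "<shared-secret>"
    next
end
config user local
    edit "contractor1"              # assumed local account for the password-only flow
        set type password
        set passwd "<password>"
    next
end
config user group
    edit "my_certificate_group"     # flow A: the peer object itself is the member
        set member "my_domain_peers"
    next
    edit "domain_users"             # flow B: AD users via RADIUS
        set member "FAC_RADIUS"
    next
    edit "vpn_contractors"          # flow C: local accounts, no certificate
        set member "contractor1"
    next
end
config vpn ssl settings
    set reqclientcert disable       # leave disabled: a global requirement would break flow C
    config authentication-rule
        edit 1                      # flow A: certificate only; the cert is requested automatically
            set groups "my_certificate_group"
            set portal "full-access"
        next
        edit 2                      # flow B: username+password AND a cert matching the peer
            set groups "domain_users"
            set portal "full-access"
            set client-cert enable
            set user-peer "my_domain_peers"
        next
        edit 3                      # flow C: username+password only
            set groups "vpn_contractors"
            set portal "web-access"
            set client-cert disable
        next
    end
end
```

Rules are evaluated in order, so a group that should never need a certificate must not also be matched by an earlier rule that has `set client-cert enable`.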
zoriax

Ok, thanks! I understand. The last problem I have is with my certificate. My FortiClient prompts a warning message and tells me that the server requires a certificate (and my certificate is correct).

pminarik

Do you expect to be prompted for a certificate in that case?

 

If not, you may have misconfigured the groups/mappings in SSL-VPN settings.

 

If yes, then perhaps the certificate verification is failing. You could try running fnbamd debug to find out what the result of the validation is:

 

diag debug reset
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug enable

→ try to connect now

diag debug disable

 

The fnbamd process may be doing other checks in the meantime, so if it starts showing more outputs, don't be scared. :)

 

There is also a chance that you might not have access to the private key, if this is a machine certificate, as you suggested in your initial post. Make sure you do have this sorted out. (KB on how to do this in Windows natively)

[ corrections always welcome ]