Hi everyone!
I need your help. I'm a bit confused about how to correctly configure FortiAuthenticator to validate SSL VPN connections with machine (computer) SSL certificates.
I tried a lot of options but nothing works, so I'm sure someone can help me :)
The workflow is this one:
- Computer is AD-joined with a valid CA certificate, for example: pc1.mydomain.local
- FortiAuth is correctly configured and I can sync my computer.
- I configured RADIUS with "Windows AD computer authentication"
Now, what are the correct options to tell FortiGate to use the computer certificate to validate the connection (if it's possible)?
Thanks
I'm sure it's possible to "login" with a computer certificate to FortiGate SSL VPN, but how can I do that with FortiAuthenticator?
I can't find any documentation about how to configure the devices to do that.
I followed this config: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/3965/computer-authentication-us...
But should I use it for SSL VPN?
When authenticating to SSL-VPN with a certificate, the certificate validation is always done by the FortiGate itself. It is never delegated to any other device (not even the FortiAuthenticator).
EAP-TLS (wifi WPA-Enterprise, switch dot1x, or IKEv2-EAP) would be a very specific exception, but it is not relevant here, since SSL-VPN does not support EAP.
So you should be able to make this work with "the usual" setup. The basic barebones configuration would consist of:
1, Import the CA chain which issues the machine certificates in your domain (presumably the Enterprise PKI root CA cert): System > Certificates > Import > CA
2, Create a "peer user" to match this CA:
```
config user peer
    edit "my_domain_peers"
        set ca "<the CA you imported in step 1>"
        # set subject "some specific subject" # these two lines are optional, to further restrict which certificates can match this peer object
        # set CN "some specific CN"
    next
end
```
3, Place the peer in a user group:
```
config user group
    edit "my_certificate_group"
        set member "my_domain_peers"
    next
end
```
4, You can now use this "user group" in your VPN portal mappings and firewall policies for SSL-VPN.
The result should be that clients authenticating purely with the matching certificate will be allowed to connect.
As a side-note: Be aware that regular users by default do not have access to the key of a machine certificate, which will prevent them from using it to authenticate to SSL-VPN.
You can work around this by giving regular users the permission to read the machine cert's private key in the OS itself, or you can use FortiClient's XML option `<allow_standard_user_use_system_cert>` (doc reference)
addendum: While the above is my "retelling of the story", there is also an official document on how to set up the same baseline configuration, available here. (my only comment to that would be that the lines `set two-factor enable` and `set password ...` are optional)
Hello,
OK, that's what I have done on my FortiGate. Just one question: can I use two different server certificates?
What I wanted is to use a "public" certificate for my users (without client certificate) and a domain certificate for my computers (with client certificate).
Hi,
The FortiGate itself can only use one certificate to identify itself as the VPN server. This is the "Server Certificate" selected in the general "SSL-VPN Settings" section.
The connecting clients can use certificates issued by different CAs with no issue. You simply need to re-do the same steps (import the second CA, create peer-object for it, add it to a new group or to the same group) for each new CA/peer.
If you're planning to let some users connect without a certificate (this is how I understood your reply), be aware that if using the browser to connect to the web-mode SSL-VPN, you may be prompted by the browser to select a certificate for authentication. If you are planning to authenticate as the user permitted to log in without a certificate, you should be able to simply ignore this prompt and then proceed to successfully authenticate with just username+password.
OK, so according to the documentation and your reply, I must set the option
```
set reqclientcert enable
```
This information is missing in the Forti doc... And in authentication-rule, should I set
```
config authentication-rule
    edit 2
        set groups "TEST"
        set portal "WEB"
        set client-cert enable
    next
end
```
With these options my FortiClient prompts a warning message and tells me that the server requires a certificate (and my certificate is selected)... I don't understand where the error is.
Thanks
This is not necessarily correct. Let me clarify:
`set reqclientcert enable`: This enforces a requirement for all clients (no exceptions!) to present a trusted certificate when connecting to SSL-VPN. You do not need to enable this.
`set client-cert enable`: This is similar as the option above, but the requirement is narrowed down to the group specified in the portal mapping rule. If a user is matched to this group during authentication, and if they did not provide a valid certificate, they will be rejected.
This can be further improved by specifying `set user-peer <peer-object>` to declare that "this group must provide a certificate that matches this specific peer".
If you specify the setup as I have outlined - using the group with a peer-member in the portal mapping directly (`set groups "my_certificate_group"`, referring back to the example object I described in my first reply) - then in this case you do not need to enable any option to require a certificate (reqclientcert, or client-cert). The mechanism is triggered automatically, and incoming connections will be asked for a certificate.
You can have a mixture of "certificate only", "certificate + username+password", and "username+password-only" working at the same time, the only trick is setting the configuration correctly to align with the desired flow.
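As an added illustration of the three flows described in this reply and the peer/group objects from the first reply (example configuration written for this thread, not Fortinet's own documentation or anything posted above), here is one SSL-VPN configuration carrying all three at once. All object names are assumed, "CA_Cert_1" is a placeholder for the imported CA, and "my_ad_admins" / "my_ad_users" stand for remote (RADIUS/LDAP) user groups defined elsewhere; "full-access" and "web-access" are assumed to be existing portals.

```fortios
# Added example, not from the thread. Object names and remote groups are assumed.

# Peer object matching the machine-certificate CA (as in the first reply)
config user peer
    edit "my_domain_peers"
        # placeholder: the CA imported under System > Certificates > Import > CA
        set ca "CA_Cert_1"
    next
end

config user group
    # flow 1: certificate only - the peer object itself is the member
    edit "my_certificate_group"
        set member "my_domain_peers"
    next
    # flow 2: certificate + username/password - assumed remote user group
    edit "my_cert_and_password_group"
        set member "my_ad_admins"
    next
    # flow 3: username/password only - assumed remote user group
    edit "my_password_group"
        set member "my_ad_users"
    next
end

config vpn ssl settings
    # reqclientcert stays disabled: enabling it would force every client,
    # including the password-only users in rule 3, to present a certificate
    set reqclientcert disable
    config authentication-rule
        edit 1
            # no client-cert needed: a peer-member group already triggers the prompt
            set groups "my_certificate_group"
            set portal "full-access"
        next
        edit 2
            # members who present no valid certificate are rejected,
            # and the certificate must match this specific peer object
            set groups "my_cert_and_password_group"
            set portal "full-access"
            set client-cert enable
            set user-peer "my_domain_peers"
        next
        edit 3
            # client-cert left disabled: the browser's certificate prompt can be ignored
            set groups "my_password_group"
            set portal "web-access"
        next
    end
end
```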
OK thanks! I understand. The last problem I have is with my certificate. My FortiClient prompts a warning message and tells me that the server requires a certificate (and my certificate is correct).
Do you expect to be prompted for a certificate in that case?
If not, you may have misconfigured the groups/mappings in SSL-VPN settings.
If yes, then perhaps the certificate verification is failing. You could try running fnbamd debug to find out what the result of the validation is:
```
diag debug reset
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug enable
# → try to connect now
diag debug disable
```
The fnbamd process may be doing other checks in the meantime, so if it starts showing more outputs, don't be scared. :)
There is also a chance that you might not have access to the private key, if this is a machine certificate, as you suggested in your initial post. Make sure you do have this sorted out. (KB on how to do this in Windows natively)