Fortinet Forum
Adrianoebm
New Contributor II

VPN Client to Site question.

Hello.

We recently had a security breach in our company (a user breach): the user shared his credentials with another user, who accessed the LAN during his vacation.

The user logged in using a cached user, then connected to the VPN using a friend's credentials.

Is there a way to avoid this?

I mean forcing a FortiClient login to a specific computer; if it doesn't match, drop the connection.

In Windows I did that using Active Directory, but it doesn't apply the rule to the VPN.

Thank you.


pminarik
Staff

If the intended user was willing to give out their laptop and credentials (and any other relevant passwords), then there's very little you can do with this IT-wise.

2FA could be implemented, but what's stopping the user from giving their 2FA token to the other person as well? What you are dealing with is pretty much a perfect, thorough, and voluntary identity theft, at least as far as logins are concerned.


Implementing biometrics into the login flow might be the solution for you. For example a biometric FIDO2 token. Fortinet does not currently offer any biometric tokens, so you would have to handle this through some third party. (and you would also first need to make sure that your new method is supported by FortiClient)

Adrianoebm
New Contributor II

Thanks for answering.

I found this tutorial using SSL certificates, it will help.

Our client-to-site VPN isn't SSL but IPsec.

I'm not the administrator of the FortiGate; he told me that it was impossible to do.

I did the same scheme I need using pfSense (I'm the admin) and it worked very well.

This is the tutorial, thank you.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-cert...


pminarik

Perhaps the initial question needs to be re-phrased, because I understood it as the "other user" having used the original user's computer as well (potentially implied by "user logged using a cached user").

If this is correct, then client certificates will not help, as they will be on the original user's computer that is being handed out to the "other user".


If I misunderstood and the "other user" used a different computer (their own), then client certificates could work. This would have to be implemented as IKEv1 with certificate authentication + XAUTH (IKEv2 cannot be configured to do both client-certificate and client-credential verification).

Do note that this approach is usually for preventing non-company devices from connecting. Client certificates and client username/password are validated independently, so if the "other user" used their own company-issued computer with their own certificate, that would not stop them from using the original user's credentials for the XAUTH phase.

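The IKEv1 "certificate authentication + XAUTH" dial-up setup described in the reply above, written out as a FortiOS CLI fragment. This is an added illustration, not configuration from the thread or from Fortinet's documentation; the object names (wan1, VPN-Clients-CA, vpn-users, the certificate names and the address pool) are assumed placeholders, and the keywords should be checked against the administration guide for the FortiOS version actually installed.

```text
# Trust anchor for client certificates: accept only certificates issued by
# the company's device CA (assumed name "VPN-Clients-CA", imported beforehand).
config user peer
    edit "company-devices"
        set ca "VPN-Clients-CA"
    next
end

# Dial-up phase 1: IKEv1 with signature (certificate) authentication for the
# device, plus XAUTH against a user group for the person. IKEv2 cannot combine
# both checks, which is why ike-version is pinned to 1.
config vpn ipsec phase1-interface
    edit "dialup-cert-xauth"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype peer
        set peer "company-devices"
        set authmethod signature
        set certificate "FortiGate-VPN-Server-Cert"
        set xauthtype auto
        set authusrgrp "vpn-users"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

The caveat from the reply still applies: the certificate check proves the connecting machine holds a company-issued certificate and XAUTH proves someone knows a valid username and password, but nothing ties the two together, so a colleague on their own enrolled laptop can still log in with borrowed credentials.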
Adrianoebm
New Contributor II

Hello there, let me explain it correctly.

User A was on vacation; the account had been blocked using Active Directory.

User B shared their FortiClient credentials by phone with User A, who logged in to Windows using a cached password, then connected to the VPN using User B's credentials.

My idea is to force them to only connect to the VPN using their own company devices.

I know how to do it in pfSense (using user certificates / auth), but on this FortiGate 100E I don't; our VPN has been configured (not by me) as IPsec VPN instead of SSL VPN, and assuming SSL works I will have to configure everything from scratch.

Thank you.


seshuganesh
Staff

Hi Team,


You can use this article for the same:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/32970/configuring-os-and-hos...

But it requires a license:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/60d49634-161e-11ea-9384-005056...

For the latest versions:

FortiClient 6.2.0, FortiClient EMS 6.2.0, and FortiOS 6.2.0 introduce a new licensing structure for managing endpoints running FortiClient 6.2.0+. See Upgrading from previous FortiClient versions on page 7 for more information on how the licensing changes upon upgrade to 6.2.0+. Fortinet no longer offers a free trial license for ten connected FortiClient endpoints on any FortiGate model running FortiOS 6.2.0+. EMS 6.2.3 supports a 30-day trial license with ten FortiClient seats.