Authenticate COMPUTER certificate
Hi All,
I have done the configuration with user certificates according to this article, Cookbook | FortiGate / FortiOS 6.2.9 | Fortinet Documentation Library,
and it's working.
Now I want to do it with a computer-only certificate, but it won't work.
I did the configuration similar to the user one; the only difference is that I use a computer certificate and distinguishedName as the common name identifier.
And it won't connect.
Is it possible at all?
I highly doubt you can get that to work, and in a multi-user environment I would use "user" certificates, fwiw.
Machine certificates are not what you want if you need security from a user perspective.
Ken Felix
PCNSE
NSE
StrongSwan
Hi Ken,
Thank you for your answer.
I know this should not be the final configuration; that's why I have a running VPN with user certificates.
I need computer certificates for emergency VPN connections, when a user certificate expires.
Some of my users don't work with the VPN too much, and certificates expire for them.
Since yesterday I have been able to configure it so that the Forti finds the computer in AD and the group assigned to it based on the generated certificate, but unfortunately now the Forti cannot compare whether the group found in AD is the one I indicated in the configuration. I don't know why this is, because the groups are the same and the computer belongs to this group.
Tom
Interesting, but I never heard of it being used as an emergency, though. Have you read this KB? It speaks purely about how you have to give the FortiClient user read access to the computer certificate, which is a challenge.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47826
That might get you farther and might get your VPN up.
Ken Felix
PCNSE
NSE
StrongSwan
Emergency means that normally there will be no computer in the assigned group.
It will be added there when the user certificate expires, in order to renew it.
Anyway, I changed the configuration according to this article at the beginning of my configuration.
I'm looking at my log and I don't know why the FortiGate won't match the group to the Portal Mapping groups.
With users everything is working fine. The VPN connects only with a certificate; no need for user credentials (login/password).
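The thread describes a chain of checks that a certificate-only VPN login has to pass: the certificate must be within its validity period, its subject must resolve to a directory object, and one of that object's groups must equal the group configured in the portal mapping. The block below is an added example written for this thread, not Fortinet code and not a description of how FortiGate or FortiClient implement the comparison. It models that chain against constructed directory entries and constructed certificate fields (the DNs, group names and dates are all made up), and contrasts a plain string comparison of group DNs with a comparison after RFC 4514 normalisation, so you can see how a case or whitespace difference between the configured DN and the directory's memberOf value alone produces "object found, group not matched". When a group match fails in your own logs, checking that the configured DN and the returned memberOf value normalise to the same thing is one of the first things to rule out.

```python
from datetime import datetime, timezone


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 distinguished name into (type, value) pairs.

    Commas escaped with a backslash stay inside the value. Types and values are
    lower-cased because Active Directory treats DN matching as case-insensitive.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr_type, _, value = part.strip().partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """True when two DN strings denote the same object after normalisation."""
    return parse_dn(a) == parse_dn(b)


# Constructed directory content standing in for AD: computer objects keyed by
# DN, each with the memberOf values a gateway would read back over LDAP.
DIRECTORY = {
    "CN=LAPTOP-01,OU=Workstations,DC=example,DC=com": {
        "memberOf": ["CN=VPN-Emergency,OU=Groups,DC=example,DC=com"]},
    "CN=LAPTOP-02,OU=Workstations,DC=example,DC=com": {"memberOf": []},
}

# The group as an administrator might type it into a portal mapping (constructed).
PORTAL_MAPPING_GROUP = "cn=vpn-emergency, ou=groups, dc=example, dc=com"

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def make_cert(subject: str, not_before: datetime, not_after: datetime) -> dict:
    """Minimal stand-in for the X.509 fields the checks below need."""
    return {"subject": subject, "not_before": not_before, "not_after": not_after}


VALID_CERT = make_cert("CN=LAPTOP-01,OU=Workstations,DC=example,DC=com",
                       datetime(2024, 1, 1, tzinfo=timezone.utc),
                       datetime(2025, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = make_cert("CN=LAPTOP-01,OU=Workstations,DC=example,DC=com",
                         datetime(2023, 1, 1, tzinfo=timezone.utc),
                         datetime(2024, 5, 1, tzinfo=timezone.utc))
UNGROUPED_CERT = make_cert("CN=LAPTOP-02,OU=Workstations,DC=example,DC=com",
                           datetime(2024, 1, 1, tzinfo=timezone.utc),
                           datetime(2025, 1, 1, tzinfo=timezone.utc))
UNKNOWN_CERT = make_cert("CN=LAPTOP-99,OU=Workstations,DC=example,DC=com",
                         datetime(2024, 1, 1, tzinfo=timezone.utc),
                         datetime(2025, 1, 1, tzinfo=timezone.utc))


def find_computer(subject_dn: str):
    """Resolve the certificate subject to a directory object, DN-normalised."""
    for dn, attrs in DIRECTORY.items():
        if dn_equal(dn, subject_dn):
            return attrs
    return None


def group_matches(member_of: list, configured: str, strict_string: bool = False) -> bool:
    """True if any memberOf value names the configured group.

    strict_string=True compares the raw strings, which is how a purely
    cosmetic difference (case, spaces after commas) makes the match fail.
    """
    for group in member_of:
        if (group == configured) if strict_string else dn_equal(group, configured):
            return True
    return False


def authorize(cert: dict, now: datetime, strict_string: bool = False) -> tuple:
    """Run the checks in order and return (allowed, reason)."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate outside validity period"
    entry = find_computer(cert["subject"])
    if entry is None:
        return False, "no directory object matches the certificate subject"
    if not group_matches(entry["memberOf"], PORTAL_MAPPING_GROUP, strict_string):
        return False, "object found but not a member of the configured group"
    return True, "certificate valid and group membership confirmed"


if __name__ == "__main__":
    for name, cert in [("valid", VALID_CERT), ("expired", EXPIRED_CERT),
                       ("ungrouped", UNGROUPED_CERT), ("unknown", UNKNOWN_CERT)]:
        print(f"{name:10s} {authorize(cert, NOW)}")
    print("valid, raw string compare:", authorize(VALID_CERT, NOW, strict_string=True))
```

Run as a script it prints one line per constructed certificate; the last line shows the same valid certificate being refused purely because the configured group DN and the directory's value differ in case and spacing.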