Hi guys, I'm trying to build a VPN with certificate authentication (warning: I'm a newbie on FortiGate). This is already established and works, but during the connecting process the user doesn't have to type in a password or username. So how can I get an authentication requirement for certificate users? For example: user has certificate -> connect -> type password & username in (this doesn't come???) -> connection established. The connection is via Linux network-manager-strongswan. FortiGate version is 5.6.3 (FortiGate 100D). The next question is: I have a limit of 10 parallel VPN users on the FortiGate, how can I increase it? Thanks for your help. :) PS: Sorry for the bad English.
Hello @GigaX ,
In FortiGate, you can set up a two-factor authentication (2FA) method that requires both a certificate and a username/password. Navigate to the VPN settings and open the Phase 1 settings of your VPN tunnel. Change the authentication method to signature. Under the authentication settings, specify the user group that will be allowed to connect. This user group should be tied to your LDAP or local user database. Save your settings and try connecting. You should now be prompted for a username and password.
This is not possible with IKEv2.
One side (the client) can authenticate using only one of these three methods (using more than one is not possible):
Within EAP, there are various EAP methods, but none supports combined certificate + password authentication of the client:
For the sake of completeness, there's a relatively recent EAP-TEAP, which allows chaining of multiple other EAP methods. This in theory could support a combination like EAP-TLS + EAP-MSCHAPv2, thus authenticating both the user's certificate and their username+password, but as far as I am aware, support seems to be limited. FortiGate itself certainly doesn't support it (when in an EAP proxy scenario), but maybe you'll be lucky and your choice of VPN client + RADIUS server will support it. (If EAP is handled by the RADIUS server, the FortiGate has no influence over the EAP method.)
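To make the two replies above concrete, here is an added FortiGate CLI example (not from either poster, and not a Fortinet-supplied snippet) showing the two client-authentication variants that IKEv2 actually allows on a FortiGate responder: the gateway always proves itself with its own certificate, and the client then uses either its certificate or EAP username/password, never both in one tunnel. Tunnel, interface, certificate and group names are placeholders, and the field names are assumed to match the FortiOS 5.6/6.x CLI; check them against `config vpn ipsec phase1-interface` on your own build.

```text
# Added example: two alternative IKEv2 dial-up phase1 definitions on a FortiGate.
# Deploy the ONE that matches how your clients authenticate; they are shown
# together only to contrast the two client methods.
config vpn ipsec phase1-interface
    # Variant A: client is identified by its certificate only (no password prompt).
    # The peer group lists the CA(s)/peers whose certificates are accepted.
    edit "ikev2-cert-clients"
        set type dynamic
        set interface "wan1"                 # placeholder WAN interface
        set ike-version 2
        set authmethod signature             # FortiGate authenticates with its own cert
        set certificate "FGT_SERVER_CERT"    # placeholder gateway certificate
        set peertype peergrp
        set peergrp "VPN_PKI_USERS"          # placeholder 'config user peergrp' entry
        set proposal aes256-sha256
    next
    # Variant B: client is identified by EAP username/password only.
    # The FortiGate still presents its certificate; the client sends no certificate
    # and is instead challenged for credentials checked against the user group.
    edit "ikev2-eap-clients"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set certificate "FGT_SERVER_CERT"
        set peertype any
        set eap enable                       # switch client side to EAP
        set eap-identity send-request        # ask the client for its EAP identity
        set authusrgrp "VPN_EAP_USERS"       # placeholder LDAP/local/RADIUS-backed group
        set proposal aes256-sha256
    next
end
```

Variant A is what the original poster already has (certificate, no prompt); Variant B gives the username/password prompt but drops the client certificate, which is the trade-off the second reply describes.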
Copyright 2024 Fortinet, Inc. All Rights Reserved.