Support Forum
FortiDave
New Contributor III

Certificate based auth for Forticlient IOS and Android

Hi guys,

 

I'm looking to implement certificate-based auth for FortiClient iOS and Android.

 

Am I correct in understanding from the below KB article that, for SSL VPN auth, two certificates are required, i.e. a server cert and a CA cert?

 

And if so, can I leverage the factory default certificates, or is there a requirement for separate certificates to be imported? 

 

I would appreciate it if someone can advise the most straightforward way to achieve this, or at least test it out.

 


 

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/266506/ssl-vpn-with-certificate-authenti...

 

Markus_M
Staff

Hello FortiDave,

 

When working with certificates you will often see a CA certificate and a server/client certificate.

Server certificates identify that particular service; client certificates do the same for the client.

CA certificates are the ones signing a client/server certificate.

This setup, following the public key infrastructure (PKI), will lead to a node sending a certificate, and the other node will have the CA certificate that helps to verify that the server's certificate is the one that it claims to be - it is signed by a trusted CA.

This principle is exactly the same as you would see on most websites, same as this one. On the browser bar check that padlock sign, click it and navigate through to see the certificates.

There will be a server certificate and another CA certificate, typically with an intermediate certificate between the two.

 

But yes, these parts ideally need to be done to trust your certificate infrastructure.

 

The clients will need client certificates generated with their usernames.

The CA certificate that signed these certificates will have to be installed on the FGT.

 

Best regards,

 

Markus

FortiDave
New Contributor III

Appreciate the detailed response Markus.

 

Would it be possible to simplify the encryption by using a PSK to encrypt traffic, and a certificate for auth only - or is that even achievable?

Markus_M

Hi Dave,

 

On SSLVPN there is no PSK. IPsec has one, and you could authenticate with a certificate.

One misconception about authentication is that many do not consider against what userDB to authenticate. There is a client asking for authentication, there must be another end that verifies the authentication.

 

If you have a PSK you have two or more devices authenticating typically to each other. There is no real userDB. There is a device that knows the key - done.

 

If you use certificates or username/password you will have to tell these details to another entity that has the database for it. Where are users stored? Where is the certificate being verified and, if so, how?

 

A certificate can be, and often is, only verified against the signing CA certificate, in which case your "userDB" is the trusted root CA store.

If the certificate is read further, with the contents of the subject containing the username, you need to be able to verify the username against another userDB again.

 

That DB is either your FortiGate directly (section "config user peer") or another server, via RADIUS or LDAP (as Microsoft Active Directory for example).

 

More practical, less rant:

For certificate-based authentication you equip the client with certificates and need to see how to get certificates onto that client. For smartphones you will need some sort of MDM solution. Windows has its own MDM solution, which is that the device is joined to the domain.

The FortiGate can then verify the certificates (config user peer, then refer to the users/groups in policies AND SSLVPN portal settings) you set on the FortiClient for the SSLVPN authentication.

 

Best regards,

 

Markus
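To make the two-step check described above concrete (verify the client certificate chains to the trusted CA, then match the subject CN against a user DB), here is an added openssl lab that is not part of this thread or of any Fortinet code. The CA names, the users alice/bob/mallory and the users.txt file are all constructed for the demo, and the shell function only models what the gateway does; it is not FortiGate's own logic.

```shell
# Added example (not from the thread or Fortinet): a throwaway openssl lab
# showing the CA check and the subject-to-userDB match. All names are constructed.
set -eu
WORK=$(mktemp -d) && cd "$WORK"

# The CA whose certificate you would install on the gateway, plus a second
# CA the gateway does NOT trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Lab Trusted CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Other CA" -keyout other.key -out other.crt 2>/dev/null

# issue_client <ca-name> <username>: client cert with the username in the CN
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}
issue_client ca alice       # in the user DB, trusted CA: should be accepted
issue_client ca mallory     # trusted CA, but no matching user entry
issue_client other bob      # known username, but signed by an untrusted CA

# Constructed user DB: one username per line. On a FortiGate this role is
# played by "config user peer" entries (or a RADIUS/LDAP server behind them).
printf 'alice\nbob\n' > users.txt

# authenticate <cert>: 0 = accepted, 1 = chain not trusted, 2 = unknown user.
# Step 1 is the CA check; step 2 is the subject CN lookup in the user DB.
authenticate() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
       | sed -n 's/^subject=CN=\([^,]*\).*/\1/p')
  grep -qx -- "$cn" users.txt || return 2
  echo "accepted $1 as user $cn"
}

# outcome <cert>: prints the return code of authenticate, for easy comparison
outcome() { authenticate "$1" >/dev/null 2>&1 && echo 0 || echo $?; }
```

Run it as a whole and compare the three outcomes: only alice.crt clears both checks, mallory.crt fails the user lookup, bob.crt fails already at the chain check.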
