(Computer) client certificate validation

Magion · ‎04-02-2020

Hi,

I have a working SSLVPN solution where I use client validation to check for a computer certificate from our internal PKI on the client. Domain computers get a certificate using autoenrollment policies and the root certificate is stored on the Fortigate. By enabling users to select the computer certificate in FortiClient during login, they can select the right certificate, which can be validated by Fortigate. So far so good...

The problem is, any certificate/key pair on the client, with a matching root on the Fortigate passes certificate validation. Since we use Lets Encrypt certificates, I uploaded the root of LE onto the Fortigate. If I install any valid LE certificate on the client, this certificate is also accepted.

Fortigate accepts any valid certificate for which it has a root certificate installed.

Is there a way to limit validation to specific root certificate(s)? Or perhaps check on specific certificate details?

Using only Fortigate, no other Fortinet products.

User authentication is done entirely on a remote Radius server, so no local/ldap/radius users defined.

FortiOS 6.0.5, FortiClient 6.0.8

Thx,

Michel

Magion · ‎04-15-2020

Just got word from support again. The gave me this link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47120.

Although I find the example config a bit confusing, it seems like what I want to accomplish might be possible... but only from FortiOS 6.2.2+. We are still on 6.0.5.

View solution in original post

emnoc · ‎04-21-2020

Here's what I'm talking about in auth-rule

config vpn ssl settings set reqclientcert enable set ssl-min-proto-ver tls1-1 set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_POOL_1" set port 8443 config authentication-rule edit 1 set source-interface "wan1" set source-address "all" set users "user1" set portal "full-access" set client-cert enable set user-peer "socpuppets" next end end

The set user-peer is your CA with or without the subject

PCNSE

NSE

StrongSwan

View solution in original post

emnoc · ‎04-21-2020

Hey, I just wanted to say I test it by only using the CA and no cn or subject string so it worked What I did was use the web-acecs and firefox and called up a inferior certificate that did NOT match the "config user peer"

So if you are issuing certificates from a privateCA, just 1> import the ca into the firewall 2> sign all users with that CA >3 and set a "config user peer" and finally use that peer in the auth-rule.

It should work and lock down the sslvpn. If the client presents no certificate or a certficate that is not signed by the CA you defined , the ssl will reject that connect. You will see this on a "diag debug application sslvpnd -1"

e.g

[23346:root:3b]rmt_web_auth_info_parser_common:470 no session id in auth info [23346:root:3b]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103, [23346:root:3b]User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0 [23346:root:3b]rmt_logincheck_cb_handler:1189 user 'user1' has a matched local entry. [23346:root:3b]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy. [23346:root:3b]sslvpn_auth_check_usrgroup:2145 got user (1) group (0:0). [23346:root:3b]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (1), realm (). [23346:root:3b]sslvpn_validate_user_group_list:1690 checking rule 1 cipher. [23346:root:3b]sslvpn_validate_user_group_list:1698 checking rule 1 realm. [23346:root:3b]sslvpn_validate_user_group_list:1709 checking rule 1 source intf. [23346:root:3b]sslvpn_validate_user_group_list:1730 checking rule 1 source address. [23346:root:3b]sslvpn_validate_user_group_list:1845 rule 1 done, got user (1:1) group (0:0) peer group (0). [23346:root:3b]sslvpn_validate_user_group_list:1963 got user (1:1), group (0:0) peer group (0). [23346:root:3b]fam_cert_send_req:808 do certificate peer check first(2). [23346:root:3b]doing certificate checking for 1 peer(s). [23346:root:3b]sslvpn_update_user_group_list:1579 Remove user(s) which has set user-peer (1). [23346:root:3b]sslvpn_update_user_group_list:1595 got user (0:0), group (0:0), peer group (0) after update. [23346:root:3b]__auth_cert_cb:939 no valid user/group candidate found.

PCNSE

NSE

StrongSwan

View solution in original post

Agent_1994 · ‎04-24-2020

Magion,

I did something like this in my lab. All the users are Active Directory users:

config user peer edit "peer1" set ca "home_lab" set subject ".hydra.local" next end

In plain english, this is "certificate must belong to the home_lab CA and it's subject must have .hydra.local". The latter is the FQDN matching trick I told you.

Next I created a realm "portal1" and did this:

config user ldap edit "DC" set server "dc.home.lab" set cnid "userPrincipalName" set dn "dc=home,dc=lab" set type regular set username "HOME\\fortigateLDAP" set password [removed] next end

config user group edit "vpn" set member "DC" config match edit 1 set server-name "DC" set group-name "CN=VPN,OU=User Accounts,DC=home,DC=lab" next end next end

config vpn ssl settings config authentication-rule edit 1 set groups "vpn" set portal "full-access" set realm "portal1" set client-cert enable set user-peer "peer1" next end end

The test were:

[ul]

user + no certificate: fail

user + any user certificate from home_lab CA: fail

user + any computer certificate from home_lab CA: works

user (wrong credentials) + any computer certificate from home_lab CA: fail

user + any certificate from a CA other than home_lab: fail[/ul]

Hope this helps

Max

View solution in original post

Magion · ‎04-21-2020

Unfortunately "set user-peer" is not available with firmware 6.0.5.

(edit: just checked, this command was added in 6.2.2)

Some time ago we decided not to upgrade (and to be honest right now I'm glad we didn't after seeing so many people complain about rdp/tcp disconnects with sslvpn), but I think we will have to reconsider if we want to fix the client certificate issue.

Thanks so far for all the help en info!

emnoc · ‎04-22-2020

I'm really surprise it's not in 6.0.x. What I retested last night was done in 6.2.3 btw. So that cfg works if you want to locked down sslvpn and with client-certificate that he/she selects within the fclient. We have contractors that are using Android FC users and this works very good btw.

I would look at upgrading, 6.2.x is pretty much stable and unless your on some oldstuff, you should upgrade. I'm holding out for a few 6.4.x maintenance releases to come out before we even tackle 6.4. in production.

Ken Felix

PCNSE

NSE

StrongSwan

boneyard · ‎04-23-2020

[edit] ignore all that if you read it

doesnt work as expected. the setup with putting remote auth server and user peer in one group allows for a certificate from another CA as long as your remote auth then passes.

in the end it seems like this simply isn't possible correctly against remote auth in 6.0. it seems to work if you use the right credentials and client certificate. but you are able to use combinations which shouldn't be possible.

emnoc · ‎04-23-2020

I don't follow you, but if you want to control the client-certificate that is accept you need a peerid and set that in a authentication rule and that works. I will write a post on my blog about that. This will locked down the ssl vpn client from presenting any certificate but one issued by your defined CA.

I just didn't realize this is only available in v6.2.x or higher.

Ken Felix

PCNSE

NSE

StrongSwan

boneyard · ‎04-23-2020

thanks Ken, i saw the way it will work in 6.2

i was still trying to get it to work in 6.0 to understand how things worked there. i thought i had a working solution and then found out i missed something.

so all good.

Tiago_Aquino · ‎04-13-2021

emnoc wrote:
The set user-peer is your CA with or without the subject

That was the catch for me... I was facing the same problem with ldap.. Thank you so much for replying to this post..

Now it's working:

config user peer
    edit "VPNSSL_USER_PEER"
        set ca "G_CA_Cert_1"
    next
end

config user group
    edit "VPNSSL_USER_GROUP"
        set member "ldap_server"
        config match
            edit 1
                set server-name "ldap_server"
                set group-name "cn=some_group,ou=vpn,ou=app,ou=grp,ou=acc,O=org,C=cc"
            next
        end
    next
end
config vpn ssl settings
    set servercert "cert"
    set source-interface "wan1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPNSSL_USER_GROUP"
            set portal "full-access"
            set client-cert enable
            set user-peer "VPNSSL_USER_PEER"
        next
    end
end

How come the only place I found the answer is a forum? We should have a KB about it..

garyhope · ‎09-13-2021

I have the same issue with the VPN and want to be able to use Computer certs (before login) as well as user certs. The config I current have only works for user certs:

config user peer edit "user1" set ca "csf_CA_Cert_1" set ldap-server "testLDAP" set ldap-mode principal-name next end

config user group edit "sslvpn-group" set member "testLDAP" "user1" config match edit 1 set server-name "testLDAP" set group-name "CN=sslvpn-1,OU=Groups,OU=test,DC=test,DC=local" next edit 2 set server-name "testLDAP" set group-name "CN=sslvpn-nc,OU=Groups,OU=test,DC=test,DC=local" next end

config vpn ssl settings set reqclientcert enable set servercert "Web" set default-portal "Portal" config authentication-rule edit 1 set groups "sslvpn-group" set portal "Portal" next end end

However if I change it to:

config user peer edit "user1" set ca "csf_CA_Cert_1" next end

config user group

edit "sslvpn-group" set member "test-LDAP" config match edit 1 set server-name "test-LDAP" set group-name "CN=sslvpn-1,OU=Groups,OU=test,DC=test,DC=local" next edit 2 set server-name "test-LDAP" set group-name "CN=sslvpn-nc,OU=Groups,OU=test,DC=test,DC=local" next end next end

config vpn ssl settings set servercert "WebCert" set default-portal "Portal" config authentication-rule edit 1 set groups "sslvpn-group" set portal "Portal" set client-cert enable set user-peer "user1" next end end

It does not work for either user or computer certs. Could someone please advise?

many thanks

Agent_1994 · ‎04-24-2020

Magion,

I did something like this in my lab. All the users are Active Directory users:

config user peer edit "peer1" set ca "home_lab" set subject ".hydra.local" next end

In plain english, this is "certificate must belong to the home_lab CA and it's subject must have .hydra.local". The latter is the FQDN matching trick I told you.

Next I created a realm "portal1" and did this:

config user ldap edit "DC" set server "dc.home.lab" set cnid "userPrincipalName" set dn "dc=home,dc=lab" set type regular set username "HOME\\fortigateLDAP" set password [removed] next end

config user group edit "vpn" set member "DC" config match edit 1 set server-name "DC" set group-name "CN=VPN,OU=User Accounts,DC=home,DC=lab" next end next end

config vpn ssl settings config authentication-rule edit 1 set groups "vpn" set portal "full-access" set realm "portal1" set client-cert enable set user-peer "peer1" next end end

The test were:

[ul]

user + no certificate: fail

user + any user certificate from home_lab CA: fail

user + any computer certificate from home_lab CA: works

user (wrong credentials) + any computer certificate from home_lab CA: fail

user + any certificate from a CA other than home_lab: fail[/ul]

Hope this helps

Max

Magion · ‎04-28-2020

Thank you for the example. Will keep this in mind...

mkolus wrote:
Set user-peer "peer1"

But as I found out, unfortunately set peer-user was added in 6.2.2 while we are still on 6.0.5. So I have to wait until I can safely upgrade.

Noureddine · ‎04-14-2022

Hi Bro ,

i need configuration for computer certificate authentication only, can u help me ?

(Computer) client certificate validation

Nominate a Forum Post for Knowledge Article Creation